Step 6: Get or Create a Kerberos Principal for Each User Account
Now that Kerberos is configured and enabled on your cluster, you and every other Hadoop user must have a Kerberos principal or keytab to obtain Kerberos credentials to be allowed to access the cluster and use the Hadoop services. In the next step of this procedure, you will need to create your own Kerberos principals to verify that Kerberos security is working on your cluster. If you and the other Hadoop users already have a Kerberos principal or keytab, or if your Kerberos administrator can provide them, you can skip ahead to the next step.
The following instructions explain how to create a Kerberos principal for a user account.
If you are using Active Directory
Add a new AD user account for each new user that should have access to the cluster. You do not need to make any changes to existing user accounts.
If you are using MIT KDC
- In the kadmin.local or kadmin shell, use the following command to create user principals by replacing YOUR-LOCAL-REALM.COM with the name of your realm, and replacing USERNAME with a username:
kadmin: addprinc USERNAME@YOUR-LOCAL-REALM.COM
- Enter and re-enter a password when prompted.