This document describes how to set up an Alteryx® user in Kerberos.
- Kerberos provides authentication services across a wide variety of platforms. See http://www.kerberos.org/.

Pre-requisites for Kerberos integration

Before you begin, please verify the following:

- The [hadoop.user (default=trifacta)] user is created and enabled on each node in the Hadoop cluster.
  NOTE: If LDAP is enabled, the trifacta user should be created in the same realm as the cluster.
- On the Alteryx host, the directory /opt/trifacta is owned by the [hadoop.user] user.
- The [hadoop.user] user exists on each node in the Hadoop cluster.
  NOTE: The [hadoop.user] user must have the same user ID and group ID on each node in the cluster. Depending on your cluster's configuration, this requirement may require an LDAP command. Configuring LDAP is beyond the scope of this document.
- The [hadoop.user] user must be a member of any special group that is permitted to access HDFS or to run Hadoop jobs.

Configure the KDC

trifacta@HADOOPVAL.MSSVC.LOCAL has the name trifacta and the realm HADOOPVAL.MSSVC.LOCAL.

Steps:

1. Create a keytab file for the Alteryx principal. Command:

       kadmin xst -k trifacta.keytab <full_principal_identifier>

   where: <full_principal_identifier> is the principal identifier in Kerberos.

   On the KDC, you may have to run kadmin.local instead of kadmin. The rest of the arguments should remain the same.

   NOTE: If you're creating a keytab file in an AD environment, alternative instructions may need to be applied. See below.

2. Verify that the keytab is working. Command:

       klist -e -k -t trifacta.keytab

3. Configure the keytab file so that it is owned by the [hadoop.user] user. It should only be readable by that user.

       /opt/trifacta/conf/trifacta.keytab

   NOTE: Verify that all user principals that use the platform are also members of the group of the keytab user.

Create keytab in Active Directory environments

Some additional instructions are provided for the following environments.

For MIT Kerberos

    > ktutil
    ktutil: addent -password -p username@EXAMPLE.COM -k 1 -e rc4-hmac
    Password for username@EXAMPLE.COM: [enter your password]
    ktutil: addent -password -p username@EXAMPLE.COM -k 1 -e aes256-cts
    Password for username@EXAMPLE.COM: [enter your password]
    ktutil: wkt username.keytab
    ktutil: quit

For Heimdal Kerberos

    > ktutil -k username.keytab add -p username@EXAMPLE.COM -e arcfour-hmac-md5 -V 1

If the keytab created in Heimdal does not work, you may need an aes256-cts entry. In this case, locate a machine with MIT Kerberos, and use the MIT Kerberos method instead.

Enable use of Kerberos keytab by Command Line Interface

The Alteryx Command Line Interface can reference a Kerberos keytab file to enable access to the platform without supplying passwords. After you have created the keytab, please complete the following steps.

NOTE: You must create a separate keytab file for the CLI. This keytab file must be created for the platform user that is connecting to the platform through the CLI, which is different from the [hadoop.user] user keytab that is used by the platform to connect to the cluster.

Steps:

1. Export the following environment variables, where username corresponds to the user ID that is to be used to connect to the platform:

       export KRB5_CLIENT_KTNAME=/path/to/the/username.keytab
       export GSS_KRB5_NT_PRINCIPAL_NAME=username

Configure the Designer Cloud Powered by Trifacta platform for Kerberos

You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

Locate the kerberos section, which controls Kerberos authentication.

Example configuration: Substitute your own values in place of the example values as appropriate.

    "kerberos.enabled": true,
    "kerberos.principal": "trifacta",
    "kerberos.kdc": "kdc.mssvc.local",
    "kerberos.realm": "HADOOPVAL.MSSVC.LOCAL",
    "kerberos.keytab": "/opt/trifacta/conf/trifacta.keytab",
    "kerberos.principals.hive": "<UNUSED>",
    "kerberos.principals.namenode": "nn/_HOST@EXAMPLE.COM",
    "kerberos.principals.resourcemanager": "<YOUR_VALUE_HERE>",

| Parameter | Description |
| --- | --- |
| enabled | To enable Kerberos authentication, set this value to true. |
| principal | The name part of the principal you created in the KDC |
| kdc | The host of the KDC |
| realm | Realm of the KDC |
| keytab | |
| principals | List of jobtrackers and namenodes that are governed by Kerberos |

NOTE: kerberos.principals.hive is unused. This value must be inserted into the Hive connection definition. See Create Hive Connections.

NOTE: If you don't know the values to use here, see Set principal values below.

NOTE: If you don't specify principal names in the principals definition section, the default names are used: mapred/<jobtracker host>@<realm>. You should specify the principals explicitly.

At this point, you should be able to load files from HDFS and run jobs against the kerberized Hadoop cluster.

Set principal values for YARN

Check the following Hadoop config properties in yarn-site.xml:

    principals.jobtracker = yarn.resourcemanager.principal
    principals.namenode = dfs.namenode.kerberos.principal
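
The keytab checks from the Configure the KDC steps (owned by the platform user, readable only by that user, verified with klist, and carrying an aes256-cts entry) can be scripted. This is an added shell example, not part of the original page or the product; it assumes GNU stat and MIT klist output with short enctype names, and the function names and sample klist output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes GNU stat and MIT klist output that
# uses short enctype names, e.g. "(aes256-cts-hmac-sha1-96)".

# check_keytab_perms FILE OWNER
# Succeeds only if FILE is owned by OWNER and has no group/other permission bits.
check_keytab_perms() {
    kt_file=$1; kt_owner=$2
    [ -f "$kt_file" ] || { echo "no such keytab: $kt_file" >&2; return 2; }
    actual=$(stat -c '%U' "$kt_file")
    mode=$(stat -c '%a' "$kt_file")
    if [ "$actual" != "$kt_owner" ]; then
        echo "owner is $actual, expected $kt_owner" >&2; return 1
    fi
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode $mode lets group/other access the key" >&2; return 1
    fi
}

# keytab_enctypes PRINCIPAL < output of `klist -e -k -t FILE`
# Prints one enctype per keytab entry held for PRINCIPAL.
keytab_enctypes() {
    awk -v p="$1" 'NF >= 2 && $NF ~ /^\(.*\)$/ && $(NF-1) == p {
        e = $NF; gsub(/[()]/, "", e); sub(/^DEPRECATED:/, "", e); print e }'
}

# True if PRINCIPAL has the aes256-cts entry the Heimdal note calls for.
has_aes256() { keytab_enctypes "$1" | grep -q '^aes256-cts'; }

# Lists RC4 and DES-family entries, which RFC 6649 and RFC 8429 deprecate.
legacy_enctypes() { keytab_enctypes "$1" | grep -E '^(arcfour|rc4|des)'; }

# Constructed sample: klist output for the two-entry keytab built with ktutil
# in the Active Directory section.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:username.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/01/2024 00:00:00 username@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
   1 01/01/2024 00:00:00 username@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
}

# Real use: klist -e -k -t /opt/trifacta/conf/trifacta.keytab | has_aes256 PRINCIPAL
sample_klist | has_aes256 username@EXAMPLE.COM && echo "aes256-cts entry present"
echo "legacy enctypes: $(sample_klist | legacy_enctypes username@EXAMPLE.COM)"
```

Against a real keytab, run check_keytab_perms with the [hadoop.user] account name and pipe the klist output for that keytab into the enctype functions.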