Security configuration and cluster settings for Kerberos on Amazon EMR
When you create a Kerberized cluster, you specify the security configuration together with Kerberos attributes that are specific to the cluster. You can't specify one set without the other, or an error occurs.
This topic provides an overview of the configuration parameters available for Kerberos when you create a security configuration and a cluster. In addition, CLI examples for creating compatible security configurations and clusters are provided for common architectures.
Kerberos settings for security configurations
You can create a security configuration that specifies Kerberos attributes using the Amazon EMR console, the AWS CLI, or the EMR API. The security configuration can also contain other security options, such as encryption. For more information, see Create a security configuration.
Use the following references to understand the available security configuration settings for the Kerberos architecture that you choose. Amazon EMR console settings are shown. For corresponding CLI options, see Specifying Kerberos settings using the AWS CLI or Configuration examples.
| Parameter | Description |
|---|---|
| Kerberos | Specifies that Kerberos is enabled for clusters that use this security configuration. If a cluster uses this security configuration, the cluster must also have Kerberos settings specified or an error occurs. |
| Provider: Cluster-dedicated KDC | Specifies that Amazon EMR creates a KDC on the primary node of any cluster that uses this security configuration. You specify the realm name and KDC admin password when you create the cluster. You can reference this KDC from other clusters, if required. Create those clusters using a different security configuration, specify an external KDC, and use the realm name and KDC admin password that you specify for the cluster-dedicated KDC. |
| Provider: External KDC | Available only with Amazon EMR 5.20.0 and later. Specifies that clusters using this security configuration authenticate Kerberos principals using a KDC server outside the cluster. A KDC is not created on the cluster. When you create the cluster, you specify the realm name and KDC admin password for the external KDC. |
| Ticket Lifetime | Optional. Specifies the period for which a Kerberos ticket issued by the KDC is valid on clusters that use this security configuration. Ticket lifetimes are limited for security reasons. Cluster applications and services auto-renew tickets after they expire. Users who connect to the cluster over SSH using Kerberos credentials need to run |
| Cross-realm trust | Specifies a cross-realm trust between a cluster-dedicated KDC on clusters that use this security configuration and a KDC in a different Kerberos realm. Principals (typically users) from another realm are authenticated to clusters that use this configuration. Additional configuration in the other Kerberos realm is required. For more information, see Tutorial: Configure a cross-realm trust with an Active Directory domain. |
| Cross-realm trust properties: Realm | Specifies the Kerberos realm name of the other realm in the trust relationship. By convention, Kerberos realm names are the same as the domain name but in all capital letters. |
| Cross-realm trust properties: Domain | Specifies the domain name of the other realm in the trust relationship. |
| Cross-realm trust properties: Admin server | Specifies the fully qualified domain name (FQDN) or IP address of the admin server in the other realm of the trust relationship. The admin server and KDC server typically run on the same machine with the same FQDN, but communicate on different ports. If no port is specified, port 749 is used, which is the Kerberos default. Optionally, you can specify the port (for example, |
| Cross-realm trust properties: KDC server | Specifies the fully qualified domain name (FQDN) or IP address of the KDC server in the other realm of the trust relationship. The KDC server and admin server typically run on the same machine with the same FQDN, but use different ports. If no port is specified, port 88 is used, which is the Kerberos default. Optionally, you can specify the port (for example, |
| External KDC | Specifies that an external KDC is used by the cluster. |
| External KDC properties: Admin server | Specifies the fully qualified domain name (FQDN) or IP address of the external admin server. The admin server and KDC server typically run on the same machine with the same FQDN, but communicate on different ports. If no port is specified, port 749 is used, which is the Kerberos default. Optionally, you can specify the port (for example, |
| External KDC properties: KDC server | Specifies the fully qualified domain name (FQDN) of the external KDC server. The KDC server and admin server typically run on the same machine with the same FQDN, but use different ports. If no port is specified, port 88 is used, which is the Kerberos default. Optionally, you can specify the port (for example, |
| Active Directory integration | Specifies that Kerberos principal authentication is integrated with a Microsoft Active Directory domain. |
| Active Directory integration properties: Active Directory realm | Specifies the Kerberos realm name of the Active Directory domain. By convention, Kerberos realm names are typically the same as the domain name but in all capital letters. |
| Active Directory integration properties: Active Directory domain | Specifies the Active Directory domain name. |
| Active Directory integration properties: Active Directory server | Specifies the fully qualified domain name (FQDN) of the Microsoft Active Directory domain controller. |
Kerberos settings for clusters
You can specify Kerberos settings when you create a cluster using the Amazon EMR console, the AWS CLI, or the EMR API.
Use the following references to understand the available cluster configuration settings for the Kerberos architecture that you choose. Amazon EMR console settings are shown. For corresponding CLI options, see Configuration examples.
| Parameter | Description |
|---|---|
| Realm | The Kerberos realm name for the cluster. The Kerberos convention is to set this to be the same as the domain name, but in uppercase. For example, for the domain |
| KDC admin password | The password used within the cluster for |
| Cross-realm trust principal password (optional) | Required when establishing a cross-realm trust. The cross-realm principal password, which must be identical across realms. Use a strong password. |
| Active Directory domain join user (optional) | Required when using Active Directory in a cross-realm trust. This is the user logon name of an Active Directory account with permission to join computers to the domain. Amazon EMR uses this identity to join the cluster to the domain. For more information, see Step 3: Add accounts to the domain for the EMR Cluster. |
| Active Directory domain join password (optional) | The password for the Active Directory domain join user. For more information, see Step 3: Add accounts to the domain for the EMR Cluster. |