Getting Started

1. Install

Download Kerby source code:

git clone

Install HAS:

cd directory-kerby
mvn clean install -Pdist -DskipTests

2. Start and configure HAS server

Deploy https

Please look at How to deploy https for details.

Configure has-server.conf in <conf_dir>:

An example of has-server.conf:

  https_host = localhost
  https_port = 8092
  filter_auth_type = kerberos

  auth_type = MySQL

Start HAS server:

cd HAS/has-dist
sh bin/ <conf_dir> <work_dir>


export HAS_CONF_DIR=<conf_dir>
export HAS_WORK_DIR=<work_dir>
cd HAS/has-dist
sh bin/

Root privileges required if https_port or KDC port numbers range from 0 to 1023.

Configure HAS plugin:

cd kerby-dist/has-dist
// Proxy needed to be removed if it exists
unset https_proxy
// Start HAS init tool
sh bin/ <conf_dir>
// Also: sh bin/, if HAS_CONF_DIR environment variable has been set.
// Plugin_name example: MySQL
HasInitTool: set_plugin <plugin_name>
HasInitTool: exit

Enable MySQL plugin

Please refer to MySQL plugin.

Enable LDAP plugin

Please refer to LDAP plugin.

Configure HAS backend:

cd kerby-dist/has-dist
// Start HAS init tool
sh bin/ <conf_dir>
// An example of json backend:
HasInitTool: config_kdcBackend json /tmp/has/jsonbackend
// An example of mysql backend:
HasInitTool: config_kdcBackend mysql jdbc:mysql:// root passwd
HasInitTool: exit

Configure HAS KDC:

cd kerby-dist/has-dist
// Start HAS init tool
sh bin/ <conf_dir>
// An example of configure HAS KDC:
HasInitTool: config_kdc localhost 88 HADOOP.COM
HasInitTool: exit

Please make sure the following configuration files exist in the conf directory: has-server.conf backend.conf kdc.conf

Start HAS KDC server:

cd kerby-dist/has-dist
// Start HAS init tool
sh bin/ <conf_dir>
HasInitTool: start
HasInitTool: exit

Init HAS server:

cd kerby-dist/has-dist
// Start HAS init tool
sh bin/ <conf_dir>
HasInitTool: init
HasInitTool: exit

Deploy http spnego

Please look at How to deploy http spnego for details. Please restart the HAS server

cd kerby-dist/has-dist
sh bin/

cd kerby-dist/has-dist
sh bin/ <conf_dir> <work_dir>

cd kerby-dist/has-dist
sh bin/ <conf_dir>
HasInitTool: start
HasInitTool: exit

Get and deploy krb5.conf:

cd kerby-dist/has-dist
// Start HAS init tool:
sh bin/ <conf_dir>
// Get krb5.conf, and put it to /etc:
HasInitTool: getkrb5 -p /etc
HasInitTool: exit

Get and deploy has-client.conf:

cd kerby-dist/has-dist
// Start HAS init tool
sh bin/ <conf_dir>
// Get has-client.conf, and put it to /etc/has:
HasInitTool: gethas -p /etc/has
HasInitTool: exit

3. Prepare for Hadoop

There are two ways to create and deploy corresponding keytabs of Hadoop.

a. Create and deploy keytabs manually

Create service principals:

cd kerby-dist/has-dist
echo { \
    HOSTS: [ \
       {"name":"<host>","hostRoles":"<role>,..., <role>"\}, \
       {"name":"<host>","hostRoles":"<role>,...,<role>"\} \
    ] \
\} > hosts.txt
// Start local hadmin tool
sh bin/ <conf_dir> -k <keytab>
// Also: sh bin/ -k <keytab>, if HAS_CONF_DIR environment variable has been set.
// Also you can use remote admin tool, admin.keytab file needed to be placed in /etc/has
sh bin/ <conf_dir>
// Also: sh bin/, if HAS_CONF_DIR environment variable has been set.
admin.local: creprincs hosts.txt
admin.local: exit

The admin.keytab file is created by the kdcinit. In local and remote hadmin tool, you can type “?” for help.

Get hostRoles list:

cd kerby-dist/has-dist
// Start local or remote hadmin tool
sh bin/ <conf_dir> -k <keytab>
admin.local: hostroles
admin.local: exit

Export service keytabs:

cd kerby-dist/has-dist
// Start local or remote hadmin tool
sh bin/ <conf_dir> -k <keytab>
// An example of exporting keytabs of localhost(hostname):
admin.local: expkeytabs localhost
admin.local: exit

b. One step to create service principals, export keytabs and deploy keytabs:

cd kerby-dist/has-dist
echo { \
    HOSTS: [ \
       {"name":"<host>","hostRoles":"<role>,..., <role>"\}, \
       {"name":"<host>","hostRoles":"<role>,...,<role>"\} \
    ] \
\} > hosts.txt

// Start local admin tool
sh bin/ <conf_dir> -k <keytab>

// deploy_keytabs [HostRoles-File] [Where-to-Deploy] [SSH-Port] [UserName] [Password]
// Where-to-Deploy: The place to store the keytabs
// UserName: The host user name
// Password: The host password
// All the hosts with the same user and password
admin.local: deploy_keytabs hosts.txt 22 /etc/has/ username password
admin.local: exit

Note: The admin.keytab file is created by the has-init. In local admin tool, you can type “?” for help.

Enable Hadoop ecosystem components