Running Mappings in the Hadoop Environment when Informatica Does not Use Kerberos Authentication

When the Hadoop environment uses Kerberos authentication but the Informatica domain does not, you must explicitly enable mappings to run in the Kerberos-enabled Hadoop environment. The Hadoop cluster must use Microsoft Active Directory as the KDC.
For example, HypoStores Corporation needs to run jobs that process more than 10 terabytes of data on a Hadoop cluster that uses Kerberos authentication. HypoStores has an Informatica domain that does not use Kerberos authentication. The HypoStores administrator must enable the Informatica domain to communicate with the Hadoop cluster. Then, the administrator must enable mappings to run on the Hadoop cluster.
The HypoStores administrator must perform the following configuration tasks:
  1. Create matching operating system profile user names on each Hadoop cluster node.
  2. Create the principal name for the Data Integration Service in the KDC and keytab file.
  3. Specify the Kerberos authentication properties for the Data Integration Service.

Step 1. Create Matching Operating System Profile Names

Create matching operating system profile user names on the machine that runs the Data Integration Service and each Hadoop cluster node to run Informatica mapping jobs.
For example, if user joe runs the Data Integration Service on a machine, you must create the user joe with the same operating system profile on each machine on which a Hadoop cluster node runs.
Open a UNIX shell and enter the following UNIX command to create a user with the user name joe.
useradd joe

Step 2. Create the Principal Names and Keytab File in the AD KDC

Create an SPN in the KDC database for Microsoft Active Directory service that matches the user name of the user that runs the Data Integration Service. Create a keytab file for the SPN on the machine where the KDC runs. Then, copy the keytab file to the machine where the Data Integration Service runs.
To create an SPN and keytab file in the Active Directory server, complete the following steps:
  1. Create a user in the Microsoft Active Directory Service.
     Log in to the machine on which the Microsoft Active Directory Service runs and create a user with the same name as the user you created in Step 1. Create Matching Operating System Profile Names.
  2. Create an SPN associated with the user.
Use the following guidelines when you create the SPN and keytab files:

Step 3. Specify the Kerberos Authentication Properties for the Data Integration Service

When you run the Hadoop Configuration Manager, you enter values for the following properties that enable the Data Integration Service to connect to a Hadoop cluster that uses Kerberos authentication:
Hadoop Kerberos Service Principal Name
Service Principal Name (SPN) of the Data Integration Service to connect to a Hadoop cluster that uses Kerberos authentication.
Hadoop Kerberos Keytab
Path and file name of the Kerberos keytab file on the machine on which the Data Integration Service runs.
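
The following script is an added example, not part of the Informatica documentation or product. It checks, on the machine that runs the Data Integration Service, that the operating system user from Step 1 exists, that the keytab from Step 2 is readable only by that user, and that the keytab holds a principal whose first component matches the user name. The function names and the script name are assumptions, and the permission check is an added hardening step that this guide does not state; `klist -k` is the MIT Kerberos command that lists the entries in a keytab.

```shell
#!/bin/sh
# Added example (not Informatica code): checks on the Data Integration Service machine.
# Function names are illustrative; `klist -k` is the MIT Kerberos keytab listing.

# Succeeds when the principal's first component (before '/' or '@') equals the OS user.
principal_matches_user() {
    primary=${1%%@*}          # drop the realm
    primary=${primary%%/*}    # drop the instance, if present
    [ "$primary" = "$2" ]
}

# Reads `klist -k` output on stdin and prints each distinct principal once.
principals_from_klist() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Succeeds when the keytab is a regular file owned by the user with no group/other access.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    listing=$(ls -ld -- "$1")
    group_other=$(printf '%s\n' "$listing" | cut -c5-10)
    owner=$(printf '%s\n' "$listing" | awk '{ print $3 }')
    [ "$group_other" = "------" ] && [ "$owner" = "$2" ]
}

# Runs all checks for one user and keytab; prints the first failure found.
check_dis_keytab() {
    user=$1; keytab=$2
    id "$user" >/dev/null 2>&1 || { echo "FAIL: OS user $user does not exist"; return 1; }
    keytab_perms_ok "$keytab" "$user" || { echo "FAIL: $keytab must be owned by $user with no group or other permissions"; return 1; }
    for p in $(klist -k "$keytab" | principals_from_klist); do
        if principal_matches_user "$p" "$user"; then
            echo "OK: $keytab holds $p for OS user $user"
            return 0
        fi
    done
    echo "FAIL: no principal in $keytab matches OS user $user"
    return 1
}

# Usage: sh check_keytab.sh joe /path/to/joe.keytab   (script name and path are placeholders)
if [ "$#" -eq 2 ]; then
    check_dis_keytab "$1" "$2"
fi
```

Run it after copying the keytab file to the Data Integration Service machine and before entering the keytab path in the Hadoop Configuration Manager.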