Downloading MRS Cluster User Credentials

If you develop big data applications and run them in an MRS cluster that requires Kerberos authentication, you need to prepare a user authentication file for accessing the MRS cluster. The keytab file in the authentication files is used for user authentication.

This topic describes how to download user authentication files and export the keytab file on MRS Manager.

After a user password is changed, the exported keytab file becomes invalid, and you need to export a keytab file again.

Prerequisites

Before downloading the keytab file of a Human-Machine user, the password of the user must be changed at least once on the Manager portal or a client; otherwise, the downloaded keytab file cannot be used For details, see Changing the Passwords for Manager Users of an MRS Cluster.

Downloading Authentication Credential Files (for Versions Earlier Than MRS 3.5.0)

Log in to Manager.

For MRS 3.x and later versions, choose System > Permission > User.

For versions earlier than MRS 3.x, choose System > Permission > Manage User.
Locate the row that contains the user whose keytab file needs to be exported, choose More > Download Authentication Credential, specify the save path after the file is automatically generated, and keep the file properly.

The authentication credential includes the krb5.conf file of the Kerberos service.

After the authentication credential file is decompressed, you can obtain the following two files:
- The krb5.conf file contains the authentication service connection information.
- The user.keytab file contains user authentication information.

Downloading Authentication Credential Files (for MRS 3.5.0 and Later)

Log in to FusionInsight Manager.
Choose System > Permission > User.
Locate the row that contains the target user, and choose More > Download Authentication Credential.

Select a location for downloading the authentication credential and set related parameters.

If the credential is downloaded to the server or a remote node, delete it after using it to prevent leakage.

Browser: Download the file to the local computer.
Server: Download the file to the active OMS node of the cluster.
The generated file is stored in the /tmp/FusionInsight-Keytab/ directory on the active OMS node by default. If the path does not exist, it will be created. If the path already has an authentication credential file, it will be overwritten. For user omm, write permission for the path is required.

After the file is generated, copy the downloaded package to another directory as the omm user.

Remote Node: Download the file to a node other than the active OMS node. If you select this option, you need to set the following parameters:

**Table 1** Parameters for downloading to a remote node
Parameter	Example Value	Description
Save to Path	/tmp/FusionInsight-Keytab-Remote/	Path for storing the authentication credential file. If there is already a credential file in the path, it will be overwritten. The user for logging in to the remote node must have the write permission for the path.
Host IP Address	x.x.x.x	IP address of the remote node.
Host Port	22	Host port of the remote node.
Username	xxx	Username for logging in to the remote node. The user must have the write permission for the path.
Authentication Method	Password	You can choose one of the following methods: Password: Use the password for login. None: To use this method, passwordless login needs to be enabled.
Password	xxx	Enter the password when Authentication Method is set to Password. Password for logging in to the remote node.

Click OK. Properly keep the file.

The authentication credential contains the krb5.conf file of Kerberos.

After the authentication credential file is decompressed, you can obtain the following two files:
- The krb5.conf file contains the authentication service connection information.
- The user.keytab file contains user authentication information.