How do I renew an expired Kerberos ticket that I use for Amazon EMR authentication?

Resolution

To renew an expired Kerberos ticket, complete the following steps:

1. To connect to the Amazon EMR primary node, use SSH.

2. To confirm that the Kerberos ticket is expired, run the klist command. If no credentials are cached, then the ticket is expired.

   [hadoop@ip-xxx-x-x-xxx ~]$ klist
   klist: No credentials cache found (filename: /tmp/krb5cc_498)

3. To confirm the Kerberos principal name, list the contents of the keytab file:

   [hadoop@ip-xxx-x-x-xxx ~]$ klist -kt /etc/hadoop.keytab
   Keytab name: FILE:/etc/hadoop.keytab
   KVNO Timestamp           Principal
   ---- ------------------- ------------------------------------------------------
      2 07/04/2019 21:48:46 hadoop/ip-xxx-x-x-xxx.ec2.internal@EC2.INTERNAL
      2 07/04/2019 21:48:46 hadoop/ip-xxx-x-x-xxx.ec2.internal@EC2.INTERNAL
      2 07/04/2019 21:48:46 hadoop/ip-xxx-x-x-xxx.ec2.internal@EC2.INTERNAL

4. To renew the Kerberos ticket, run kinit. Specify the keytab file and the principal:

   [hadoop@ip-xxx-x-x-xxx ~]$ kinit -kt /etc/hadoop.keytab hadoop/ip-xxx-x-x-xxx.ec2.internal@EC2.INTERNAL

5. Confirm that the credentials are cached:

   [hadoop@ip-xxx-x-x-xxx ~]$ klist
   Ticket cache: FILE:/tmp/krb5cc_498
   Default principal: hadoop/ip-xxx-x-x-xxx.ec2.internal@EC2.INTERNAL
   Valid starting       Expires              Service principal
   11/04/2019 22:13:47  11/05/2019 08:13:47  krbtgt/EC2.INTERNAL@EC2.INTERNAL
   renew until 11/06/2019 22:13:47

6. To confirm that the Kerberos ticket works, run an HDFS command:

   [hadoop@ip-XXX-XX-XX-XXX ~]$ hdfs dfs -ls /
   Found 4 items
   drwxr-xr-x   - hdfs hadoop          0 2019-11-05 22:45 /apps
   drwxrwxrwt   - hdfs hadoop          0 2019-11-05 22:46 /tmp
   drwxr-xr-x   - hdfs hadoop          0 2019-11-05 22:45 /user
   drwxr-xr-x   - hdfs hadoop          0 2019-11-05 22:45 /var

Related information

Use Kerberos for authentication with Amazon EMR