Enabling Kerberos Authentication

Sparkling Water can use Kerberos for user authentication. You need to have login.conf with the content similar to the one below:

krb5loginmodule {
     com.sun.security.auth.module.Krb5LoginModule required
     java.security.krb5.realm="0XDATA.LOC"
     java.security.krb5.kdc="kerberos.0xdata.loc";
};

This configuration file needs to be modified for your specific Kerberos configuration.

Generally, to enable Kerberos authentication you need to set the following environmental properties:

  • spark.ext.h2o.kerberos.login=true

  • spark.ext.h2o.login.conf=kerberos.conf

  • spark.ext.h2o.user.name=username

where kerberos.conf is the configuration file for the Kerberos connection and username is a username of your Kerberos account that will be used for authentication to the H2O-3 cluster.

Configuring Kerberos Auth in Scala

You can pass the required properties directly as Spark properties, such as:

./bin/sparkling-shell \
--conf spark.ext.h2o.kerberos.login=true \
--conf spark.ext.h2o.login.conf=kerberos.conf \
--conf spark.ext.h2o.user.name=username

And later, you can create H2OContext as:

import org.apache.spark.h2o._
val conf = new H2OConf(spark).setUserName("username").setPassword("password")
val hc = H2OContext.getOrCreate(spark, conf)

Or, you can also use setters available on H2OConf as:

import org.apache.spark.h2o._
val conf = new H2OConf(spark).setLoginConf("kerberos.conf").setKerberosLoginEnabled().setUserName("username").setPassword("password")
val hc = H2OContext.getOrCreate(spark, conf)

Later when accessing Flow, you will be asked for the username and password of the user you specified in the configuration property spark.ext.h2o.user.name or via the method setUserName.

Configuring Kerberos Auth in Python (PySparkling)

You can pass the required properties directly as Spark properties, such as:

./bin/pysparkling \
--conf spark.ext.h2o.kerberos.login=true \
--conf spark.ext.h2o.login.conf=kerberos.conf \
--conf spark.ext.h2o.user.name=username

And later, you can create H2OContext as:

from pysparkling import *
conf = H2OConf(spark).setUserName("username").setPassword("password")
hc = H2OContext.getOrCreate(spark, conf)

Or, you can also use setters available on H2OConf as:

from pysparkling import *
conf = H2OConf(spark).setLoginConf("kerberos.conf").setKerberosLoginEnabled().setUserName("username").setPassword("password")
hc = H2OContext.getOrCreate(spark, conf)

You can see that in the case of PySparkling, you need to also specify the username and password as part of the H2OContext call. This is required because you want to have the Python client authenticated as well.

Later when accessing Flow, you will be asked for the username and password of the user you specified in the configuration property spark.ext.h2o.user.name or via the method setUserName.