Configure Kerberos Authentication
Ice Flow supports per-catalog Kerberos authentication, enabling secure access to Hadoop and Hive catalogs that require Kerberos tickets. Each catalog can authenticate as a different principal, so you can connect to multiple secured clusters simultaneously.
Enable Kerberos on a Catalog
- Create or edit a catalog (see Manage Catalogs)
- Set the Authentication field to Kerberos
- Fill in the Kerberos fields (see below)
- Save the catalog
Required Fields
Principal
The Kerberos principal to authenticate as:
- Standard form:
iceflow@EXAMPLE.COM - With hostname:
iceflow/host.example.com@EXAMPLE.COM - Headless (no hostname):
hdfs@EXAMPLE.COM
If the principal contains _HOST, it is automatically resolved to the local
hostname at login time.
Keytab
The keytab contains the encrypted credentials for the principal. Provide it in one of two ways:
File path on server (default)
: Enter the absolute path to a keytab file on the Ice Flow host, e.g.
/etc/security/keytabs/iceflow.keytab. The file must be readable by the
user running the Ice Flow process.
Upload keytab file
: Click the upload toggle and select a .keytab file from your local machine.
The file content is stored securely as part of the catalog configuration.
This is useful when you cannot place files on the server directly (e.g.
container deployments).
Optional: Override krb5.conf
If the Ice Flow host's /etc/krb5.conf does not include the KDC configuration
for this catalog's Kerberos realm:
- Check Override krb5.conf content
- Paste the realm-specific
krb5.confcontent into the text field
Ice Flow merges every catalog's snippet (plus the host file) into a single
krb5.conf for the JVM, so multiple catalogs in non-cross-realm clusters can
coexist without one overwriting the others. You can inspect the merged result
on the Authentication page.
Example snippet for a single catalog:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
If you need full control over the merged krb5.conf — for site-wide encryption
types, [capaths] for cross-realm trust, or any other directive that auto-merge
cannot infer — switch the Authentication
page to Manual mode and supply the file verbatim.
Supported Catalog Types
Kerberos authentication is primarily used with Hadoop and Hive catalogs, which rely on Hadoop's security layer. Other catalog types use their own authentication mechanisms:
| Catalog type | Kerberos support | Notes |
|---|---|---|
| Hadoop | Yes | Primary use case |
| Hive | Yes | SASL transport configured automatically |
| JDBC | No | Uses JDBC credentials |
| AWS Glue | No | Uses AWS IAM credentials |
| REST | No | Uses REST API tokens |
| Nessie | No | Uses Nessie API tokens |
Hive Metastore SASL Configuration
For Kerberized Hive catalogs, Ice Flow automatically injects the SASL transport properties required by the Hive Metastore Thrift client:
metastore.sasl.enabled = truehive.metastore.sasl.enabled = true- HMS service principal derived from the catalog principal's realm (defaults to
hive/_HOST@REALM, where_HOSTis substituted by the Hive metastore client with the metastore hostname from the catalog URI)
You do not need to set these properties manually. If the HMS is registered
under a non-standard service name, set kerberos_hms_principal on the catalog
to override the default. A raw hive.metastore.kerberos.principal or
metastore.kerberos.principal catalog property (e.g. carried over from a
hive-site.xml import) is also honoured and takes precedence over the
auto-derived default.
Storage Access
A catalog's Kerberos credentials are used for all operations, including reading and writing data files in HDFS warehouses. There is no separate authentication for warehouses — the catalog principal must have read/write access to the warehouse paths used by that catalog.
Multi-Realm Replication
When replicating between catalogs in different Kerberos realms, each catalog is configured with its own principal and keytab. Cross-realm trust is not required.
During replication:
- Source file reads use the source catalog's principal
- Target file writes use the target catalog's principal
Ice Flow manages separate Kerberos identity contexts per catalog.
Obtaining a Keytab
Use kadmin or your cluster's identity management tool to create a service
principal and export a keytab:
# Create a principal
kadmin -q "addprinc -randkey iceflow@EXAMPLE.COM"
# Export the keytab
kadmin -q "ktadd -k /etc/security/keytabs/iceflow.keytab iceflow@EXAMPLE.COM"
# Set restrictive permissions
chmod 600 /etc/security/keytabs/iceflow.keytab
Verify the keytab contains the expected principal:
klist -k /etc/security/keytabs/iceflow.keytab