in sagemaker_studio_sparkmagic_lib/emr.py [0:0]
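def get_krb_conf(self):
    """
    Generate kerberos configuration parameters for a given EMR cluster.
    These configuration parameters are used for constructing krb5.conf
    Returned configuration is a two layered dictionary with top level keys for "sections"
    defined in kerberos config
    https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#sections
    {
        "libdefaults": {}
        "realms": {}
        "domain_realm": {}
    }

    Inputs (read from the instance):
      * ``self._cluster["KerberosAttributes"]["Realm"]`` -- the cluster's realm.
      * ``self._sec_conf["AuthenticationConfiguration"]["KerberosConfiguration"]``
        -- the Kerberos part of the EMR security configuration.
      * ``self._get_region()`` and ``self.primary_node_private_dns_name()``.

    Returns:
        dict[str, dict[str, Any]] with the three sections above.  ``libdefaults``
        always carries ``default_realm``; ``ticket_lifetime`` is added only for the
        two providers this function understands (``ClusterDedicatedKdc`` and
        ``ExternalKdc``).  Any other provider string yields only the primary-node
        defaults.

    Raises:
        KeyError: when the cluster has no ``KerberosAttributes`` or the security
        configuration lacks the keys above (i.e. the cluster is not Kerberized).

    Security note: every KDC / admin-server host in the result is copied verbatim
    from the cluster description and its security configuration.  The notebook
    will send authentication requests to exactly those hosts, so the trust placed
    in the generated krb5.conf is the trust placed in that EMR configuration.
    """
    # Good overview of kerberos configuration
    # https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-create-security-configuration.html#emr-kerberos-cli-parameters
    emr_realm_name = self._cluster["KerberosAttributes"]["Realm"]
    # DNS Search value is used for domain_realm mappings and other kerberos properties
    # We have learned that using DNS Search is needed instead of AWS default DNS values for kerberos to work
    search = utils.get_domain_search(self._get_region())

    properties = {
        "libdefaults": {"default_realm": emr_realm_name},
        "realms": {},
        "domain_realm": {},
    }

    def add_realm(realm, kdc, admin_server, domain):
        """Register (or overwrite) ``realm`` and map ``domain`` and ``.domain`` to it."""
        properties["realms"][realm] = {
            "kdc": kdc,
            "admin_server": admin_server,
            "default_domain": domain,
        }
        # Two distinct keys: per the krb5.conf docs linked above, the bare
        # domain matches a host of exactly that name while the leading-dot
        # form matches every host underneath the domain.
        properties["domain_realm"][domain] = realm
        properties["domain_realm"][f".{domain}"] = realm

    # Kerberos server config on EMR cluster: by default the cluster's own KDC
    # and kadmin run on the primary node (ports 88 / 749).
    primary = self.primary_node_private_dns_name()
    add_realm(emr_realm_name, f"{primary}:88", f"{primary}:749", search)

    sec_krb_conf = self._sec_conf["AuthenticationConfiguration"][
        "KerberosConfiguration"
    ]
    krb_provider = sec_krb_conf["Provider"]
    kdc_conf = None
    if krb_provider == "ClusterDedicatedKdc":
        kdc_conf = sec_krb_conf["ClusterDedicatedKdcConfiguration"]
        # A cross-realm trust (typically to Active Directory) is optional.
        if "CrossRealmTrustConfiguration" in kdc_conf:
            cross_realm_conf = kdc_conf["CrossRealmTrustConfiguration"]
            add_realm(
                cross_realm_conf["Realm"],
                cross_realm_conf["KdcServer"],
                cross_realm_conf["AdminServer"],
                cross_realm_conf["Domain"],
            )
    elif krb_provider == "ExternalKdc":
        kdc_conf = sec_krb_conf["ExternalKdcConfiguration"]
        # For external kdc configuration default realm-properties should point to external kdc server
        # (this replaces the primary-node entry registered above; domain_realm is unchanged).
        add_realm(
            emr_realm_name,
            kdc_conf["KdcServer"],
            kdc_conf["AdminServer"],
            search,
        )
        # AD integration is optional for an external KDC, just like the
        # cross-realm trust above; indexing it unconditionally raised KeyError
        # for external KDCs without AD integration.
        if "AdIntegrationConfiguration" in kdc_conf:
            ad_integ_conf = kdc_conf["AdIntegrationConfiguration"]
            # For external kdc configuration parameter AdServer is not documented in EMR public docs
            # We found from some use cases that parameter AdServer Exists
            # and it should be used as KDC Server.  Without it the AD domain
            # name itself is used as the KDC/admin host, which only works if
            # that name resolves to a domain controller (presumably the case
            # for AD domains; verify for a given deployment).
            ad_server = ad_integ_conf.get("AdServer", ad_integ_conf["AdDomain"])
            add_realm(
                ad_integ_conf["AdRealm"],
                ad_server,
                ad_server,
                ad_integ_conf["AdDomain"],
            )
    # NOTE(review): an unrecognised provider is not an error here; the caller
    # gets the primary-node defaults with no ticket_lifetime (pre-existing behaviour).

    if kdc_conf is not None:
        # Both known providers expose TicketLifetimeInHours; 24h is the EMR default.
        properties["libdefaults"][
            "ticket_lifetime"
        ] = f'{kdc_conf.get("TicketLifetimeInHours", "24")}h'
    return properties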