Immanuelbint Docs

Appearance

Automating kinit Using Shell Script

Problem

In Kerberized environments, authenticating as a specific Hadoop service user requires running kinit with the corresponding keytab. Doing this repeatedly for different services manually is time consuming and error prone, especially in large scale systems.

Goal

To reduce repetition by automating the kinit process based on available service keytabs, while still allowing manual override when needed.

Solution – Bash Script for Flexible kinit

Features:

  • Auto-detect service name and keytab location from a predefined list.
  • Allow manual override for custom services.
  • Validate keytab file existence before attempting authentication.
  • Print success/failure feedback.

Script Example

Create a file named kinit.sh and paste the following:

bash
#!/bin/bash
## Setup logging
function log() {
  if [[ -n "${LOG:-}" ]]; then
    printf '%s\n' "$*" | tee -a "$LOG" >&2
  else
    printf '%s\n' "$*" >&2
  fi
}
function fatal() { log "ERROR: $*"; exit 1; }

## Declare known keytabs in an associative array
declare -A KEYTABS
KEYTABS["hdfs"]="/etc/security/keytabs/hdfs.headless.keytab"
KEYTABS["yarn"]="/etc/security/keytabs/yarn.service.keytab"
KEYTABS["hbase"]="/etc/security/keytabs/hbase.service.keytab"
KEYTABS["hive"]="/etc/security/keytabs/hive.service.keytab"
KEYTABS["storm"]="/etc/security/keytabs/storm.headless.keytab"
KEYTABS["kafka"]="/etc/security/keytabs/kafka.service.keytab"
KEYTABS["solr"]="/etc/security/keytabs/solr.service.keytab"
KEYTABS["spark"]="/etc/security/keytabs/spark.service.keytab"

## Get service name input
read -r -p "Enter service name you'd like to kinit => " response
response=$(echo "$response" | tr '[:upper:]' '[:lower:]')

## Check if service exists
if [[ -n "${KEYTABS[$response]}" ]]; then
    keytab_path="${KEYTABS[$response]}"
else
    log "Service not found. Would you like to specify a custom keytab?"
    read -r -p "(y/n) => " userinput
    if [[ "$userinput" =~ ^[Yy]$ ]]; then
        read -r -p "Enter full path to keytab => " keytab_path
    else
        exit 0
    fi
fi

## Validate keytab and perform kinit
if [[ -f "$keytab_path" ]]; then
    principal=$(klist -kt "$keytab_path" | grep @ | awk '{print $NF}' | head -n 1)
    if [[ -n "$principal" ]]; then
        kinit -kt "$keytab_path" "$principal"
        log "INFO: Successfully authenticated with keytab: $keytab_path"
    else
        fatal "No principal found in keytab."
    fi
else
    fatal "Keytab file not found at $keytab_path"
fi

Usage

  1. Make the script executable:
bash
chmod +x kinit.sh
  1. Run the script:
bash
bash kinit.sh

Notes and Improvements

This script is part of an ongoing learning project and may not fully reflect best practices. Future improvements include:

  • Adding support for JSON-based config files.
  • Full automation using arguments (e.g. --service=hdfs).
  • Improved error handling and logging.
  • Secure credential handling via environment variables or vault integration.

I'm actively improving this script toward production-ready standards.