Docker with kerberos

Administrator: installation, configuration
#1

Hello

I’m trying to run Hue 4.8.0 inside a docker with kerberos, and I’m facing an issue during the kinit.
I’m looking for a solution.

root@myhost:~# docker pull gethue/hue:4.8.0
4.8.0: Pulling from gethue/hue
root@myhost:~# docker run -d -it -p 8888:8888 -v /tmp/hue.ini:/usr/share/hue/desktop/conf/z-hue.ini -v /etc/security/keytabs/hue.service.keytab:/etc/security/keytabs/hue.service.keytab -v /etc/krb5.conf:/etc/krb5.conf:ro gethue/hue:4.8.0 &

[12/Jan/2021 10:37:03 +0100] kt_renewer INFO Reinitting kerberos retry attempt 1 from keytab /usr/bin/kinit -k -t /etc/security/keytabs/hue.service.keytab -c /tmp/hue_krb5_ccache hue/di-dbdne-fe-develophdpcep-01.node.fe.sd.diod.tech@DIOD.TECH
[12/Jan/2021 10:37:04 +0100] kt_renewer ERROR Couldn’t reinit from keytab! `kinit’ exited with 1.
kinit: Pre-authentication failed: Permission denied while getting initial credentials

The config file hue.ini, the keytab hue.service.keytab and the kerberos config file krb5.conf are the ones that I use on the same server when I run Hue without docker.

Thanks in advance

#2

I also tried to start the docker with the default configuration, and I suceeded to execute the command kinit inside the docker container.

root@myhost:~# docker run -d -it -p 8888:8888 -v /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/security/keytabs/hue.service.keytab:/etc/security/keytabs/hue.service.keytab gethue/hue:4.8.0 & [1] 8563
root@myhost:~# docker exec -ti 97a943ae0515 /bin/bash
root@97a943ae0515:/usr/share/hue# /usr/bin/kinit -k -t /etc/security/keytabs/hue.service.keytab -c /tmp/hue_krb5_ccache hue/myhost@EXAMPLE.TECH -V
Using specified cache: /tmp/hue_krb5_ccache
Using principal: hue/myhost@DIOD.TECH
Using keytab: /etc/security/keytabs/hue.service.keytab
Authenticated to Kerberos v5
root@97a943ae0515:/usr/share/hue# klist -c /tmp/hue_krb5_ccache
Ticket cache: FILE:/tmp/hue_krb5_ccache
Default principal: hue/myhost@EXAMPLE.TECH

I don’t understand why the kinit failed during the start with a specific configuration file and with the same values for the kerberos parameters listed below:

[[kerberos]]

# Path to Hue's Kerberos keytab file
hue_keytab=/etc/security/keytabs/hue.service.keytab
# Kerberos principal name for Hue
hue_principal="hue/myhost@EXAMPLE.TECH"
# Frequency in seconds with which Hue will renew its keytab
#keytab_reinit_frequency=3600
# Path to keep Kerberos credentials cached
ccache_path=/tmp/hue_krb5_ccache
# Path to kinit
kinit_path=/usr/bin/kinit
#3

The error was due to the permissions on the keytab file on the host server