Updating the Kerberos keytab file

If you update BDD's current keytab file or create a new one, you can use the bdd-admin script to publish the new or updated file to the rest of the cluster.

When you run the script, you must provide it with the absolute path to the new or modified file. The script renames the specified file to bdd.keytab (if necessary) and copies it to $BDD_HOME/common/kerberos on all nodes.

For more information on updating your Kerberos configuration with the bdd-admin script, see kerberos.

To update the keytab file:

  1. On the Admin Server, edit the current BDD keytab file or create a new one.

    The current file is named bdd.keytab and located in $BDD_HOME/common/kerberos.

  2. Go to $BDD_HOME/BDD_manager/bin and run:
    ./bdd-admin.sh publish-config kerberos -t <file>
    Where <file> is the absolute path to the new or modified keytab file.
  3. Restart your cluster so the changes take effect:
    ./bdd-admin.sh restart
    The above command will shut the cluster down gracefully, which may take a long time. You can optionally specify -t <minutes> to force a shutdown sooner.
  4. On each Transform Service node, restart k5start with the new keytab file by running the following command from $BDD_HOME/transformservice/:
    ./k5start -f $KERBEROS_KEYTAB_PATH -K <ticket_refresh> -l <ticket_lifetime> $KERBEROS_PRINCIPAL -b > <logfile> 2>&1
    Where:
    • $KERBEROS_KEYTAB_PATH and $KERBEROS_PRINCIPAL are the values of those properties defined in bdd.conf. Be sure to use the path to the new keytab file.
    • <ticket_refresh> is the rate at which the Transform Service's Kerberos ticket is refreshed, in minutes. For example, a value of 60 would set its ticket to be refreshed every 60 minutes, or every hour. You can optionally use the value for KERBEROS_TICKET_REFRESH_INTERVAL in bdd.conf.
    • <ticket_lifetime> is the amount of time the Transform Service's Kerberos ticket is valid for. This should be given as a number followed by a supported unit of time: s, m, h, or d. For example, 10h (10 hours) or 10m (10 minutes). You can optionally use the value for KERBEROS_TICKET_LIFETIME in bdd.conf.
    • <logfile> is the absolute path to the log file you want k5start to write to.
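The following helper is an added example, not part of BDD or its bdd-admin tooling: it reads the four Kerberos properties named in step 4 from a bdd.conf-style KEY=value file, rejects a malformed <ticket_refresh> or <ticket_lifetime> or a keytab that is readable by anyone other than its owner, and prints the exact k5start command line without running it. The sample bdd.conf contents, principal and paths are constructed for the example.

```shell
# Added helper, not part of BDD or the bdd-admin tooling: reads the Kerberos
# properties from a bdd.conf-style KEY=value file, validates the k5start
# arguments from step 4, and prints the resulting k5start command line without
# running it. Sample file contents and paths below are constructed.

# Read one KEY=value property (first match, surrounding double quotes removed).
bdd_conf_get() {
    sed -n "s/^$1=//p" "$2" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# <ticket_lifetime> must be a number followed by s, m, h or d, e.g. 10h.
valid_lifetime() { printf '%s' "$1" | grep -Eq '^[0-9]+[smhd]$'; }

# <ticket_refresh> is a whole number of minutes.
valid_refresh() { printf '%s' "$1" | grep -Eq '^[0-9]+$'; }

# A keytab holds long-term keys: only accept a file readable by its owner alone.
keytab_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Build the step 4 command from bdd.conf; fail instead of emitting a bad line.
build_k5start_cmd() {
    conf=$1 logfile=$2
    keytab=$(bdd_conf_get KERBEROS_KEYTAB_PATH "$conf")
    principal=$(bdd_conf_get KERBEROS_PRINCIPAL "$conf")
    refresh=$(bdd_conf_get KERBEROS_TICKET_REFRESH_INTERVAL "$conf")
    lifetime=$(bdd_conf_get KERBEROS_TICKET_LIFETIME "$conf")
    valid_refresh "$refresh" || { echo "bad refresh interval: '$refresh'" >&2; return 1; }
    valid_lifetime "$lifetime" || { echo "bad ticket lifetime: '$lifetime'" >&2; return 1; }
    keytab_private "$keytab" || { echo "keytab missing or too permissive: '$keytab'" >&2; return 1; }
    printf './k5start -f %s -K %s -l %s %s -b > %s 2>&1\n' \
        "$keytab" "$refresh" "$lifetime" "$principal" "$logfile"
}

# Constructed sample inputs so the helper runs offline.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_KEYTAB="$SAMPLE_DIR/bdd.keytab"
: > "$SAMPLE_KEYTAB" && chmod 600 "$SAMPLE_KEYTAB"
SAMPLE_CONF="$SAMPLE_DIR/bdd.conf"
cat > "$SAMPLE_CONF" <<EOF
KERBEROS_KEYTAB_PATH="$SAMPLE_KEYTAB"
KERBEROS_PRINCIPAL=bdd-service@EXAMPLE.COM
KERBEROS_TICKET_REFRESH_INTERVAL=60
KERBEROS_TICKET_LIFETIME=10h
EOF
build_k5start_cmd "$SAMPLE_CONF" "$SAMPLE_DIR/k5start.log"
```

Point the script at the real bdd.conf on a Transform Service node and compare its output with the command you are about to type; a non-zero exit means one of the inputs from step 4 needs fixing first.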