May 21, 2019

Airflow Kerberos Configuration

I recently set up Kerberos authentication in Airflow, and below are the steps I took. I am running Airflow in a Docker container and I will publish the setup soon.


Cunningham’s Law: “the best way to get the right answer on the internet is not to ask a question; it’s to post the wrong answer”.

Disclaimer: Please post a comment if I am wrong on anything


Prerequisites:

  • This assumes you have krb5-user installed on a Debian-based OS

  • You have a valid krb5.conf in /etc

  • rc4-hmac is a permitted session key encryption type in your krb5.conf

1. Create a Kerberos keytab file using the following command

[root@test~]$ ktutil

ktutil: add_entry -password -p user@email.com -k 1 -e rc4-hmac
Password for user@email.com:

ktutil: wkt airflow.keytab

2. Set up the configuration parameters in airflow.cfg

[kerberos]
ccache = /tmp/airflow_krb5_ccache
principal = user@email.com
reinit_frequency = 3600
kinit_path = kinit
keytab = airflow.keytab

3. Set the KRB5CCNAME environment variable to /tmp/airflow_krb5_ccache so that libraries that look for cached Kerberos tickets can find it. By default, applications look for cached Kerberos tickets in /tmp/krb5cc_${uid}, so we need to override it.

export KRB5CCNAME=/tmp/airflow_krb5_ccache
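
A pre-flight check for steps 2 and 3, as an added example that is not part of the original post: it reads the [kerberos] section of airflow.cfg and reports a KRB5CCNAME that does not match ccache, a relative keytab path, and a keytab readable by anyone other than its owner. The function names and the choice to look for a relative keytab beside airflow.cfg are assumptions of this example; the sample file is constructed from the values above.

```python
import configparser
import os
import stat
import tempfile

def check_kerberos_setup(cfg_path, env):
    """Return a list of problems found in the [kerberos] section of airflow.cfg."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(cfg_path)
    krb = cfg["kerberos"]
    problems = []
    # Step 3: KRB5CCNAME must name the same cache as airflow.cfg.
    # libkrb5 also accepts a "FILE:" prefix on the value.
    ccname = env.get("KRB5CCNAME", "")
    if ccname.startswith("FILE:"):
        ccname = ccname[len("FILE:"):]
    if ccname != krb["ccache"]:
        problems.append("KRB5CCNAME does not match ccache")
    # A relative keytab path depends on the reading process's working directory.
    # Assumption of this example: look for it beside airflow.cfg.
    keytab = krb["keytab"]
    if not os.path.isabs(keytab):
        problems.append("keytab path is relative")
        keytab = os.path.join(os.path.dirname(cfg_path), keytab)
    # A keytab holds the principal's long-term key: owner-only access.
    if not os.path.isfile(keytab):
        problems.append("keytab not found")
    elif stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:
        problems.append("keytab readable by group or others")
    return problems

def demo():
    """Run the check on a constructed airflow.cfg that uses the post's values."""
    d = tempfile.mkdtemp()
    cfg_path = os.path.join(d, "airflow.cfg")
    with open(cfg_path, "w") as f:
        f.write("[kerberos]\nccache = /tmp/airflow_krb5_ccache\n"
                "principal = user@email.com\nreinit_frequency = 3600\n"
                "kinit_path = kinit\nkeytab = airflow.keytab\n")
    keytab = os.path.join(d, "airflow.keytab")
    open(keytab, "wb").close()  # empty stand-in, not a real keytab
    os.chmod(keytab, 0o644)
    return check_kerberos_setup(cfg_path, {})  # KRB5CCNAME deliberately unset

if __name__ == "__main__":
    for problem in demo():
        print("WARN:", problem)
```

Pass `os.environ` as the second argument to check the environment of the process that will actually run Airflow.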


© Mike Hosseini 2019