Managing UPST Token Exchange

Activating UPST Configuration

User principal session token (UPST) configuration allows Kerberos users on a cluster to access OCI services by exchanging their SPNEGO token with the user principal session token of a user with the same name in the integrated identity domain. At cluster creation, Big Data Service creates a Kerberos token exchange service principal named bds-iamte-xxxxx to facilitate token exchange between Kerberos and OCI Identity. As part of UPST configuration activation, the keytab for this principal is stored in OCI vault as a secret named bds-iamte-keytab-xxxxx. Big Data Service also creates an identity propagation trust configuration in the specified identity domain. These created resources are displayed on the Identity configuration details page after UPST token exchange is activated. To activate UPST configuration on a cluster, you can configure it when creating an identity configuration, or activate it in an ACTIVE identity configuration.

The required parameters include:

  • Vault ID: The vault in which the keytab secret is stored.
  • Master encryption key ID: The encryption key in the selected vault used to encrypt the keytab secret.
  • Cluster admin password: The password for the cluster admin.

Note

  • UPST configuration is only supported for HA/Secure clusters.
  • After the UPST configuration is created, you must create a corresponding user for each Kerberos user in the identity domain, with the correct permissions, before that user can access other OCI services.

Refreshing the UPST Token Exchange Keytab

The token exchange service principal keytab is a secret and must be refreshed regularly. If the keytab is compromised, or you suspect it is, trigger this operation to refresh the token exchange service principal keytab. A new secret version is created in the vault for the refreshed keytab.

Deactivating UPST Configuration

You can deactivate the UPST configuration by clicking Deactivate UPST on the Identity configuration details page. When the UPST configuration is deactivated, Big Data Service cleans up all resources created along with the configuration. After deactivation completes, the UPST subconfiguration is set to the INACTIVE state.

Updating UPST Configuration

After the UPST configuration is ACTIVE, you can change where the token exchange keytab secret is stored by clicking Edit on the Identity configuration details page and providing the new vault location for the secret.

Note

  • This operation triggers a token exchange keytab refresh.
  • If Big Data Service can't store the secret at the new vault location, the UPST configuration fails. You must then deactivate the UPST configuration and reactivate it with the correct permissions or input.