Enabling Proxy Users

Before pipelines can use proxy users with Kerberos authentication, you must install the required Kerberos client packages on the Transformer machine and then configure the environment variables used by the K5start program.

Tip: Spark recommends using a Kerberos principal and keytab rather than a proxy user. To require that pipelines be configured with a Kerberos principal and keytab, do not enable proxy users.

On Linux, install the following Kerberos client packages on the Transformer machine:
- krb5-workstation
- krb5-client
- K5start, also known as kstart
Copy the keytab file that contains the credentials for the Kerberos principal to the Transformer machine.

Add the following environment variables to the Transformer environment configuration file.Define the following environment variables on the Transformer machine.

Modify environment variables using the method required by your installation type.


Environment Variable	Description
TRANSFORMER_K5START_CMD	Absolute path to the `K5start` program on the Transformer machine.
TRANSFORMER_K5START_KEYTAB	Absolute path and name of the Kerberos keytab file copied to the Transformer machine.
TRANSFORMER_K5START_PRINCIPAL	Kerberos principal to use. Enter a service principal.

Restart Transformer.