diff --git a/docker/Dockerfile b/docker/Dockerfile index eea0aa7..a68254d 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -48,13 +48,22 @@ ENV RANGER_HOME=/opt/ranger ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # create directories and setup perms -RUN mkdir -p /home/ranger/dist /home/ranger/scripts /opt/ranger && \ - chmod +rx /home/ranger /home/ranger/dist /home/ranger/scripts +RUN mkdir -p ${RANGER_DIST} ${RANGER_SCRIPTS} ${RANGER_HOME} && \ + chmod +rx /home/ranger ${RANGER_DIST} ${RANGER_SCRIPTS} # setup groups and users COPY docker/create_users_and_groups.sh ${RANGER_SCRIPTS} RUN chmod +x /home/ranger/scripts/create_users_and_groups.sh && \ - ./home/ranger/scripts/create_users_and_groups.sh + /home/ranger/scripts/create_users_and_groups.sh + +# Create opensearch user and group +RUN groupadd -g 3002 opensearch && \ + useradd -u 3002 -g opensearch -G hadoop -s /bin/bash opensearch + +# copy kerberos utility scripts +COPY docker/krb/* ${RANGER_SCRIPTS} +RUN chmod 755 ${RANGER_SCRIPTS}/wait_for_keytab.sh && \ + chmod 755 ${RANGER_SCRIPTS}/wait_for_testusers_keytab.sh # change ownerships RUN chown -R ranger:ranger /home/ranger /opt/ranger diff --git a/docker/krb/wait_for_keytab.sh b/docker/krb/wait_for_keytab.sh new file mode 100644 index 0000000..77d0f17 --- /dev/null +++ b/docker/krb/wait_for_keytab.sh 
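Review bot: The wildcard in `COPY docker/krb/* ${RANGER_SCRIPTS}` copies every file present under docker/krb in the build context into an image layer, although only wait_for_keytab.sh and wait_for_testusers_keytab.sh are referenced by the `chmod 755` lines that follow. If a keytab or krb5 configuration is ever dropped into that directory during local testing, it would be baked into the image and stay recoverable from the layer even if a later step removed it. Naming the sources keeps the image contents explicit: `COPY docker/krb/wait_for_keytab.sh docker/krb/wait_for_testusers_keytab.sh ${RANGER_SCRIPTS}/`. The trailing slash matters because Docker requires a directory destination ending in `/` when a COPY has more than one source; RANGER_SCRIPTS is defined outside this hunk, so I cannot confirm its value already ends in one.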
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+RETRY_COUNT="${KEYTAB_RETRY_COUNT:-5}"
+KEYTABS_DIR=/etc/keytabs
+
+KEYTAB=${KEYTABS_DIR}/$1
+
+for i in {1..RETRY_COUNT}; do
+ if [ -f ${KEYTAB} ]
+ then
+ break
+ else
+ echo [INFO] "Waiting for keytab ${KEYTAB}.."
+ sleep 5
+ fi
+done
+
+if [ -f ${KEYTAB} ]
+then
+ echo "[INFO] Found keytab ${KEYTAB}"
+ exit 0
+else
+ echo "[ERROR] Keytab not found: ${KEYTAB}"
+ exit 1
+fi
diff --git a/docker/krb/wait_for_testusers_keytab.sh b/docker/krb/wait_for_testusers_keytab.sh
new file mode 100644
index 0000000..7f887af
--- /dev/null
+++ b/docker/krb/wait_for_testusers_keytab.sh
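Review bot: In docker/krb/wait_for_keytab.sh the loop header `for i in {1..RETRY_COUNT}; do` never retries. Bash performs brace expansion before parameter expansion and the name has no `$`, so the body runs once with the literal word `{1..RETRY_COUNT}` and the script gives up after a single 5-second sleep, whatever KEYTAB_RETRY_COUNT is set to. A C-style loop honours the setting: `for ((i = 0; i < RETRY_COUNT; i++)); do`. The `[ -f ${KEYTAB} ]` tests should also quote the path, as in `[ -f "${KEYTAB}" ]`. Testing `-s` rather than `-f` would avoid reporting success on a keytab that has been created but not yet written; whether the producer writes it atomically is not visible here.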
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+${RANGER_SCRIPTS}/wait_for_keytab.sh testuser1.keytab
+${RANGER_SCRIPTS}/wait_for_keytab.sh testuser2.keytab
+${RANGER_SCRIPTS}/wait_for_keytab.sh testuser3.keytab
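Review bot: docker/krb/wait_for_testusers_keytab.sh exits with the status of its last command only, so a missing testuser1.keytab or testuser2.keytab is reported as success whenever testuser3.keytab is present. A caller gating startup on this script would then proceed without those credentials. Adding `set -e` directly after the license header makes the first failed wait abort the script with a non-zero status. The `${RANGER_SCRIPTS}` prefix is also unquoted and unchecked; writing `"${RANGER_SCRIPTS:?}/wait_for_keytab.sh" testuser1.keytab` fails with a clear message when the variable is unset, instead of trying to run `/wait_for_keytab.sh`.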