https://community.cloudera.com/t5/Archives-of-Support-Questions/Enable-Kerberos-via-Ambari-Blueprint/m-p/125873#M31103 <A rel="user" href="https://community.cloudera.com/users/404/tveil.html" nodeid="404">@Tim Veil</A><P>Ambari will require kerberos admin principal in turn to create principals and keytabs for hadoop services. This is a pre-requisite that needs to be manually done.</P><P>An admin kdc credential can be created by manually executing following command:</P><P>kadmin.local -q 'addprinc -pw admin admin/admin'</P><P>Other pre-requisites include:</P><P>1) Existing and working KDC. </P><P>2) Install and configure Kerberos client on Ambari server</P><P>3) making sure the JCE policies are present on all hosts. This is taken care by ambari if user selects default option of Ambari provisioned JDK while setting up ambari-server. But if user selects custom JDK then user needs to make sure that JCE policies are present on all hosts.</P> Wed, 08 Jun 2016 08:22:04 GMT jaimin 2016-06-08T08:22:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Enable-Kerberos-via-Ambari-Blueprint/m-p/125872#M31102 <P>I'm trying to create an ambari blueprint that will provision a single node cluster using KERBEROS (see <A href="https://issues.apache.org/jira/browse/AMBARI-13431" target="_blank">https://issues.apache.org/jira/browse/AMBARI-13431</A> and <A href="https://cwiki.apache.org/confluence/display/AMBARI/Blueprints#Blueprints-BlueprintExample:ProvisioningMulti-NodeHDP2.3ClustertouseKERBEROS">Ambari Blueprint Example</A>). My confusion is around the "credentials" block in the cluster creation template. All available documentation includes this snippet:</P><PRE>"credentials" : [ { "alias" : "kdc.admin.credential", "principal" : "admin/admin", "key" : "admin", "type" : "TEMPORARY" } ] </PRE><P>My question is this... Are the principal and key (password) included above intended to describe <EM><STRONG>new</STRONG> </EM>credentials (to be created/used by ambari) or <EM><STRONG>existing</STRONG> </EM>credentials previously created by calling something like:</P><PRE>kadmin.local -q "addprinc admin/admin"</PRE><P>It boils down to what KERBEROS configuration is required before using Blueprints to install and configure the cluster. In otherwords, how much of <A href="http://docs.hortonworks.com/HDPDocuments/Ambari-2.2.2.0/bk_Ambari_Security_Guide/content/_optional_install_a_new_mit_kdc.html">this</A> should be done before creating the cluster via blueprints. </P> Wed, 08 Jun 2016 08:10:06 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Enable-Kerberos-via-Ambari-Blueprint/m-p/125872#M31102 tveil 2016-06-08T08:10:06Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Enable-Kerberos-via-Ambari-Blueprint/m-p/125873#M31103 <A rel="user" href="https://community.cloudera.com/users/404/tveil.html" nodeid="404">@Tim Veil</A><P>Ambari will require kerberos admin principal in turn to create principals and keytabs for hadoop services. This is a pre-requisite that needs to be manually done.</P><P>An admin kdc credential can be created by manually executing following command:</P><P>kadmin.local -q 'addprinc -pw admin admin/admin'</P><P>Other pre-requisites include:</P><P>1) Existing and working KDC. </P><P>2) Install and configure Kerberos client on Ambari server</P><P>3) making sure the JCE policies are present on all hosts. This is taken care by ambari if user selects default option of Ambari provisioned JDK while setting up ambari-server. But if user selects custom JDK then user needs to make sure that JCE policies are present on all hosts.</P> Wed, 08 Jun 2016 08:22:04 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Enable-Kerberos-via-Ambari-Blueprint/m-p/125873#M31103 jaimin 2016-06-08T08:22:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Enable-Kerberos-via-Ambari-Blueprint/m-p/125874#M31104 <A rel="user" href="https://community.cloudera.com/users/404/tveil.html" nodeid="404">@Tim Veil</A> you might find this post helpful as a reference, or to integrate into your project:<P><A href="https://community.hortonworks.com/articles/29203/automated-kerberos-installation-and-configuration.html" target="_blank">https://community.hortonworks.com/articles/29203/automated-kerberos-installation-and-configuration.html</A></P> Thu, 09 Jun 2016 01:19:51 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Enable-Kerberos-via-Ambari-Blueprint/m-p/125874#M31104 amiller 2016-06-09T01:19:51Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Enable-Kerberos-via-Ambari-Blueprint/m-p/125875#M31105 <P>This was the hint I needed. <A target="_blank" href="https://github.com/timveil/hdp-vagrant-generator/blob/master/examples/kerberos/Vagrantfile">Here</A> is a link to the Vagrantfile I used to test. It includes both the Kerberos command prerequisites and the Ambari Blueprint with related calls. The key, for me, was ensuring this was run before creating submitting the blueprint.</P><PRE># make sure Kerberos packages are installed yum install krb5-libs krb5-server krb5-workstation -y # modify Kerberos files sed -i "s/kerberos.example.com/hdp-common-secure.hdp.local/gI" /etc/krb5.conf sed -i "s/EXAMPLE.COM/hdp.local/gI" /etc/krb5.conf sed -i "s/#//g" /etc/krb5.conf sed -i "s/EXAMPLE.COM/hdp.local/gI" /var/kerberos/krb5kdc/kadm5.acl # create Kerberos database and add principal. "Bbh2z8HrVx" is my master password kdb5_util create -s -P Bbh2z8HrVx kadmin.local -q 'addprinc -pw admin admin/admin' -w Bbh2z8HrVx # start and enable Kerberos services systemctl start krb5kdc systemctl enable krb5kdc systemctl start kadmin systemctl enable kadmin </PRE> Fri, 10 Jun 2016 02:10:00 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Enable-Kerberos-via-Ambari-Blueprint/m-p/125875#M31105 tveil 2016-06-10T02:10:00Z