
Remove kerberos credentials via an API for deleted cluster hosts

Cloudera Enterprise 5.8.3

Following a cluster deletion, old Kerberos credentials remain for service principals on non-existent hosts. I am looking for an automated way to clear down these credentials as they cause problems on new cluster builds when the IP addresses are re-used. I know that I can clear them in Cloudera Manager->Administration->Security->Kerberos Credentials by selecting and regenerating (at which time they disappear) but I'm searching for either an Ansible or Python automation for the same.


Re: Remove kerberos credentials via an API for deleted cluster hosts

@JohnButcher

You have to log in to your Linux box where you have installed the Kerberos server (krb5-server) and run the following commands:

## To log in to kerberos
$ kadmin.local

## For help
: ?

## To list all the available principals
: list_principals

## To delete a particular principal
: delete_principal <principal name>

: quit

Just follow the above steps. Mostly this is one-time work, so I would recommend that you not spend time on automation.


Re: Remove kerberos credentials via an API for deleted cluster hosts

What is listed in Cloudera Manager->Administration->Security->Kerberos Credentials is what was created or found on the KDC you set up for CM. I don't know if the information is also stored in the CM database. If you didn't delete the principal manually from the KDC when you removed the old hosts, then what probably just happened was that CM deleted it from the KDC for you (if it has the access to do so). Otherwise, the principal was gone already and there was just a reference in the CM DB.

You could script something up to clear out the principals from the KDC. You may still need to regenerate from CM to get them removed there, unless you want to mess with the CM DB, which I do not recommend.

Re: Remove kerberos credentials via an API for deleted cluster hosts

Thanks for both responses.

The KDC is Windows AD. I have scripts to clear down the principals for the cluster nodes and services for when I remove the clusters. However, I still see the principals listed in CM, so it must be in its database. If I don't clear these down in the CM GUI then I get errors if a new cluster re-uses some of the IP addresses. The quickest way for me to clear these is to stop all clusters and MGMT services on the CM and regenerate the lot; then it deletes all the principals for non-existent nodes. I'm looking for a scripted way of selectively clearing down a lot of principals listed in CM for non-existent nodes, so that I don't have to stop everything else prior to creating a new cluster. It's also desirable as a scripted solution so I can do automated lights-out cluster builds overnight.


Re: Remove kerberos credentials via an API for deleted cluster hosts

I have found a table in the SCM DB called "CREDENTIALS" which has a column called "PRINCIPAL". The list corresponds exactly with what I see on the CM web page. Have tested deleting rows from this table and they do indeed disappear from the web page. This may be all I need to selectively delete credentials for nodes that are already terminated for which the principals have also already been removed. 
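As an added illustration (not the poster's script and not Cloudera's code) of the selective clean-up described in this last post: the only schema facts it takes from the thread are the CREDENTIALS table and its PRINCIPAL column; an in-memory SQLite database with constructed rows stands in for the real SCM DB, whose other columns and constraints are not known here, and the set of live hostnames is an assumed input (in practice it would come from the CM hosts list). Only principals whose host part names a node that no longer exists are removed; host-less user principals are never touched.

```python
import re
import sqlite3

# Kerberos principal: <service>/<host>@<REALM>; user principals (cloudera-scm@REALM) have no host.
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)(?:/(?P<host>[^@]+))?@(?P<realm>.+)$")

def parse_principal(principal):
    """Split a principal into (service, host, realm); host is None for user principals."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return m.group("service"), m.group("host"), m.group("realm")

def stale_principals(conn, live_hosts):
    """Principals in CREDENTIALS whose host part names a node that no longer exists.
    Host-less principals are never reported: they cannot be tied to a deleted node."""
    live = {h.lower() for h in live_hosts}
    stale = []
    for (principal,) in conn.execute("SELECT PRINCIPAL FROM CREDENTIALS ORDER BY PRINCIPAL"):
        _, host, _ = parse_principal(principal)
        if host is not None and host.lower() not in live:
            stale.append(principal)
    return stale

def delete_principals(conn, principals, dry_run=True):
    """Delete the given rows; returns rows removed (0 in dry-run, which changes nothing).
    Against the real SCM DB: take a DB backup and stop cloudera-scm-server first."""
    if dry_run or not principals:
        return 0
    cur = conn.executemany("DELETE FROM CREDENTIALS WHERE PRINCIPAL = ?", [(p,) for p in principals])
    conn.commit()
    return cur.rowcount

def demo():
    # Constructed sample: in-memory SQLite stands in for the SCM DB; only the column the post names.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CREDENTIALS (PRINCIPAL TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO CREDENTIALS VALUES (?)", [
        ("hdfs/node1.example.com@EXAMPLE.COM",),
        ("yarn/node1.example.com@EXAMPLE.COM",),
        ("hdfs/node9.example.com@EXAMPLE.COM",),   # node9 was deleted with the old cluster
        ("HTTP/node9.example.com@EXAMPLE.COM",),
        ("cloudera-scm@EXAMPLE.COM",),             # user principal, no host: must be kept
    ])
    live_hosts = {"node1.example.com", "node2.example.com"}  # assumed input, e.g. from the CM hosts list
    stale = stale_principals(conn, live_hosts)
    removed = delete_principals(conn, stale, dry_run=False)
    remaining = [r[0] for r in conn.execute("SELECT PRINCIPAL FROM CREDENTIALS ORDER BY PRINCIPAL")]
    return stale, removed, remaining
```

Run `demo()` to see the two node9 principals selected and removed while the node1 and user principals stay; run `delete_principals` with the default `dry_run=True` first against a real database to review the list before anything is changed.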
