02-03-2017 08:27 AM
Cloudera Enterprise 5.8.3
Following a cluster deletion, old Kerberos credentials remain for service principals on non-existent hosts. I am looking for an automated way to clear down these credentials as they cause problems on new cluster builds when the IP addresses are re-used. I know that I can clear them in Cloudera Manager->Administration->Security->Kerberos Credentials by selecting and regenerating (at which time they disappear) but I'm searching for either an Ansible or Python automation for the same.
02-03-2017 10:37 AM
You have to log in to your Linux box where you have installed the Kerberos server (krb5-server) and run the following commands:
## To log in to Kerberos
## For help
## To list all the available principals
## To Delete a particular principal
:delete_principal <principal name>
Just follow the above steps. Mostly this is one-time work, so I would recommend that you not spend time on automation.
02-03-2017 11:55 AM
02-07-2017 02:39 AM
Thanks for both responses.
The KDC is Windows AD. I have scripts to clear down the principals for the cluster nodes and services for when I remove the clusters. However I still see the principals listed in CM so it must be in its database. If I don't clear these down in the CM GUI then I get errors if a new cluster re-uses some of the IP addresses. The quickest way for me to clear these is to stop all clusters and MGMT services on the CM and regenerate the lot - then it deletes all the principals for non-existent nodes. I'm looking for a scripted way of selectively clearing down a lot of principals listed in CM for non-existent nodes - so that I don't have to stop everything else prior to creating a new cluster. It's also desirable as a scripted solution so I can do automated lights-out cluster builds overnight.
02-08-2017 08:52 AM
I have found a table in the SCM DB called "CREDENTIALS" which has a column called "PRINCIPAL". The list corresponds exactly with what I see on the CM web page. Have tested deleting rows from this table and they do indeed disappear from the web page. This may be all I need to selectively delete credentials for nodes that are already terminated for which the principals have also already been removed.
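A sketch of the selective cleanup described in the last post, added here as an example; it is not code from the thread or from Cloudera. Only the table name CREDENTIALS and the column PRINCIPAL come from the post. The in-memory SQLite database, the host names, the realm and the assumption that principals look like service/host@REALM are constructed for illustration.

```python
import sqlite3

def principal_host(principal):
    """Return the lowercased host part of 'service/host@REALM', or None."""
    name, _, _realm = principal.rpartition("@")
    if not name:                          # no '@REALM' suffix
        return None
    _service, sep, host = name.partition("/")
    return host.lower() if sep and host else None

def stale_principals(conn, live_hosts):
    """Principals in CREDENTIALS whose host is not in live_hosts."""
    live = {h.lower() for h in live_hosts}
    stale = []
    for (principal,) in conn.execute("SELECT PRINCIPAL FROM CREDENTIALS"):
        host = principal_host(principal)
        # Host-less principals cannot be tied to a node, so leave them alone.
        if host is not None and host not in live:
            stale.append(principal)
    return sorted(stale)

def purge_stale(conn, live_hosts, dry_run=True):
    """Delete stale rows in one transaction; dry_run only reports them."""
    stale = stale_principals(conn, live_hosts)
    if not dry_run and stale:
        with conn:                        # commit on success, roll back on error
            conn.executemany("DELETE FROM CREDENTIALS WHERE PRINCIPAL = ?",
                             [(p,) for p in stale])
    return stale

def demo_db():
    """Constructed stand-in for the SCM database (assumed one-column schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CREDENTIALS (PRINCIPAL TEXT)")
    conn.executemany("INSERT INTO CREDENTIALS VALUES (?)", [
        ("hdfs/node1.example.com@EXAMPLE.COM",),
        ("HTTP/node1.example.com@EXAMPLE.COM",),
        ("hdfs/old7.example.com@EXAMPLE.COM",),
        ("yarn/OLD7.example.com@EXAMPLE.COM",),
        ("cloudera-scm@EXAMPLE.COM",),
    ])
    return conn

if __name__ == "__main__":
    db = demo_db()
    for p in purge_stale(db, ["node1.example.com"], dry_run=True):
        print("would delete:", p)
```

Against a real SCM database the parameter placeholder depends on the driver (`?` for sqlite3, `%s` for psycopg2 and the MySQL drivers). Take a database backup and review the dry-run list before running with `dry_run=False`.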