Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Regenerating Kerberos Keytabs from Ambari API

Labels (1)
Labels:
avatar
author-rank vbonthu
Expert Contributor

Created on ‎06-04-2018 05:52 PM

Short Description:

Describes ways to manually regenerate keytabs for services through Ambari REST API

Article

Make sure KDC credentials are added to Ambari credentials store. You can follow this Article to perform.

Once KDC credentials are added. You can use the below Ambari's REST API to regenerate keytabs.

curl -H "X-Requested-By:ambari" -u <Ambari_Admin_username>:<Amabri_Admin_password> -X PUT -d '{ "Clusters": { "security_type" : "KERBEROS" } }' http://<Ambari_HOST>:8080/api/v1/clusters/<Cluster_Name>/?regenerate_keytabs=all

Example : 

curl -H "X-Requested-By:ambari" -u admin:admin -X PUT -d '{ "Clusters": { "security_type" : "KERBEROS" } }' http://172.26.108.142:8080/api/v1/clusters/vinod/?regenerate_keytabs=all&ignore_config_updates=true


Once the Keytabs are regenerated it requires Service restart to use the newly generated keytabs.


2,343 Views
Comments

Re: Regenerating Kerberos Keytabs from Ambari API

avatar
author-rank Kartik_Agarwal author-rank
Master Collaborator

Created on ‎09-29-2021 11:22 PM

To invoke kerberos related operations via Ambari APIs requires, we store the KDC credentials to the Ambari's credential store.

For more information on the same please refer to: https://community.cloudera.com/t5/Community-Articles/Adding-KDC-Administrator-Credentials-to-the-Amb...

 

1. To set up Ambari's credential store, the following command must be invoked from the Ambari server host's command line:

# ambari-server setup-security

Then choose option [2] Encrypt passwords stored in ambari.properties file.

 

2. Review the changes. Once this is complete, the Ambari credential store will be located at /var/lib/ambari-server/keys/credentials.jceks.

 

3. Restart ambari server.

 

4. Now we should be able to store the KDC credentials to the ambari credentials store.

 

# curl -u admin:admin -H 'X-Requested-By: ambari' -X POST -d '{ 'Credential' : {'principal' : 'admin/admin@EXAMPLE.COM', 'key' : 'admin','type' : 'persisted'}}' http://example.com:8080/api/v1/clusters/kerberos_ambari/credentials/kdc.admin.credential

 

5. After this we should be able to run the Kerberos API calls like following:

 

Regenerate for all

 

curl -u admin:admin -H 'X-Requested-By: ambari' -X PUT -d '{'Clusters':{'security_type':'KERBEROS'}}' http://example.com:8080/api/v1/clusters/kerberos_ambari?regenerate_keytabs=all

 

(OR) Below is for missing once.

 

curl -u admin:admin -H 'X-Requested-By: ambari' -X PUT -d '{'Clusters':{'security_type':'KERBEROS'}}' http://example.com:8080/api/v1/clusters/kerberos_ambari?regenerate_keytabs=missing

Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements
Version history
Last update:
‎06-04-2018 05:52 PM
Updated by:
Expert Contributor
Contributors