Short Description:

Describes ways to manually regenerate keytabs for services through Ambari REST API

Article

Make sure the KDC credentials are added to the Ambari credential store. You can follow this Article to do so.

Once the KDC credentials are added, you can use the Ambari REST API call below to regenerate keytabs.

curl -H "X-Requested-By:ambari" -u <Ambari_Admin_username>:<Ambari_Admin_password> -X PUT -d '{ "Clusters": { "security_type" : "KERBEROS" } }' "http://<Ambari_HOST>:8080/api/v1/clusters/<Cluster_Name>/?regenerate_keytabs=all"

Example:

curl -H "X-Requested-By:ambari" -u admin:admin -X PUT -d '{ "Clusters": { "security_type" : "KERBEROS" } }' "http://172.26.108.142:8080/api/v1/clusters/vinod/?regenerate_keytabs=all&ignore_config_updates=true"


Once the keytabs are regenerated, the services must be restarted to use the newly generated keytabs.
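
A wrapper for the regeneration call, as an added example that is not part of the original article: it validates the mode and cluster name, quotes the URL so that `&ignore_config_updates=true` reaches Ambari instead of being split off by the shell, and lets curl prompt for the admin password. `AMBARI_URL`, `CLUSTER`, `AMBARI_USER`, the function names and the script name `regen.sh` are assumptions, as is the response shape used to extract the request id.

```shell
#!/bin/sh
# Added example, not from the original article. AMBARI_URL, CLUSTER and AMBARI_USER
# are hypothetical environment variables chosen for this sketch.

# Build the regenerate_keytabs URL. Rejects unknown modes and cluster names that
# could smuggle extra path or query components into the request (the allowed
# character set is a conservative assumption).
build_regen_url() {
  local base="$1" cluster="$2" mode="$3" ignore_cfg="${4:-false}" url
  case "$cluster" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid cluster name" >&2; return 1 ;;
  esac
  case "$mode" in
    all|missing) ;;
    *) echo "mode must be 'all' or 'missing'" >&2; return 1 ;;
  esac
  url="${base%/}/api/v1/clusters/${cluster}?regenerate_keytabs=${mode}"
  if [ "$ignore_cfg" = true ]; then
    url="${url}&ignore_config_updates=true"
  fi
  printf '%s\n' "$url"
}

# Pull the numeric request id out of the JSON returned by the PUT
# (assumed shape: { "Requests" : { "id" : N, "status" : "Accepted" } }).
request_id() {
  sed -n 's/.*"id"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Send the PUT. Passing only the user name to -u makes curl prompt for the
# password, so it never appears in shell history or the process list.
regen_keytabs() {
  local url
  url=$(build_regen_url "$AMBARI_URL" "$CLUSTER" "${1:-missing}" "${2:-false}") || return 1
  curl -sS --fail -H 'X-Requested-By: ambari' -u "$AMBARI_USER" -X PUT \
    -d '{"Clusters":{"security_type":"KERBEROS"}}' "$url"
}

# Usage: AMBARI_URL=... CLUSTER=... AMBARI_USER=... sh regen.sh run [all|missing]
if [ "${1:-}" = run ]; then
  id=$(regen_keytabs "${2:-missing}" | request_id)
  echo "Ambari request id: ${id:-unknown}"
fi
```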


Comments
Master Collaborator

To invoke Kerberos-related operations via the Ambari APIs, we need to store the KDC credentials in Ambari's credential store.

For more information on the same please refer to: https://community.cloudera.com/t5/Community-Articles/Adding-KDC-Administrator-Credentials-to-the-Amb...

 

1. To set up Ambari's credential store, the following command must be invoked from the Ambari server host's command line:

# ambari-server setup-security

Then choose option [2] Encrypt passwords stored in ambari.properties file.

 

2. Review the changes. Once this is complete, the Ambari credential store will be located at /var/lib/ambari-server/keys/credentials.jceks.

 

3. Restart ambari server.

 

4. Now we should be able to store the KDC credentials to the ambari credentials store.

 

# curl -u admin:admin -H 'X-Requested-By: ambari' -X POST -d '{ "Credential" : {"principal" : "admin/admin@EXAMPLE.COM", "key" : "admin", "type" : "persisted"}}' 'http://example.com:8080/api/v1/clusters/kerberos_ambari/credentials/kdc.admin.credential'

 

5. After this we should be able to run the Kerberos API calls like the following:

 

Regenerate for all

 

curl -u admin:admin -H 'X-Requested-By: ambari' -X PUT -d '{"Clusters":{"security_type":"KERBEROS"}}' 'http://example.com:8080/api/v1/clusters/kerberos_ambari?regenerate_keytabs=all'

 

(OR) Below is for missing ones.

curl -u admin:admin -H 'X-Requested-By: ambari' -X PUT -d '{"Clusters":{"security_type":"KERBEROS"}}' 'http://example.com:8080/api/v1/clusters/kerberos_ambari?regenerate_keytabs=missing'