Created on 06-04-2018 05:52 PM
Short Description:
Describes ways to manually regenerate keytabs for services through Ambari REST API
Article
Make sure the KDC credentials are added to the Ambari credential store. You can follow this Article to do so.
Once the KDC credentials are added, you can use the Ambari REST API call below to regenerate keytabs.
curl -H "X-Requested-By:ambari" -u <Ambari_Admin_username>:<Ambari_Admin_password> -X PUT -d '{ "Clusters": { "security_type" : "KERBEROS" } }' "http://<Ambari_HOST>:8080/api/v1/clusters/<Cluster_Name>/?regenerate_keytabs=all"
Example:
curl -H "X-Requested-By:ambari" -u admin:admin -X PUT -d '{ "Clusters": { "security_type" : "KERBEROS" } }' "http://172.26.108.142:8080/api/v1/clusters/vinod/?regenerate_keytabs=all&ignore_config_updates=true"
Once the keytabs are regenerated, the services must be restarted to use the newly generated keytabs.
Created on 09-29-2021 11:22 PM
Invoking Kerberos-related operations via the Ambari APIs requires that we store the KDC credentials in Ambari's credential store.
For more information on the same please refer to: https://community.cloudera.com/t5/Community-Articles/Adding-KDC-Administrator-Credentials-to-the-Amb...
1. To set up Ambari's credential store, the following command must be invoked from the Ambari server host's command line:
# ambari-server setup-security
Then choose option [2] Encrypt passwords stored in ambari.properties file.
2. Review the changes. Once this is complete, the Ambari credential store will be located at /var/lib/ambari-server/keys/credentials.jceks.
3. Restart ambari server.
4. Now we should be able to store the KDC credentials to the ambari credentials store.
# curl -u admin:admin -H 'X-Requested-By: ambari' -X POST -d '{ "Credential" : { "principal" : "admin/admin@EXAMPLE.COM", "key" : "admin", "type" : "persisted" } }' "http://example.com:8080/api/v1/clusters/kerberos_ambari/credentials/kdc.admin.credential"
5. After this we should be able to run the Kerberos API calls like following:
Regenerate for all
curl -u admin:admin -H 'X-Requested-By: ambari' -X PUT -d '{"Clusters":{"security_type":"KERBEROS"}}' "http://example.com:8080/api/v1/clusters/kerberos_ambari?regenerate_keytabs=all"
(OR) Below is for missing ones.
curl -u admin:admin -H 'X-Requested-By: ambari' -X PUT -d '{"Clusters":{"security_type":"KERBEROS"}}' "http://example.com:8080/api/v1/clusters/kerberos_ambari?regenerate_keytabs=missing"
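A wrapper for the regenerate call described in the article and in the comment above, as an added example that is not part of the original posts or of Ambari itself. It accepts only the `all` and `missing` modes, restricts the cluster name to a conservative character set (an assumption of this example), and hands the credentials to curl on stdin instead of on the command line. The function names and the AMBARI_URL, AMBARI_USER and AMBARI_PASS variables are hypothetical.

```shell
#!/bin/sh
# Added example; function and variable names are assumptions, not Ambari's.

# Build the request URL. Only the two modes shown on this page are accepted.
regen_url() {
  local base="$1" cluster="$2" mode="$3" skip_cfg="${4:-false}" url
  case "$mode" in
    all|missing) ;;
    *) echo "mode must be 'all' or 'missing'" >&2; return 2 ;;
  esac
  # The cluster name lands in the URL path: allow a conservative set only
  # (assumption of this example), so it cannot add path or query parts.
  case "$cluster" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid cluster name" >&2; return 2 ;;
  esac
  url="${base%/}/api/v1/clusters/${cluster}?regenerate_keytabs=${mode}"
  if [ "$skip_cfg" = true ]; then
    url="${url}&ignore_config_updates=true"
  fi
  printf '%s\n' "$url"
}

# Emit a curl config line for basic auth. Backslashes and double quotes are
# escaped because curl interprets them inside quoted config values.
curl_user_config() {
  printf 'user = "%s"\n' "$(printf '%s:%s' "$1" "$2" | sed 's/[\\"]/\\&/g')"
}

# Send the PUT. The credentials reach curl through "-K -" (config on stdin),
# so they do not show up in the process list or in shell history.
regen_keytabs() {
  local url
  url="$(regen_url "$AMBARI_URL" "$1" "$2" "${3:-false}")" || return
  curl_user_config "$AMBARI_USER" "$AMBARI_PASS" |
    curl -K - -sS --fail -H 'X-Requested-By: ambari' -X PUT \
         -d '{ "Clusters": { "security_type": "KERBEROS" } }' "$url"
}

# Usage: AMBARI_URL=... AMBARI_USER=... AMBARI_PASS=... \
#        sh script.sh run <cluster> all|missing [true]
if [ "${1:-}" = run ]; then
  regen_keytabs "$2" "$3" "${4:-false}"
fi
```

With `--fail`, curl exits non-zero when Ambari answers with an HTTP error, so a rejected request is not mistaken for a started regeneration.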