
Adding Active Directory Users on Hadoop Cluster with Kerberos Enabled


Explorer

Dear Community,

 

Actually, I have a Hadoop Hortonworks cluster with Kerberos enabled.

The users who need access are in an AD repository.

I can add some users and test that users could submit their jobs successfully.

 

But the issue here is that I have to add every user on all nodes and also register every user's keytab on all nodes.

This is OK for 1 or 2 users but not for 50 or 100.

I am creating keytabs using ktutil, so I have to ask every user to type his password!!

Is there any other tip to do this?

How can I register keytabs for a domain not per user?

Should I do it per user?

Any idea will be appreciated.

 

Thanks

Asma

3 REPLIES

Re: Adding Active Directory Users on Hadoop Cluster with Kerberos Enabled

Expert Contributor

@asmarz You don't have to create every user manually. This can be taken care of by Ambari itself. Our doc says:

When you enable Kerberos, if you choose to use an Existing MIT KDC or Existing Active Directory, the Kerberos Wizard prompts for information related to the KDC, the KDC Admin Account credentials, and the Service and Ambari principals. Once provided, Ambari will automatically create principals, generate keytabs and distribute keytabs to the hosts in the cluster. The services will be configured for Kerberos and the service components are restarted to authenticate against the KDC. This is the Kerberos Automated Setup option.

 

Please follow the docs below for this:

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/_managing_admin_credential...

 

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/_use_an_existing_active_di...


Re: Adding Active Directory Users on Hadoop Cluster with Kerberos Enabled

Explorer

Thank you for your reply.

 

I first configured only the Ambari server and the edge node with Active Directory (Samba), then I enabled Kerberos. I got a lot of principals generated on Hadoop, but for Spark, YARN ...

Users from AD could not connect and execute their jobs.

Then I configured the other nodes (name nodes and data nodes) with Active Directory and added users manually, and then they were able to use the cluster.

So I don't understand why I did not get the automatic thing for AD users? Should I regenerate keytabs from the Ambari server?
It is really a blocking issue for me.

Thanks a lot in advance.


Re: Adding Active Directory Users on Hadoop Cluster with Kerberos Enabled

Explorer

In the second link that you have attached, there is a link to centrifugal and it is about adding tickets for users, example we user .. it should be done manually for each user ..

 

 
