Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Does Kerberos needs to be redone after a Hadoop Upgrade

Solved Go to solution

Does Kerberos needs to be redone after a Hadoop Upgrade

Explorer

Hello Team, Do we need to re-do the Kerberos and SSL set up again after the upgrade to HDP 2.5 from HDP 2.3 or HDP 2.4. Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Does Kerberos needs to be redone after a Hadoop Upgrade

Expert Contributor

@Vishal Gupta

Would always advise to review the documentation on the Ambari and HDP upgrade. Generally, no, you don't need to re-gen all of the keytabs or SSL in the cluster as part of an upgrade - though Ambari will generate keytabs as required post-upgrade.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-upgrade/content/upgrading_HDP_pos...

There are certain cases which need some attention (e.g. Kafka at 2.2, Ranger HA, etc.).

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/index.html

You can raise a ticket with Hortonworks Support prior to the upgrade, as they can inform you on any known issues (if you have a subscription). Also, would recommend to move to 2.5.5 if moving to 2.5.

And testing is imperative. Would advise to test all of the components under representative use cases.

View solution in original post

3 REPLIES 3
Highlighted

Re: Does Kerberos needs to be redone after a Hadoop Upgrade

I assumed that this was in the documentation, but a quick search revealed that it is not. After upgrading either Ambari or HDP (or both), you should regenerate the missing keytab files and restart the services by

  1. Log into Ambari using an Ambari Administrator account
  2. Go to the Kerberos Administrator page (Admin -> Kerberos)
  3. Click on Regenerate Keytabs button
  4. On the first page of the dialog that appears, click on the checkbox for "Only regenerate keytabs for missing hosts and components"
  5. Continue to the next page
  6. Click on the checkbox for "Automatically restart components after keytab regeneration"
  7. Complete the dialog

As of Ambari 2.5.x and below, Ambari does not have a way to automatically create new Kerberos identities or keytab files during either the Ambari or stack upgrade processes. So the user is expected to do this manually using the steps above.

Highlighted

Re: Does Kerberos needs to be redone after a Hadoop Upgrade

Expert Contributor

@Vishal Gupta

Would always advise to review the documentation on the Ambari and HDP upgrade. Generally, no, you don't need to re-gen all of the keytabs or SSL in the cluster as part of an upgrade - though Ambari will generate keytabs as required post-upgrade.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-upgrade/content/upgrading_HDP_pos...

There are certain cases which need some attention (e.g. Kafka at 2.2, Ranger HA, etc.).

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/index.html

You can raise a ticket with Hortonworks Support prior to the upgrade, as they can inform you on any known issues (if you have a subscription). Also, would recommend to move to 2.5.5 if moving to 2.5.

And testing is imperative. Would advise to test all of the components under representative use cases.

View solution in original post

Highlighted

Re: Does Kerberos needs to be redone after a Hadoop Upgrade

Explorer

Thanks Graham and Robert. This is helpful.

Don't have an account?
Coming from Hortonworks? Activate your account here