Does Kerberos need to be redone after a Hadoop upgrade?

Contributor

Hello Team, do we need to redo the Kerberos and SSL setup again after the upgrade to HDP 2.5 from HDP 2.3 or HDP 2.4? Thanks

1 ACCEPTED SOLUTION

Expert Contributor

@Vishal Gupta

Would always advise to review the documentation on the Ambari and HDP upgrade. Generally, no, you don't need to re-gen all of the keytabs or SSL in the cluster as part of an upgrade - though Ambari will generate keytabs as required post-upgrade.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-upgrade/content/upgrading_HDP_pos...

There are certain cases which need some attention (e.g. Kafka at 2.2, Ranger HA, etc.).

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/index.html

You can raise a ticket with Hortonworks Support prior to the upgrade, as they can inform you on any known issues (if you have a subscription). Also, would recommend to move to 2.5.5 if moving to 2.5.

And testing is imperative. Would advise to test all of the components under representative use cases.

3 REPLIES

I assumed that this was in the documentation, but a quick search revealed that it is not. After upgrading either Ambari or HDP (or both), you should regenerate the missing keytab files and restart the services as follows:

  1. Log into Ambari using an Ambari Administrator account
  2. Go to the Kerberos Administrator page (Admin -> Kerberos)
  3. Click on the Regenerate Keytabs button
  4. On the first page of the dialog that appears, click on the checkbox for "Only regenerate keytabs for missing hosts and components"
  5. Continue to the next page
  6. Click on the checkbox for "Automatically restart components after keytab regeneration"
  7. Complete the dialog

As of Ambari 2.5.x and below, Ambari does not have a way to automatically create new Kerberos identities or keytab files during either the Ambari or stack upgrade processes. So the user is expected to do this manually using the steps above.
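An added example, not part of the original thread and not Ambari code: a post-upgrade check that parses `klist -kte` listings and reports which expected service principals have no keytab entry, which is the case the "missing hosts and components" option above is meant to cover. The host names, realm, keytab paths and the `newsvc` component are constructed for illustration.

```python
import re

# One `klist -kte` entry: KVNO, timestamp, principal, (enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+.*?\s(\S+@\S+)\s+\(([^)]+)\)\s*$")

# Constructed sample listings (hosts, principals and realm are made up).
NN_KEYTAB = """\
Keytab name: FILE:/path/to/nn.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   2 01/15/2017 10:02:11 nn/master1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/20/2017 08:30:45 nn/master1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/20/2017 08:30:45 nn/master1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""
SPNEGO_KEYTAB = """\
Keytab name: FILE:/path/to/spnego.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   1 01/15/2017 10:02:11 HTTP/master1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""
# Hypothetical expected set; "newsvc" stands for a component added by the upgrade.
EXPECTED = [
    "nn/master1.example.com@EXAMPLE.COM",
    "HTTP/master1.example.com@EXAMPLE.COM",
    "newsvc/master1.example.com@EXAMPLE.COM",
]

def parse_klist(text):
    """Return {principal: {"kvno": highest KVNO seen, "enctypes": set}}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        rec = entries.setdefault(principal, {"kvno": kvno, "enctypes": set()})
        rec["kvno"] = max(rec["kvno"], kvno)
        rec["enctypes"].add(enctype)
    return entries

def missing_principals(expected, klist_outputs):
    """Expected principals with no entry in any of the given keytab listings."""
    present = set()
    for text in klist_outputs:
        present.update(parse_klist(text))
    return sorted(set(expected) - present)

if __name__ == "__main__":
    for p in missing_principals(EXPECTED, [NN_KEYTAB, SPNEGO_KEYTAB]):
        print("no keytab entry for", p)
```

To use it on a real cluster, replace the sample strings with the output of `klist -kte <keytab>` collected from each host and `EXPECTED` with the principals your cluster's Kerberos configuration defines.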

Contributor

Thanks Graham and Robert. This is helpful.