Support Questions

Find answers, ask questions, and share your expertise
Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Does Kerberos needs to be redone after a Hadoop Upgrade

Explorer

Hello Team, Do we need to re-do the Kerberos and SSL set up again after the upgrade to HDP 2.5 from HDP 2.3 or HDP 2.4. Thanks

1 ACCEPTED SOLUTION

Expert Contributor

@Vishal Gupta

Would always advise to review the documentation on the Ambari and HDP upgrade. Generally, no, you don't need to re-gen all of the keytabs or SSL in the cluster as part of an upgrade - though Ambari will generate keytabs as required post-upgrade.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-upgrade/content/upgrading_HDP_pos...

There are certain cases which need some attention (e.g. Kafka at 2.2, Ranger HA, etc.).

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/index.html

You can raise a ticket with Hortonworks Support prior to the upgrade, as they can inform you on any known issues (if you have a subscription). Also, would recommend to move to 2.5.5 if moving to 2.5.

And testing is imperative. Would advise to test all of the components under representative use cases.

View solution in original post

3 REPLIES 3

I assumed that this was in the documentation, but a quick search revealed that it is not. After upgrading either Ambari or HDP (or both), you should regenerate the missing keytab files and restart the services by

  1. Log into Ambari using an Ambari Administrator account
  2. Go to the Kerberos Administrator page (Admin -> Kerberos)
  3. Click on Regenerate Keytabs button
  4. On the first page of the dialog that appears, click on the checkbox for "Only regenerate keytabs for missing hosts and components"
  5. Continue to the next page
  6. Click on the checkbox for "Automatically restart components after keytab regeneration"
  7. Complete the dialog

As of Ambari 2.5.x and below, Ambari does not have a way to automatically create new Kerberos identities or keytab files during either the Ambari or stack upgrade processes. So the user is expected to do this manually using the steps above.

Expert Contributor

@Vishal Gupta

Would always advise to review the documentation on the Ambari and HDP upgrade. Generally, no, you don't need to re-gen all of the keytabs or SSL in the cluster as part of an upgrade - though Ambari will generate keytabs as required post-upgrade.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-upgrade/content/upgrading_HDP_pos...

There are certain cases which need some attention (e.g. Kafka at 2.2, Ranger HA, etc.).

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/index.html

You can raise a ticket with Hortonworks Support prior to the upgrade, as they can inform you on any known issues (if you have a subscription). Also, would recommend to move to 2.5.5 if moving to 2.5.

And testing is imperative. Would advise to test all of the components under representative use cases.

Explorer

Thanks Graham and Robert. This is helpful.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.