Support Questions

gvishal · ‎06-01-2017

Hello Team, Do we need to re-do the Kerberos and SSL set up again after the upgrade to HDP 2.5 from HDP 2.3 or HDP 2.4. Thanks

gmartin · ‎06-01-2017

@Vishal Gupta

Would always advise to review the documentation on the Ambari and HDP upgrade. Generally, no, you don't need to re-gen all of the keytabs or SSL in the cluster as part of an upgrade - though Ambari will generate keytabs as required post-upgrade.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-upgrade/content/upgrading_HDP_pos...

There are certain cases which need some attention (e.g. Kafka at 2.2, Ranger HA, etc.).

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/index.html

You can raise a ticket with Hortonworks Support prior to the upgrade, as they can inform you on any known issues (if you have a subscription). Also, would recommend to move to 2.5.5 if moving to 2.5.

And testing is imperative. Would advise to test all of the components under representative use cases.

View solution in original post

rlevas · ‎06-01-2017

I assumed that this was in the documentation, but a quick search revealed that it is not. After upgrading either Ambari or HDP (or both), you should regenerate the missing keytab files and restart the services by

Log into Ambari using an Ambari Administrator account
Go to the Kerberos Administrator page (Admin -> Kerberos)
Click on Regenerate Keytabs button
On the first page of the dialog that appears, click on the checkbox for "Only regenerate keytabs for missing hosts and components"
Continue to the next page
Click on the checkbox for "Automatically restart components after keytab regeneration"
Complete the dialog

As of Ambari 2.5.x and below, Ambari does not have a way to automatically create new Kerberos identities or keytab files during either the Ambari or stack upgrade processes. So the user is expected to do this manually using the steps above.

gmartin · ‎06-01-2017