Enable Kerberos via Ambari Blueprint

Contributor

I'm trying to create an Ambari blueprint that will provision a single node cluster using KERBEROS (see https://issues.apache.org/jira/browse/AMBARI-13431 and Ambari Blueprint Example). My confusion is around the "credentials" block in the cluster creation template. All available documentation includes this snippet:

"credentials" : [
  {
    "alias" : "kdc.admin.credential",
    "principal" : "admin/admin",
    "key" : "admin",
    "type" : "TEMPORARY"
  }
]

My question is this... Are the principal and key (password) included above intended to describe new credentials (to be created/used by ambari) or existing credentials previously created by calling something like:

kadmin.local -q "addprinc admin/admin"

It boils down to what KERBEROS configuration is required before using Blueprints to install and configure the cluster. In other words, how much of this should be done before creating the cluster via blueprints?

1 ACCEPTED SOLUTION

Super Collaborator
@Tim Veil

Ambari will require a Kerberos admin principal in turn to create principals and keytabs for Hadoop services. This is a prerequisite that needs to be done manually.

An admin KDC credential can be created by manually executing the following command:

kadmin.local -q 'addprinc -pw admin admin/admin'

Other prerequisites include:

1) An existing and working KDC.

2) Installing and configuring the Kerberos client on the Ambari server.

3) Making sure the JCE policies are present on all hosts. This is taken care of by Ambari if the user selects the default option of the Ambari-provisioned JDK while setting up ambari-server. But if the user selects a custom JDK, then the user needs to make sure that the JCE policies are present on all hosts.

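As an added example (not part of the original posts and not Ambari code), here is a small Python check to run on a cluster creation template before submitting it. It follows the accepted answer's point that the `kdc.admin.credential` principal must already exist in the KDC. The 12-character minimum and the blueprint name in the sample are assumptions.

```python
import json
import shlex

# Constructed cluster creation template: the blueprint name is a placeholder,
# the credentials block is the one quoted in the question.
SAMPLE_TEMPLATE = """
{
  "blueprint": "example-blueprint",
  "credentials": [
    {"alias": "kdc.admin.credential", "principal": "admin/admin",
     "key": "admin", "type": "TEMPORARY"}
  ]
}
"""

MIN_KEY_LEN = 12  # assumed local policy, not an Ambari or Kerberos requirement


def lint_kdc_credential(template_text):
    """Return (findings, precheck_cmd) for the kdc.admin.credential entry."""
    doc = json.loads(template_text)
    creds = [c for c in doc.get("credentials", [])
             if c.get("alias") == "kdc.admin.credential"]
    if not creds:
        return ["no credential with alias kdc.admin.credential"], None
    principal = creds[0].get("principal", "")
    key = creds[0].get("key", "")
    findings = []
    if not principal or not key:
        findings.append("principal and key must both be set")
    if str(creds[0].get("type", "")).upper() not in ("TEMPORARY", "PERSISTED"):
        findings.append("type should be TEMPORARY or PERSISTED")
    if key and len(key) < MIN_KEY_LEN:
        findings.append("key is shorter than %d characters" % MIN_KEY_LEN)
    # A password equal to a component of the principal name is trivially guessed.
    if key and key.lower() in principal.split("@")[0].lower().split("/"):
        findings.append("key repeats part of the principal name")
    # The principal must already exist in the KDC; this command, run on the
    # KDC host, confirms that before the template is submitted.
    precheck = ("kadmin.local -q " + shlex.quote("getprinc " + principal)
                if principal else None)
    return findings, precheck


if __name__ == "__main__":
    issues, cmd = lint_kdc_credential(SAMPLE_TEMPLATE)
    print("\n".join("WARN: " + i for i in issues))
    print("verify on the KDC host:", cmd)
```

The snippet from the question trips both password checks, which is worth fixing before the same template is reused outside a throwaway test VM.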

3 REPLIES

Contributor

This was the hint I needed. Here is a link to the Vagrantfile I used to test. It includes both the Kerberos command prerequisites and the Ambari Blueprint with related calls. The key, for me, was ensuring this was run before submitting the blueprint.

# make sure Kerberos packages are installed
yum install krb5-libs krb5-server krb5-workstation -y

# modify Kerberos files
sed -i "s/kerberos.example.com/hdp-common-secure.hdp.local/gI" /etc/krb5.conf
sed -i "s/EXAMPLE.COM/hdp.local/gI" /etc/krb5.conf
sed -i "s/#//g" /etc/krb5.conf
sed -i "s/EXAMPLE.COM/hdp.local/gI" /var/kerberos/krb5kdc/kadm5.acl

# create Kerberos database and add principal.  "Bbh2z8HrVx" is my master password
kdb5_util create -s -P Bbh2z8HrVx
kadmin.local -q 'addprinc -pw admin admin/admin' -w Bbh2z8HrVx

# start and enable Kerberos services
systemctl start krb5kdc
systemctl enable krb5kdc
systemctl start kadmin
systemctl enable kadmin

@Tim Veil you might find this post helpful as a reference, or to integrate into your project:

https://community.hortonworks.com/articles/29203/automated-kerberos-installation-and-configuration.h...