
Enable Kerberos via Ambari Blueprint

Explorer

I'm trying to create an Ambari blueprint that will provision a single node cluster using KERBEROS (see https://issues.apache.org/jira/browse/AMBARI-13431 and Ambari Blueprint Example). My confusion is around the "credentials" block in the cluster creation template. All available documentation includes this snippet:

"credentials" : [
  {
    "alias" : "kdc.admin.credential",
    "principal" : "admin/admin",
    "key" : "admin",
    "type" : "TEMPORARY"
  }
]

My question is this... Are the principal and key (password) included above intended to describe new credentials (to be created/used by Ambari) or existing credentials previously created by calling something like:

kadmin.local -q "addprinc admin/admin"

It boils down to what KERBEROS configuration is required before using Blueprints to install and configure the cluster. In other words, how much of this should be done before creating the cluster via blueprints?

1 ACCEPTED SOLUTION

Re: Enable Kerberos via Ambari Blueprint

Expert Contributor
@Tim Veil

Ambari will require a Kerberos admin principal in turn to create principals and keytabs for Hadoop services. This is a prerequisite that needs to be done manually.

An admin KDC credential can be created by manually executing the following command:

kadmin.local -q 'addprinc -pw admin admin/admin'

Other prerequisites include:

1) An existing and working KDC.

2) Installing and configuring the Kerberos client on the Ambari server.

3) Making sure the JCE policies are present on all hosts. This is taken care of by Ambari if the user selects the default option of an Ambari-provisioned JDK while setting up ambari-server. But if the user selects a custom JDK, then the user needs to make sure that the JCE policies are present on all hosts.


Re: Enable Kerberos via Ambari Blueprint

Explorer

This was the hint I needed. Here is a link to the Vagrantfile I used to test. It includes both the Kerberos command prerequisites and the Ambari Blueprint with related calls. The key, for me, was ensuring this was run before creating and submitting the blueprint.

# make sure Kerberos packages are installed
yum install krb5-libs krb5-server krb5-workstation -y

# modify Kerberos files
sed -i "s/kerberos.example.com/hdp-common-secure.hdp.local/gI" /etc/krb5.conf
sed -i "s/EXAMPLE.COM/hdp.local/gI" /etc/krb5.conf
sed -i "s/#//g" /etc/krb5.conf
sed -i "s/EXAMPLE.COM/hdp.local/gI" /var/kerberos/krb5kdc/kadm5.acl

# create Kerberos database and add principal.  "Bbh2z8HrVx" is my master password
kdb5_util create -s -P Bbh2z8HrVx
kadmin.local -q 'addprinc -pw admin admin/admin' -w Bbh2z8HrVx

# start and enable Kerberos services
systemctl start krb5kdc
systemctl enable krb5kdc
systemctl start kadmin
systemctl enable kadmin
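
A pre-flight check for the point settled in this thread (the principal named in the "credentials" block must already exist in the KDC before the template is submitted), as an added example that is not part of the original posts or of Ambari. The function names, the 12-character minimum and the sample inputs are assumptions made for illustration; the principal list is the text printed by `kadmin.local -q listprincs`.

```python
import json

ALIAS = "kdc.admin.credential"   # alias used in the template quoted in the question
MIN_KEY_LEN = 12                 # assumed local policy, not an Ambari setting


def kdc_principals(listprincs_output):
    """Parse principals from `kadmin.local -q listprincs` text, one per line."""
    return {ln.strip() for ln in listprincs_output.splitlines()
            if "@" in ln and " " not in ln.strip()}


def check_template(template, existing):
    """Return findings for the KDC admin credential in a cluster creation template."""
    creds = [c for c in template.get("credentials", []) if c.get("alias") == ALIAS]
    if not creds:
        return [f"no credential with alias {ALIAS}"]
    cred, findings = creds[0], []
    principal, key = cred.get("principal", ""), cred.get("key", "")
    # Ambari uses this principal but does not create it: it must already exist.
    names = existing | {p.split("@", 1)[0] for p in existing}
    if principal not in names:
        findings.append(f"principal {principal} not found in KDC")
    # A password equal to a component of the principal name, or a short one,
    # is guessable, and this account can create principals and keytabs.
    parts = set(principal.split("@", 1)[0].split("/"))
    if key in parts or len(key) < MIN_KEY_LEN:
        findings.append("key is short or derived from the principal name")
    # The snippet in the question uses TEMPORARY; flag anything else for review.
    if cred.get("type") != "TEMPORARY":
        findings.append("type is not TEMPORARY as in the documented snippet")
    return findings


# Constructed sample inputs: the credentials block from the question and a
# KDC that has not yet had admin/admin added.
SAMPLE_TEMPLATE = json.loads("""
{"credentials": [{"alias": "kdc.admin.credential", "principal": "admin/admin",
                  "key": "admin", "type": "TEMPORARY"}]}
""")
SAMPLE_LISTPRINCS = """Authenticating as principal root/admin@hdp.local with password.
K/M@hdp.local
kadmin/admin@hdp.local
krbtgt/hdp.local@hdp.local
"""

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE, kdc_principals(SAMPLE_LISTPRINCS)):
        print("FINDING:", finding)
```
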

Re: Enable Kerberos via Ambari Blueprint

@Tim Veil you might find this post helpful as a reference, or to integrate into your project:

https://community.hortonworks.com/articles/29203/automated-kerberos-installation-and-configuration.h...
