How to review Kerberos settings In Ambari

Expert Contributor

Once a cluster is Kerberized through the Ambari Kerberos Wizard, how can I review or potentially make changes to the settings, such as KDC server, LDAP URL, admin principal, etc., at a later time? It appears the only option is to disable Kerberos and go through the Kerberos Wizard again.

1 ACCEPTED SOLUTION

@dsun

Most, if not all, of the MIT KDC related properties are editable and viewable in the Kerberos Service configuration page. However, some of the Active Directory related properties are not. I keep meaning to file a bug report for this. I think the most obvious deficiency is the lack of the ability to change the Kerberos-specific LDAP details for the configured Active Directory.

In any case, these properties can be updated via the command line using Ambari's configs.py script. This can be found at /var/lib/ambari-server/resources/scripts/configs.py.

# /var/lib/ambari-server/resources/scripts/configs.py --help
Usage: configs.py [options]

Options:
  -h, --help            show this help message and exit
  -t PORT, --port=PORT  Optional port number for Ambari server. Default is
                        '8080'. Provide empty string to not use port.
  -s PROTOCOL, --protocol=PROTOCOL
                        Optional support of SSL. Default protocol is 'http'
  -a ACTION, --action=ACTION
                        Script action: <get>, <set>, <delete>
  -l HOST, --host=HOST  Server external host name
  -n CLUSTER, --cluster=CLUSTER
                        Name given to cluster. Ex: 'c1'
  -c CONFIG_TYPE, --config-type=CONFIG_TYPE
                        One of the various configuration types in Ambari. Ex:
                        core-site, hdfs-site, mapred-queue-acls, etc.


  To specify credentials please use "-e" OR "-u" and "-p'":
    -u USER, --user=USER
                        Optional user ID to use for authentication. Default is
                        'admin'
    -p PASSWORD, --password=PASSWORD
                        Optional password to use for authentication. Default
                        is 'admin'
    -e CREDENTIALS_FILE, --credentials-file=CREDENTIALS_FILE
                        Optional file with user credentials separated by new
                        line.


  To specify property(s) please use "-f" OR "-k" and "-v'":
    -f FILE, --file=FILE
                        File where entire configurations are saved to, or read
                        from. Supported extensions (.xml, .json>)
    -k KEY, --key=KEY   Key that has to be set or deleted. Not necessary for
                        'get' action.
    -v VALUE, --value=VALUE
                        Optional value to be set. Not necessary for 'get' or
                        'delete' actions.

For example, if you wanted to view the current set of properties in the kerberos-env configuration (where most of the KDC configuration values exist) in a cluster named c1 in an Ambari server running on localhost, you would issue the following command:

/var/lib/ambari-server/resources/scripts/configs.py --host=localhost --port=8080 --user=admin --password=admin --cluster=c1 --action=get --config-type=kerberos-env

If you wanted to update or set a property, like the LDAP URL, you would issue a command like

# /var/lib/ambari-server/resources/scripts/configs.py --host=localhost --port=8080 --user=admin --password=admin --cluster=c1 --action=set --config-type=kerberos-env --key=ldap_url --value="ldaps://newhost.example.com:636"
2017-03-02 21:08:39,407 INFO ### Performing "set":
2017-03-02 21:08:39,407 INFO ### new property - "ldap_url":"ldaps://newhost.example.com:636"
2017-03-02 21:08:39,435 INFO ### on (Site:kerberos-env, Tag:version1488487426247)
2017-03-02 21:08:39,451 INFO ### PUTting json into: doSet_version1488488919451669.json
2017-03-02 21:08:39,510 INFO ### NEW Site:kerberos-env, Tag:version1488488919451669

As for setting the administrator credentials, if you created the credential store and chose to save the administrator credentials, you can go to the Kerberos Administrator page (Admin menu -> Kerberos) and click on the "Manage Credentials" button (I think that is the label on the button). Else, the temporary administrator credential will time out after about 90 minutes or if Ambari is restarted. You will then be prompted to set it when performing a Kerberos-related operation.

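Added example (not part of the original answer, and not Ambari's own code): the commands in the answer put the admin password on the command line and use plain http. The --help output above also lists --credentials-file and --protocol, so the same get can be run as below. The function names, the DRY_RUN and AMBARI_PORT variables, and HTTPS being enabled on port 8443 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The script path and flags are the ones
# shown in the answer's --help output; HTTPS on port 8443 is an assumption.
CONFIGS_PY=${CONFIGS_PY:-/var/lib/ambari-server/resources/scripts/configs.py}

# write_creds_file FILE USER PASSWORD
# Writes the two-line file that --credentials-file reads (user, then password).
# The file is truncated and set to owner-only before the secret is written.
write_creds_file() {
    ( umask 077 && : > "$1" && chmod 600 "$1" &&
        printf '%s\n%s\n' "$2" "$3" > "$1" )
}

# creds_file_ok FILE
# True only for a regular file (symlinks rejected) with mode 0600 and 2 lines.
creds_file_ok() {
    [ -n "$(find "$1" -prune -type f -perm 600 2>/dev/null)" ] &&
        [ "$(wc -l < "$1" | tr -d ' ')" -eq 2 ]
}

# get_kerberos_env HOST CLUSTER CREDS_FILE OUT_JSON
# Saves the current kerberos-env properties to OUT_JSON for review.
# Set DRY_RUN=echo to print the command instead of running it; the printed
# line carries no secret, so it can go into a change log.
get_kerberos_env() {
    creds_file_ok "$3" || {
        echo "refusing to use $3: need a regular file with mode 0600" >&2
        return 1
    }
    ${DRY_RUN:-} "$CONFIGS_PY" --protocol=https --port="${AMBARI_PORT:-8443}" \
        --host="$1" --cluster="$2" --credentials-file="$3" \
        --action=get --config-type=kerberos-env --file="$4"
}

# Interactive use: prompt for the password without echoing it.
#   printf 'Ambari password: '; stty -echo; read -r pw; stty echo; echo
#   write_creds_file "$HOME/.ambari-creds" admin "$pw"; unset pw
#   get_kerberos_env localhost c1 "$HOME/.ambari-creds" "$HOME/kerberos-env.json"
```

Saving a snapshot this way before and after a set gives two JSON files that can be compared to confirm exactly which kerberos-env property changed.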

5 REPLIES

Expert Contributor

Thanks, Robert, for the information. configs.py helped. I agree it would be nice if we could edit KDC, DN, LDAP URL, etc. in Ambari.

I am glad the configs.py worked for you. I had issues getting it to work properly in Ambari 2.4.2.

Note: the configs.py example is for the new (currently unreleased) Ambari 2.5.0. For older versions of Ambari, use the configs.sh script at /var/lib/ambari-server/resources/scripts/configs.sh. For example:

/var/lib/ambari-server/resources/scripts/configs.sh -u admin -p admin -port 8080 get localhost c1 kerberos-env

To set a configuration property, issue a command like

/var/lib/ambari-server/resources/scripts/configs.sh -u admin -p admin -port 8080 set localhost c1 kerberos-env ldap_url "ldaps://newhost.example.com:636"

Sorry for any confusion I may have caused.

Explorer

There are properties that are set under both the service-level configurations and the Admin -> Kerberos configurations, such as yarn.admin.acl.

What if the two properties point to different values? Which property does the service pick when required?