Created on 12-21-2016 07:29 AM - edited 09-16-2022 03:51 AM
Hi,
I am trying to set up Kerberos using Ambari 2.2.2.0.
In the GUI wizard:
1) Under KDC
What should be the
Realm name, if my hostnames are as mentioned below
and
Domains, if my hostnames are as mentioned below?
2) Under kadmin
What should be the
Admin Principal
Admin Password
----------
Below is the host name convention for my company
Should values like the realm name, domains, admin principal and admin password first be set in the /etc/krb5.conf file?
Also, do I need to create the admin principal user beforehand, so that I can mention it under the kadmin option of Ambari?
Created 12-21-2016 10:21 AM
The answers to your questions are related to how you set up your KDC. Technically the realm name can be anything, but should at least be in all uppercase characters. Typically realm names match or are similar to domain names. For you, you might use CORP.INFINITY.COM or maybe HADOOP.INFINITY.COM if you wanted to be explicit on the usage of the principals in the realm. It could also be totally random, like MY.REALM. In any case, when filling in the forms in the Enable Kerberos Wizard you would add the following to the domains field in order to create a mapping from the domain names in your cluster to the realm name:
corp.infinity.com, .corp.infinity.com
The administrator credentials are relative to the accounts in the KDC. Just like any other account in any other system, the user that installs and manages the KDC will create this and have this information. Typically the administrator accounts will have "/admin" attached to them for various reasons: to easily visually identify this as an administrator account and to easily set the ACLs in the KDC (depending on the KDC you are using). I typically use "admin/admin" as the principal name (with my realm name attached - for example admin/admin@EXAMPLE.COM). But this is all relative and it can also be any account as long as the KDC is set up to use that as an administrator account. For example jjasmin@EXAMPLE.COM.
When I use the acronym "KDC", this includes generic KDCs like the MIT KDC as well as an Active Directory.
Here is a script that can help install an MIT KDC - this one is for CentOS 6, but I have them for other Linux flavors as well - install-kdcsh.txt (rename this to install-kdc.sh). This installs an MIT KDC with the realm EXAMPLE.COM and an administrator account with:
Principal: admin/admin@EXAMPLE.COM
Password: hadoop
If you walk through Ambari's Enable Kerberos Wizard, it will prompt you for information it needs. Once complete it will set up the krb5.conf files, create the necessary principals, and distribute the required keytab files. You just need to set up the KDC and provide the details about that - host where the KDC is installed, type of KDC, realm, and administrator credentials.
Created 12-21-2016 07:44 AM
The following article will explain everything. Hope that will answer most of your queries:
Created 12-21-2016 07:50 AM
Regarding: Should values like the realm name, domains, admin principal and admin password first be set in the /etc/krb5.conf file?
When you install the KDC server, we then edit the file "/etc/krb5.conf" and add the information about the KDC. Example:
```
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms]
  EXAMPLE.COM = {
    kdc = node1.example.com
    admin_server = node1.example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
```
So in your case, in the Ambari UI wizard you will need to specify the same KDC host and the realm name (the domain name is optional but better to define).
Regarding: Also, do I need to create the admin principal user beforehand, so that I can mention it under the kadmin option of Ambari?
Yes, Kerberos principals can be created either on the KDC machine itself or through the network, using an "admin" principal.
```
# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM": admin!
Re-enter password for principal "admin/admin@EXAMPLE.COM": admin!
Principal "admin/admin@EXAMPLE.COM" created.
```
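Added example, not part of the original posts: a Python check that each cluster host resolves, through the [domain_realm] mapping discussed in the answers above, to the realm entered in the wizard. It assumes the MIT krb5 lookup order (full host name, then each parent domain in dotted and undotted form); the KDC host kdc1 and the cluster host names are constructed.

```python
# Constructed sample: realm and domains follow the CORP.INFINITY.COM suggestion above.
KRB5_CONF = """\
[libdefaults]
  default_realm = CORP.INFINITY.COM
[realms]
  CORP.INFINITY.COM = {
    kdc = kdc1.corp.infinity.com
  }
[domain_realm]
  corp.infinity.com = CORP.INFINITY.COM
  .corp.infinity.com = CORP.INFINITY.COM
"""
HOSTS = ["node1.corp.infinity.com", "edge1.dmz.infinity.com"]  # constructed names

def parse_krb5(text):
    """Collect default_realm, top-level [realms] names and [domain_realm] entries."""
    conf = {"default_realm": None, "realms": set(), "domain_realm": {}}
    section, depth = None, 0
    for line in map(str.strip, text.splitlines()):
        key, _, value = (p.strip() for p in line.partition("="))
        if line.startswith("["):
            section, depth = line.strip("[]"), 0
        elif value == "{" or line == "}":
            if section == "realms" and depth == 0 and value == "{":
                conf["realms"].add(key)
            depth += 1 if value == "{" else -1
        elif section == "libdefaults" and key == "default_realm":
            conf["default_realm"] = value
        elif section == "domain_realm" and value and line[0] not in "#;":
            conf["domain_realm"][key.lower()] = value
    return conf

def realm_for_host(conf, fqdn):
    """Assumed lookup order: host name, then each parent as '.domain' and 'domain'."""
    labels = fqdn.lower().rstrip(".").split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    names = [".".join(labels)] + [n for p in parents for n in ("." + p, p)]
    return next((conf["domain_realm"][n] for n in names if n in conf["domain_realm"]), None)

def findings(conf, hosts):
    """Report a realm that is not upper case or undefined, and unmapped hosts."""
    realm = conf["default_realm"] or ""
    out = [] if realm and realm == realm.upper() else [f"realm {realm!r} should be upper case"]
    if realm not in conf["realms"]:
        out.append(f"realm {realm!r} has no [realms] entry")
    mapped = {h: realm_for_host(conf, h) for h in hosts}
    return out + [f"{h} maps to {r}, not {realm}" for h, r in mapped.items() if r != realm]

if __name__ == "__main__":
    print("\n".join(findings(parse_krb5(KRB5_CONF), HOSTS)) or "no findings")
```

A host reported as mapping to None lies outside the domains listed in the wizard's domains field, so its service principals would not be placed in the cluster's realm by this mapping.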
Created 12-21-2016 08:01 AM
The following link has screenshots of the Kerberos setup along with the KDC setup instructions that might be helpful: