Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Is there any way to skip "create principal" and "create keytab" step in enable kerberos wizard while kerberizing the cluster?

Labels:
avatar
author-rank ajitpsonawane
Explorer

Created ‎07-17-2017 10:45 AM

Hi All,

We are trying to kerberize cluster using Centirfy with pre created AD Accounts and Keytabs . So far we are able kerberize with following approach.

  • Generate computer account in AD and centrify using APIs. [We can access AD or Centrify only through APIs].
  • Do “adjoin” after creating computer accounts in AD and CENTRIFY.
  • Create principals and keytabs for user and services in AD/Centrify
  • Place user and service keytabs on respective hosts in /etc/security/keytabs
  • From Ambari UI, Enable Security -> Existing Active Directory

But in reaches to point till creation of principal and gets failed. So, Is there any procedure which can skip procedure of "create principal" and "create keytabs", as it is already created and placed at respective hosts.

2,329 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎07-17-2017 03:13 PM

@Ajit Sonawane

There are a few articles on HCC related to enabling Kerberos using Ambari when Centrify is involved. For example:

However if you wish to have Ambari skip creating keytab files and principals, you can use the Enable Kerberos Wizard and choose the "manual" option. This will allow Ambari to configure the services while allowing you to manually manage the underlying Kerberos infrastructure and identities (principals and keytab files).

View solution in original post

1,964 Views
0 Kudos
4 REPLIES 4

avatar
author-rank rlevas
Guru

Created ‎07-17-2017 03:13 PM

@Ajit Sonawane

There are a few articles on HCC related to enabling Kerberos using Ambari when Centrify is involved. For example:

However if you wish to have Ambari skip creating keytab files and principals, you can use the Enable Kerberos Wizard and choose the "manual" option. This will allow Ambari to configure the services while allowing you to manually manage the underlying Kerberos infrastructure and identities (principals and keytab files).

1,965 Views
0 Kudos

avatar
author-rank ajitpsonawane
Explorer

Created ‎07-23-2017 05:48 PM

Thanks Robert for your quick reply.

Is there any REST API or Ambari Blueprint option which supports "Manual " way of kerberization.

1,964 Views
0 Kudos

avatar
author-rank rlevas
Guru

Created ‎07-24-2017 09:16 AM

You can specify that you do not want Ambari to manage the underlying Kerberos infrastructure (MIT Kerberos library, kb5.conf, principals, and keytab files) using the API or Blueprints by setting the following configurations:

kerberos-env/kdc_type = "none"
kerberos-env/manage_identities = false
kerberos-env/install_packages = false
krb5-conf/manage_krb5_conf = false

Technically, you can pick and choose which features you want Ambari to, or not to handle; but the above setting are what the UI sets when you choose the "manual" option.

See https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/enabling_kerberos.m... for more information on using the API to enable Kerberos.

1,964 Views

avatar
author-rank ajitpsonawane
Explorer

Created ‎09-19-2017 07:45 AM

Thanks @Robert Levas, problem solved with your solution.

1,964 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements