Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Is there any way to skip "create principal" and "create keytab" step in enable kerberos wizard while kerberizing the cluster?

Labels:
avatar
author-rank ajitpsonawane
Explorer

Created ‎07-17-2017 10:45 AM

Hi All,

We are trying to kerberize cluster using Centirfy with pre created AD Accounts and Keytabs . So far we are able kerberize with following approach.

  • Generate computer account in AD and centrify using APIs. [We can access AD or Centrify only through APIs].
  • Do “adjoin” after creating computer accounts in AD and CENTRIFY.
  • Create principals and keytabs for user and services in AD/Centrify
  • Place user and service keytabs on respective hosts in /etc/security/keytabs
  • From Ambari UI, Enable Security -> Existing Active Directory

But in reaches to point till creation of principal and gets failed. So, Is there any procedure which can skip procedure of "create principal" and "create keytabs", as it is already created and placed at respective hosts.

1,824 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎07-17-2017 03:13 PM

@Ajit Sonawane

There are a few articles on HCC related to enabling Kerberos using Ambari when Centrify is involved. For example:

However if you wish to have Ambari skip creating keytab files and principals, you can use the Enable Kerberos Wizard and choose the "manual" option. This will allow Ambari to configure the services while allowing you to manually manage the underlying Kerberos infrastructure and identities (principals and keytab files).

View solution in original post

1,459 Views
0 Kudos
4 REPLIES 4

avatar
author-rank rlevas
Guru

Created ‎07-17-2017 03:13 PM

@Ajit Sonawane

There are a few articles on HCC related to enabling Kerberos using Ambari when Centrify is involved. For example:

However if you wish to have Ambari skip creating keytab files and principals, you can use the Enable Kerberos Wizard and choose the "manual" option. This will allow Ambari to configure the services while allowing you to manually manage the underlying Kerberos infrastructure and identities (principals and keytab files).

1,460 Views
0 Kudos

avatar
author-rank ajitpsonawane
Explorer

Created ‎07-23-2017 05:48 PM

Thanks Robert for your quick reply.

Is there any REST API or Ambari Blueprint option which supports "Manual " way of kerberization.

1,459 Views
0 Kudos

avatar
author-rank rlevas
Guru

Created ‎07-24-2017 09:16 AM

You can specify that you do not want Ambari to manage the underlying Kerberos infrastructure (MIT Kerberos library, kb5.conf, principals, and keytab files) using the API or Blueprints by setting the following configurations:

kerberos-env/kdc_type = "none"
kerberos-env/manage_identities = false
kerberos-env/install_packages = false
krb5-conf/manage_krb5_conf = false

Technically, you can pick and choose which features you want Ambari to, or not to handle; but the above setting are what the UI sets when you choose the "manual" option.

See https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/enabling_kerberos.m... for more information on using the API to enable Kerberos.

1,459 Views

avatar
author-rank ajitpsonawane
Explorer

Created ‎09-19-2017 07:45 AM

Thanks @Robert Levas, problem solved with your solution.

1,459 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements