Remove kerberos credentials via an API for deleted cluster hosts

Explorer

Cloudera Enterprise 5.8.3

Following a cluster deletion, old Kerberos credentials remain for service principals on non-existent hosts. I am looking for an automated way to clear down these credentials, as they cause problems on new cluster builds when the IP addresses are re-used. I know that I can clear them in Cloudera Manager->Administration->Security->Kerberos Credentials by selecting and regenerating (at which time they disappear), but I'm searching for either an Ansible or Python automation for the same.

4 REPLIES

Re: Remove kerberos credentials via an API for deleted cluster hosts

Champion

@JohnButcher

 

You have to log in to the Linux box where you have installed the Kerberos server (krb5-server) and run the following commands:

## To log in to kerberos
$ kadmin.local

## For help
kadmin.local: ?

## To list all the available principals
kadmin.local: list_principals

## To delete a particular principal
kadmin.local: delete_principal <principal name>

kadmin.local: quit

Just follow the above steps. Mostly this is one-time work, so I would recommend that you not spend time on automation.

Re: Remove kerberos credentials via an API for deleted cluster hosts

Champion
What is listed in Cloudera Manager->Administration->Security->Kerberos Credentials is what was created or found on the KDC you set up for CM. I don't know if the information is also stored in the CM database as well. If you didn't delete the principal manually from the KDC when you removed the old hosts, then what probably just happened was that CM deleted it from the KDC for you (if it has the access to do so). Otherwise, the principal was gone already and there was just a reference in the CM DB.

You could script something up to clear out the principals from the KDC. You may still need to regenerate from CM to get them removed there, unless you want to mess with the CM DB, which I do not recommend.

Re: Remove kerberos credentials via an API for deleted cluster hosts

Explorer

Thanks for both responses.

 

The KDC is Windows AD. I have scripts to clear down the principals for the cluster nodes and services for when I remove the clusters. However, I still see the principals listed in CM, so it must be in its database. If I don't clear these down in the CM GUI then I get errors if a new cluster re-uses some of the IP addresses. The quickest way for me to clear these is to stop all clusters and MGMT services on the CM and regenerate the lot; then it deletes all the principals for non-existent nodes. I'm looking for a scripted way of selectively clearing down a lot of principals listed in CM for non-existent nodes, so that I don't have to stop everything else prior to creating a new cluster. It's also desirable as a scripted solution so I can do automated lights-out cluster builds overnight.

Re: Remove kerberos credentials via an API for deleted cluster hosts

Explorer

I have found a table in the SCM DB called "CREDENTIALS" which has a column called "PRINCIPAL". The list corresponds exactly with what I see on the CM web page. Have tested deleting rows from this table and they do indeed disappear from the web page. This may be all I need to selectively delete credentials for nodes that are already terminated for which the principals have also already been removed.
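Both clean-up paths in this thread, deleting principals with kadmin.local on an MIT KDC (first reply) and deleting rows from the SCM CREDENTIALS table (last reply), need the same piece of logic: deciding which principals belong to hosts that no longer exist. The script below is an added example written for this thread, not code from Cloudera or from any of the posters. It takes a principal list (the shape of kadmin.local's list_principals output, or of SELECT PRINCIPAL FROM CREDENTIALS) and a list of hosts that are still in a cluster, keeps only service principals whose host is gone, and prints, as a dry run, the matching kadmin.local deletes and SQL deletes. The realm EXAMPLE.COM, the host names, and the CREDENTIALS/PRINCIPAL table and column names are assumptions (the last two as reported in the previous reply); the sample principal list is constructed.

```shell
#!/bin/sh
# Added example for this thread, not code from Cloudera or any poster.
# Given a principal list and the hosts that still exist, compute the stale
# service principals and emit (dry run) the kadmin.local deletes for an MIT
# KDC and the matching DELETEs for the SCM CREDENTIALS table.
# Assumptions: realm EXAMPLE.COM, the host names below, and that the SCM
# table/column are named CREDENTIALS / PRINCIPAL as reported in the thread.

REALM="EXAMPLE.COM"

# Constructed sample principal list (shape of list_principals output).
SAMPLE_PRINCIPALS='hdfs/node01.example.com@EXAMPLE.COM
hdfs/node02.example.com@EXAMPLE.COM
yarn/node02.example.com@EXAMPLE.COM
HTTP/node03.example.com@EXAMPLE.COM
hue/node01.example.com@EXAMPLE.COM
cloudera-scm/admin@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed list of hosts still in a cluster (in practice: your inventory
# or the CM API hosts list).
LIVE_HOSTS='node01.example.com
node03.example.com'

# stale_principals PRINCIPALS LIVE_HOSTS
# Prints service principals "service/host@REALM" whose host is not live.
# Principals without an FQDN instance (users, cloudera-scm/admin), foreign
# realms and krbtgt are never reported, so they cannot be deleted by mistake.
stale_principals() {
    live=$(printf '%s' "$2" | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v live="$live" -v realm="$REALM" '
        BEGIN { n = split(live, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        /^krbtgt\// { next }                          # ticket-granting principal
        {
            if (split($0, p, "/") != 2) next          # no instance: user principal
            split(p[2], q, "@")                       # host@REALM
            host = q[1]
            if (q[2] != realm) next                   # cross-realm principal
            if (host !~ /\./) next                    # instance is not an FQDN
            if (!(host in keep)) print $0
        }'
}

# kadmin_delete_commands PRINCIPALS LIVE_HOSTS
# One kadmin.local invocation per stale principal (MIT KDC only). Printed,
# not executed: review the list, then pipe it to sh on the KDC host.
kadmin_delete_commands() {
    stale_principals "$1" "$2" | while IFS= read -r princ; do
        printf 'kadmin.local -q "delete_principal -force %s"\n' "$princ"
    done
}

# credentials_delete_sql PRINCIPALS LIVE_HOSTS
# Matching DELETEs for the SCM CREDENTIALS table. Exact match per principal
# (no LIKE, so a host name that is a prefix of another cannot over-match);
# single quotes are doubled so the literal stays valid SQL.
credentials_delete_sql() {
    stale_principals "$1" "$2" | while IFS= read -r princ; do
        esc=$(printf '%s' "$princ" | sed "s/'/''/g")
        printf "DELETE FROM CREDENTIALS WHERE PRINCIPAL = '%s';\n" "$esc"
    done
}

echo "# stale principals:"
stale_principals "$SAMPLE_PRINCIPALS" "$LIVE_HOSTS"
echo "# MIT KDC clean-up (dry run):"
kadmin_delete_commands "$SAMPLE_PRINCIPALS" "$LIVE_HOSTS"
echo "# SCM database clean-up (dry run):"
credentials_delete_sql "$SAMPLE_PRINCIPALS" "$LIVE_HOSTS"
```

The kadmin.local part only applies to an MIT KDC; with a Windows AD KDC, as the asker has, the principals are removed in AD and only the SQL half is relevant. Treat the SQL as what it is, a direct edit of Cloudera Manager's own database: take a backup of the scm database and stop the Cloudera Manager Server before running it, keep the dry-run output as a record of what was removed, and confirm the rows are gone from the Kerberos Credentials page before building the new cluster.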