Cloudera Enterprise 5.8.3
Following a cluster deletion, old Kerberos credentials remain for service principals on non-existent hosts. I am looking for an automated way to clear down these credentials as they cause problems on new cluster builds when the IP addresses are re-used. I know that I can clear them in Cloudera Manager->Administration->Security->Kerberos Credentials by selecting and regenerating (at which time they disappear) but I'm searching for either an Ansible or Python automation for the same.
You have to log in to your Linux box where you have installed the Kerberos server (krb5-server) and run the following commands:
## To log in to Kerberos
## For help
## To list all the available principals
## To Delete a particular principal
:delete_principal <principal name>
Just follow the above steps. Mostly this is one-time work, so I would recommend you not spend time on automation.
Thanks for both responses.
The KDC is Windows AD. I have scripts to clear down the principals for the cluster nodes and services for when I remove the clusters. However I still see the principals listed in CM so it must be in its database. If I don't clear these down in the CM GUI then I get errors if a new cluster re-uses some of the IP addresses. The quickest way for me to clear these is to stop all clusters and MGMT services on the CM and regenerate the lot - then it deletes all the principals for non-existent nodes. I'm looking for a scripted way of selectively clearing down a lot of principals listed in CM for non-existent nodes - so that I don't have to stop everything else prior to creating a new cluster. It's also desirable as a scripted solution so I can do automated lights-out cluster builds overnight.
I have found a table in the SCM DB called "CREDENTIALS" which has a column called "PRINCIPAL". The list corresponds exactly with what I see on the CM web page. Have tested deleting rows from this table and they do indeed disappear from the web page. This may be all I need to selectively delete credentials for nodes that are already terminated for which the principals have also already been removed.
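Added example, not part of the thread and not Cloudera code: a Python sketch of the selective cleanup described in the last post, which removes only rows in "CREDENTIALS" whose "PRINCIPAL" names a host absent from a list of live hosts. Assumptions: an in-memory sqlite3 database with a one-column table stands in for the real SCM DB (use your database's own driver and placeholder style), principals follow the `service/host@REALM` form, and the host names and realm are constructed sample values.

```python
import sqlite3

def principal_host(principal):
    """Return the lower-cased host part of service/host@REALM, or None
    for principals with no host instance (e.g. user@REALM)."""
    name = principal.rsplit("@", 1)[0]
    if "/" not in name:
        return None
    return name.split("/", 1)[1].lower()

def stale_principals(conn, live_hosts):
    """Principals in CREDENTIALS whose host is not in live_hosts."""
    live = {h.lower() for h in live_hosts}
    rows = conn.execute("SELECT PRINCIPAL FROM CREDENTIALS").fetchall()
    return sorted(p for (p,) in rows
                  if principal_host(p) is not None
                  and principal_host(p) not in live)

def delete_stale(conn, live_hosts, dry_run=True):
    """Delete stale rows in one transaction; return the principals affected.
    With dry_run=True nothing is changed, so the list can be reviewed first."""
    stale = stale_principals(conn, live_hosts)
    if not dry_run and stale:
        with conn:  # commits on success, rolls back on any error
            conn.executemany("DELETE FROM CREDENTIALS WHERE PRINCIPAL = ?",
                             [(p,) for p in stale])
    return stale

def demo_db():
    """Constructed sample data; the real SCM table has more columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CREDENTIALS (PRINCIPAL TEXT)")
    conn.executemany("INSERT INTO CREDENTIALS VALUES (?)", [
        ("hdfs/node1.example.com@EXAMPLE.COM",),
        ("yarn/node1.example.com@EXAMPLE.COM",),
        ("hdfs/old9.example.com@EXAMPLE.COM",),
        ("HTTP/old9.example.com@EXAMPLE.COM",),
        ("cmadmin@EXAMPLE.COM",),  # no host part: never treated as stale
    ])
    return conn

if __name__ == "__main__":
    conn = demo_db()
    print(delete_stale(conn, ["node1.example.com"], dry_run=False))
```

Principals without a host component are skipped on purpose, so a shared admin or user principal is never removed by a host-based sweep.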