What is the lifecycle of users created with Ambari in AD - removal/(re-)creation?

1 ACCEPTED SOLUTION

Creation: Users are created in AD upon initial Kerberization, as well as when adding services or hosts to the cluster. A test principal is created during the wizard to test the Kerberos client configuration and operations, as well as all of the appropriate principals for the services that are deployed in the cluster. During that process, passwords are generated and set in Active Directory. Those passwords are not permanently stored in Ambari and are only used for keytab generation.

Update: Post-wizard completion, the principal regeneration process will regenerate and set those passwords in AD.

Deletion: During removal of services or hosts, or when disabling Kerberos, the appropriate principals are removed from AD.

3 REPLIES

This is prime RunBook material!

I'll work on getting this and the password creation methods into the docs ASAP.