Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

how does ambari set password while creating keytab for the service user like hdfs , hbase , hive ..etc

avatar

when we kerberized cluster from ambari we see keytabs are generated automatically for the user , we do not provide any password but ambari does , I want to know how does ambari does this .

for e.g if I have user for whom i want to generate keytab I will do the following steps :

kadmin.local: addprinc user1@TEST.COM

WARNING:no policy specified for user1@TEST.COM; defaulting to no policy

Enter password for principal "user1@TEST.COM": // here we are providing the password but when ambari does the same for the service user like hdfs what password does it set and how it does the same ? is there some script in the server which enables the same.

Re-enter password for principal "user1@TEST.COM":

Principal"user1@TEST.COM" created.

1 ACCEPTED SOLUTION

avatar
Master Mentor

@Anurag Mishra

If the response answered your question can you take time an login and "Accept" the answer and close the thread so other members can use it as a solution

View solution in original post

5 REPLIES 5

avatar
Master Mentor

@Anurag Mishra

When you are kerberizing the cluster through Ambari you MUST first provide an admin principal and password which you created after creating your KDC databases

# kdb5_util create -s

You are then required to create an admin principal and password

# kadmin.local -q "addprinc admin/admin"

The warning

You will be prompted for the database Master Password.

It is important that you NOT FORGET this password.

Enter KDC database master key:

Re-enter KDC database master key to verify:

This the input requested when kerberizing through Ambari it will ask for

root/admin@{REALM} /password 

Only after passing the correct values on the Enable Kerberos UI that you can proceed to generate successfully the keytabs. So to answer your question the Ambari picks your decrypts your admin password against the KDC private key and the allows you to generate the keytabs.

Hortonworks Kerberos document

See attached screenshot illustration

HTH


kdc.jpg

avatar

Geoffrey Shelton Okot

Thanks for the reply !!!

but i was interested in knowing what password ambari use for the service like hdfs , hbase etc . Providing the admin password allows amabri to generate keytabs for the service user but internally it would be using some password at service level .

avatar

AFAIK, A random password is set for all the principals (hdfs , hbase , hive ..etc) .

avatar
Master Mentor

@Anurag Mishra

The passwords generated randomly and encrypted using the supported encryption algorithms like fingerprints which are checked against the KDC databases for validity when you run the kinit.

HTH

avatar
Master Mentor

@Anurag Mishra

If the response answered your question can you take time an login and "Accept" the answer and close the thread so other members can use it as a solution