When we kerberized the cluster from Ambari, we saw that keytabs are generated automatically for the user. We do not provide any password, but Ambari does. I want to know how Ambari does this.
For example, if I have a user for whom I want to generate a keytab, I will do the following steps:
kadmin.local: addprinc user1@TEST.COM
WARNING:no policy specified for user1@TEST.COM; defaulting to no policy
Enter password for principal "user1@TEST.COM": // Here we are providing the password, but when Ambari does the same for a service user like hdfs, what password does it set and how does it do the same? Is there some script on the server which enables this?
Re-enter password for principal "user1@TEST.COM":
When you are kerberizing the cluster through Ambari, you MUST first provide an admin principal and password, which you created after creating your KDC databases:
# kdb5_util create -s
You are then required to create an admin principal and password:
# kadmin.local -q "addprinc admin/admin"
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
This is the input requested when kerberizing through Ambari; it will ask for
Only after passing the correct values on the Enable Kerberos UI can you proceed to successfully generate the keytabs. So, to answer your question, Ambari picks and decrypts your admin password against the KDC private key and then allows you to generate the keytabs.
See attached screenshot illustration
Thanks for the reply!
But I was interested in knowing what password Ambari uses for services like hdfs, hbase, etc. Providing the admin password allows Ambari to generate keytabs for the service user, but internally it would be using some password at the service level.
The passwords are generated randomly and encrypted using the supported encryption algorithms, like fingerprints, which are checked against the KDC databases for validity when you run kinit.