
mysql kerberos

I have an internal MySQL (Ambari is not aware of it); this MySQL will be used for the Oozie service. When we enable Kerberos, will Ambari create keytab entries for MySQL? If not, how do we create it manually?

Re: mysql kerberos

@Raja Sekhar Chintalapati

"will ambari create keytab entries for mysql?"

As far as I remember, the answer to this is no.

"if not how do we create it manually?"

You haven't given much context on this, but if you really want to create it manually, you can do it using the kadmin command (more details).

Re: mysql kerberos

Ambari does not manage Kerberos identities that it does not know about. However, you can update the Kerberos Descriptor to get it to do so. Otherwise you can use the KDC's management facility to create the account and the keytab file.

Assuming your KDC is the MIT KDC, you can use the kadmin or kadmin.local command line utility to create the account and export the keytab file. See http://web.mit.edu/kerberos/krb5-1.13/doc/admin/admin_commands/kadmin_local.html.

The needed commands are "add_principal" and "xst":

[root@c6401 ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  add_principal -randkey user
WARNING: no policy specified for user@EXAMPLE.COM; defaulting to no policy
Principal "user@EXAMPLE.COM" created.
kadmin.local:  xst -k /etc/security/keytabs/user.keytab user
Entry for principal user with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/user.keytab.
Entry for principal user with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/user.keytab.
Entry for principal user with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/keytabs/user.keytab.
Entry for principal user with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/user.keytab.
Entry for principal user with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/keytabs/user.keytab.
Entry for principal user with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/keytabs/user.keytab.
kadmin.local:  exit

You will then need to distribute this keytab file to the appropriate hosts.

Editing the Kerberos Descriptor isn't hard, but it requires you to get hold of it from the database, edit it, and then put it back. Getting and setting the data can be done via the REST API; editing the data requires a text editor. Docs to help you do this can be found at

However in a nutshell you need to do the following:

Get the current user-defined Kerberos Descriptor

GET /api/v1/clusters/:CLUSTER_NAME/artifacts/kerberos_descriptor

Example, storing retrieved data in kerberos_descriptor.json:

curl -u admin:admin -o kerberos_descriptor.json -X GET http://localhost:8080/api/v1/clusters/c1/artifacts/kerberos_descriptor

Edit the user-defined Kerberos Descriptor

  • Remove the "href" item
  • Remove the "Artifacts" block
  • Leave the "artifact_data" block
  • Add the MySQL identity descriptor somewhere, probably under the Oozie service
{
  "principal": {
    "type": "user",
    "value": "mysql_user@${realm}"
  },
  "name": "oozie_server_mysql",
  "keytab": {
    "file": "${keytab_dir}/oozie.mysql.keytab",
    "owner": {
      "access": "r",
      "name": "${oozie-env/oozie_user}"
    },
    "group": {
      "access": "",
      "name": "${cluster-env/user_group}"
    }
  }
}

Set the updated user-defined Kerberos Descriptor

PUT /api/v1/clusters/:CLUSTER_NAME/artifacts/kerberos_descriptor

Example

curl -H "X-Requested-By:ambari" -u admin:admin -d @kerberos_descriptor.json -X PUT http://localhost:8080/api/v1/clusters/c1/artifacts/kerberos_descriptor

Regenerate (missing) Keytab files
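As an added worked example (not from the answer above and not Ambari's own tooling), here is a small Python script for the edit step between the GET and the PUT: it drops "href" and "Artifacts", keeps "artifact_data", and inserts the MySQL identity under the Oozie service without duplicating it on a re-run. The layout of "artifact_data" (a "services" list whose entries carry "name" and "identities") and the service name "OOZIE" are assumptions, and the sample payload is constructed.

```python
import copy
import json
import sys

# Identity descriptor from the answer above, inserted verbatim.
MYSQL_IDENTITY = {
    "principal": {"type": "user", "value": "mysql_user@${realm}"},
    "name": "oozie_server_mysql",
    "keytab": {
        "file": "${keytab_dir}/oozie.mysql.keytab",
        "owner": {"access": "r", "name": "${oozie-env/oozie_user}"},
        "group": {"access": "", "name": "${cluster-env/user_group}"},
    },
}

# Constructed stand-in for the GET response; a real one is much larger and the
# exact shape of artifact_data is an assumption here.
SAMPLE_ARTIFACT = {
    "href": "http://localhost:8080/api/v1/clusters/c1/artifacts/kerberos_descriptor",
    "Artifacts": {"artifact_name": "kerberos_descriptor", "cluster_name": "c1"},
    "artifact_data": {
        "properties": {"realm": "EXAMPLE.COM", "keytab_dir": "/etc/security/keytabs"},
        "services": [{"name": "OOZIE", "identities": [{"name": "oozie_server"}]}],
    },
}


def prepare_descriptor(artifact, service_name, identity):
    """Return the PUT body: href and Artifacts dropped, artifact_data kept,
    identity added (or replaced by name) under the given service."""
    body = copy.deepcopy(artifact)  # never mutate the caller's copy
    body.pop("href", None)
    body.pop("Artifacts", None)
    services = body.setdefault("artifact_data", {}).setdefault("services", [])
    service = next((s for s in services if s.get("name") == service_name), None)
    if service is None:  # service not yet present in the user-defined descriptor
        service = {"name": service_name}
        services.append(service)
    identities = service.setdefault("identities", [])
    # Re-running the script must not leave two identities with the same name.
    identities[:] = [i for i in identities if i.get("name") != identity["name"]]
    identities.append(identity)
    return body


if __name__ == "__main__":
    # Usage: python edit_descriptor.py kerberos_descriptor.json > updated.json
    with open(sys.argv[1]) as fh:
        print(json.dumps(prepare_descriptor(json.load(fh), "OOZIE", MYSQL_IDENTITY), indent=2))
```

The output file is what the PUT example above sends back with "-d @...", and the "group" access of "" keeps the keytab unreadable to anyone but the Oozie user.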

Re: mysql kerberos

You don't need any princs/keytabs for the Oozie database; the only principal you need for Oozie is oozie/oozie_server_fqdn@REALM, and it will be created by the Kerberos wizard you select to use.
