Member since 09-29-2015 | 362 Posts | 242 Kudos Received | 63 Solutions
12-21-2016 10:21 AM (2 Kudos)
@Jacqualin jasmin The answers to your questions are related to how you set up your KDC. Technically the realm name can be anything, but should at least be in all uppercase characters. Typically realm names match or are similar to domain names. For you, you might use CORP.INFINITY.COM or maybe HADOOP.INFINITY.COM if you wanted to be explicit on the usage of the principals in the realm. It could also be totally random, like MY.REALM. In any case, when filling in the forms in the Enable Kerberos Wizard you would add the following to the domains field in order to create a mapping from the domain names in your cluster to the realm name:

corp.infinity.com, .corp.infinity.com

The administrator credentials are relative to the accounts in the KDC. Just like any other account in any other system, the user that installs and manages the KDC will create this and have this information. Typically the administrator accounts will have a "/admin" attached to it for various reasons: to easily visually identify this as an administrator account and to easily set the ACLs in the KDC (depending on the KDC you are using). I typically use "admin/admin" as the principal name (with my realm name attached, for example admin/admin@EXAMPLE.COM). But this is all relative and it can also be any account as long as the KDC is set up to use that as an administrator account. For example jjasmin@EXAMPLE.COM. When I use the acronym "KDC", this includes generic KDCs like the MIT KDC as well as an Active Directory.

Here is a script that can help install an MIT KDC. This one is for CentOS 6, but I have them for other Linux flavors as well: install-kdcsh.txt (rename this to install-kdc.sh). This installs an MIT KDC with the realm EXAMPLE.COM and an administrator account with:

Principal: admin/admin@EXAMPLE.COM
Password: hadoop

If you walk through Ambari's Enable Kerberos Wizard, it will prompt you for information it needs. Once complete it will set up the krb5.conf files, create the necessary principals, and distribute the required keytab files. You just need to set up the KDC and provide the details about that: host where the KDC is installed, type of KDC, realm, and administrator credentials.
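The domain-to-realm mapping described in the post, written out as the krb5.conf the Enable Kerberos Wizard would generate for a CORP.INFINITY.COM realm. This is an added illustration, not a file from the original post or from Ambari; the KDC host name kdc.corp.infinity.com and the lifetime values are assumptions.

```ini
[libdefaults]
  # Realm name in uppercase, as the post recommends (assumed value)
  default_realm = CORP.INFINITY.COM
  # Disable DNS lookups so only the explicit mapping below is used
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms]
  CORP.INFINITY.COM = {
    # Host running the MIT KDC and kadmin (assumed host name)
    kdc = kdc.corp.infinity.com
    admin_server = kdc.corp.infinity.com
  }

[domain_realm]
  # The two entries produced by "corp.infinity.com, .corp.infinity.com"
  # in the wizard's domains field: the bare domain itself ...
  corp.infinity.com = CORP.INFINITY.COM
  # ... and the leading-dot form, which matches every host under that domain
  .corp.infinity.com = CORP.INFINITY.COM
```

Without the leading-dot entry, a host such as nn1.corp.infinity.com would not be mapped to the realm, so both forms are needed.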
03-03-2017 09:46 AM
Sami Ahmad, I am also facing the same error. I have successfully installed Kerberos, but while running the Kerberos service check it is giving me the same error as mentioned below, and it is not resolved yet.
11-29-2016 02:23 PM
You are correct. It appears that by default Ambari's CA cert is valid for 365 days. See https://github.com/apache/ambari/blob/2ad42074f1633c5c6f56cf979bdaa49440457566/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java#L54

```java
// Command template Ambari uses to sign the server certificate with its CA (CertificateManager.java)
private static final String SIGN_SRVR_CRT = "openssl ca -create_serial " +
    "-out {1}" + File.separator + "{3} -days 365 -keyfile {1}" + File.separator + "{2} -key {0} -selfsign " +
    "-extensions jdk7_ca -config {1}" + File.separator + "ca.config -batch " +
    "-infiles {1}" + File.separator + "{5}";
```

Notice: -days 365
10-16-2016 11:23 PM
I think this file is generated by Ambari. Probably that is why the owner is root.
09-19-2016 03:50 PM
If the cluster is Kerberized, then some, if not all, views will require that Ambari's Kerberos identity is configured. This is so the views can authenticate to the relevant services.
09-15-2016 01:32 PM (1 Kudo)
@Sanjib Behera After enabling Kerberos via Ambari, some of the UIs are configured to require Kerberos authentication where others are not. I am not sure why not all of them are changed, but that is the way it is for now. The Hadoop UIs (HDFS, YARN, etc.), for example, do not have Kerberos enabled by default, though there are directions on how to do it manually. That said, once Kerberos authentication is required by a (web-based) UI, you cannot simply point your web browser at them. There are a few additional steps needed to enable your web browser to send Kerberos tokens. Each browser has a different set of instructions on how to do this. See https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM for some instruction on this. However, in general you need to do the following:

1. Configure your local machine to communicate with the relevant KDC
2. On your local machine, kinit (or similar facility) as some Kerberos identity
3. Open your web browser (you may need to close and re-open your web browser for it to acknowledge the Kerberos ticket cache)
4. Update the settings in your web browser to enable Kerberos authentication (see the link posted above)
5. Browse to the protected URL
09-14-2016 04:45 PM
I put my experience with the same here: http://jonmorisissqlblog.blogspot.com/2016/09/hadoop-amabari-integration-with-active.html
08-12-2016 05:17 AM
@Robert Levas - DEFAULT at the middle worked when I tried this setup. I checked the given article and I agree that modifying dfs.namenode.kerberos.principal.pattern was somehow missed while writing this article. I will add that missing step now. Thank you! 🙂
03-24-2017 03:26 PM
@Eric Hanson I don't have an official opinion on this. It really depends on the available resources. If the cluster is really large, then it may be beneficial to put the KDC on its own VM; but for a small cluster (<15 hosts), that may be a bit overkill and the least utilized host for the KDC may be sufficient. That said, the workload could be spread out by placing one or more slave KDCs around the cluster. There is also the option to separate the kadmin and krb5kdc processes to different hosts, though this is more for security concerns than for performance or resource concerns.

One thing to keep in mind: for Ambari server versions 2.5.0 and below, it appears that the cluster does an abnormal amount of kinits. This is currently being looked into. So far, it is unclear whether this is a bug, expected behavior, or something in between. The effect of this issue on a small cluster is minimal and not noticeable over a short period of time. On a large cluster (say 900 nodes), the Kerberos log files tend to get large quickly. Performance of the KDC on such a cluster, even when the KDC exists on a host with Hadoop services, does not appear to be affected. The main issue is merely log file size. However, if an issue is found and fixed, fewer kinits couldn't hurt. 🙂
07-26-2016 01:59 PM
Another source for master/slave configuration is https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html