The Kerberos Wizard prompts for information related to the KDC, the KDC Admin Account and the Service and Ambari principals. Once provided, Ambari will automatically create principals, generate keytabs and distribute keytabs to the hosts in the cluster. The services will be configured for Kerberos and the service components are restarted to authenticate against the KDC.
Important | |
---|---|
Since Ambari will automatically create principals in the KDC and generate keytabs, you must have Kerberos Admin Account credentials available when running the wizard. |
High-Level View of Principal Creation, Keytab Generation, and Distribution Flow
Launching the Kerberos Wizard
Be sure you've Installed and Configured your KDC and have prepared the JCE on each host in the cluster.
Log in to Ambari Web and Browse to
Admin > Kerberos
.Click “Enable Kerberos” to launch the wizard.
Select the type of KDC you are using and confirm you have met the prerequisites.
Provide information about the KDC and admin account.
Proceed with the install. (Optional) To manage your Kerberos client krb5.conf manually (and not have Ambari manage the krb5.conf), expand the Advanced krb5-conf section and uncheck the "Manage" option. (Optional) If you need to customize the attributes for the principals Ambari will create, see the Customizing the Attribute Template for more information.
Ambari will install Kerberos clients on the hosts and test access to the KDC by testing that Ambari can create a principal, generate a keytab and distribute that keytab.
Customize the Kerberos identities used by Hadoop and proceed to kerberize the cluster.
Note Pay particular attention to the Ambari principal names. For example, if you want the Ambari Smoke User Principal name to be unique and include the cluster name , you can append
${cluster_name}
to the identity setting.${cluster-env/smokeuser}-${cluster_name}@{realm}
After principals have been created and keytabs have been generated and distributed, Ambari updates the cluster configurations, then starts and tests the Services in the cluster.
Note | |
---|---|
If you cluster includes Storm, after enabling Kerberos, you must also Set Up Ambari for Kerberos for storm Service Summary information to be displayed in Ambari Web. Otherwise, you will see n/a for Storm information such as Slots, Tasks, Executors and Topologies. |