When a cluster is enabled for Kerberos, the component REST endpoints (such as the YARN ATS component) require SPNEGO authentication.
Depending on the Services in your cluster, Ambari Web needs access to these APIs. As well, views such as the Jobs View and the Tez View need access to ATS. Therefore, the Ambari Server requires a Kerberos principal in order to authenticate via SPNEGO against these APIs. This section describes how to configure Ambari Server with a Kerberos principal and keytab to allow views to authenticate via SPNEGO against cluster components.
Create a principal in your KDC for the Ambari Server. For example, using kadmin:
addprinc -randkey ambari-server@EXAMPLE.COM
Generate a keytab for that principal.
xst -k ambari.server.keytab ambari-server@EXAMPLE.COM
Place that keytab on the Ambari Server host.
/etc/security/keytabs/ambari.server.keytab
Stop the ambari server.
ambari-server stop
Run the setup-security command.
ambari-server setup-security
Select
3
for Setup Ambari kerberos JAAS configuration.Enter the Kerberos principal name for the Ambari Server you set up earlier.
Enter the path to the keytab for the Ambari principal.
Restart Ambari Server.
ambari-server restart