Set Up Kerberos for Ambari Server
When a cluster is enabled for Kerberos, the component REST endpoints (such as the YARN ATS component) require SPNEGO authentication.
Depending on the services in your cluster, Ambari Web needs access to these APIs. Views such as the Tez View also need access to ATS. Therefore, the Ambari Server requires a Kerberos principal in order to authenticate via SPNEGO against these APIs. This section describes how to configure Ambari Server with a Kerberos principal and keytab to allow views to authenticate via SPNEGO against cluster components.
Create a principal in your KDC for the Ambari Server. For example, using kadmin:
addprinc -randkey ambari-server@EXAMPLE.COM
Generate a keytab for that principal.
xst -k ambari.server.keytab ambari-server@EXAMPLE.COM
Place that keytab on the Ambari Server host. Be sure to set the file permissions so the user running the Ambari Server daemon can access the keytab file.
/etc/security/keytabs/ambari.server.keytab
Stop the Ambari Server.
ambari-server stop
Run the setup-security command.
ambari-server setup-security
Select 3 for Setup Ambari kerberos JAAS configuration.
Enter the Kerberos principal name for the Ambari Server you set up earlier.
Enter the path to the keytab for the Ambari principal.
Restart Ambari Server.
ambari-server restart
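The following pre-flight check is an added example, not part of the original procedure or of Ambari itself. It can be run before ambari-server setup-security to confirm that the keytab is readable only by the daemon user and that the KDC accepts the key it contains. A keytab holds the principal's long-term key, so any account that can read the file can authenticate as ambari-server@EXAMPLE.COM. The daemon user name "ambari" in the usage comment is an assumption, and the function names are chosen for this example; GNU stat and the MIT Kerberos client tools are assumed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Ambari Server keytab (GNU stat assumed).

# check_keytab_perms KEYTAB OWNER
# Succeeds only if KEYTAB is a regular file (not a symlink), owned by OWNER,
# with no group or other permission bits set.
check_keytab_perms() {
    keytab=$1; owner=$2
    if [ -L "$keytab" ] || [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab is missing or not a regular file"; return 1
    fi
    actual_owner=$(stat -c '%U' "$keytab")
    mode=$(stat -c '%a' "$keytab")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $keytab is owned by $actual_owner, expected $owner"; return 1
    fi
    case $mode in
        400|600) echo "OK: $keytab is $owner:$mode" ;;
        *) echo "FAIL: $keytab has mode $mode, expected 400 or 600"; return 1 ;;
    esac
}

# verify_keytab_login KEYTAB PRINCIPAL
# Confirms the keytab holds a key for PRINCIPAL and that the KDC accepts it,
# using a throwaway credential cache so no existing tickets are touched.
# Needs the MIT Kerberos client tools and a reachable KDC.
verify_keytab_login() {
    keytab=$1; principal=$2
    klist -k -t "$keytab" | grep -F -q "$principal" || {
        echo "FAIL: no entry for $principal in $keytab"; return 1; }
    ccdir=$(mktemp -d) || return 1
    if kinit -c "FILE:$ccdir/cc" -k -t "$keytab" "$principal"; then
        kdestroy -c "FILE:$ccdir/cc"; rc=0
        echo "OK: obtained a ticket for $principal"
    else
        rc=1; echo "FAIL: kinit with $keytab failed for $principal"
    fi
    rm -rf "$ccdir"
    return $rc
}

# Usage on the Ambari Server host, as the daemon user ("ambari" is an assumption):
#   check_keytab_perms /etc/security/keytabs/ambari.server.keytab ambari &&
#   verify_keytab_login /etc/security/keytabs/ambari.server.keytab ambari-server@EXAMPLE.COM
```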