4. Enabling Kerberos Security
Whether you choose automated or manual Kerberos setup, Ambari provides a wizard to help with enabling Kerberos in the cluster. This section provides information on preparing Ambari before running the wizard, and the steps to run the wizard.
Important: Prerequisites for enabling Kerberos are having the JCE installed on all hosts in the cluster (including the Ambari Server) and having the Ambari Server host as part of the cluster. This means the Ambari Server host should be running an Ambari Agent.
You should also create mappings between principals and UNIX user names. Creating mappings can help resolve access issues related to case mismatches between principal and local user names.
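The following added example (not Ambari or Hadoop code) shows how a case mismatch arises and how a mapping rule resolves it. It is a simplified Python evaluator for rules in the style of Hadoop's `hadoop.security.auth_to_local` property, run with and without the `/L` lowercase flag. The realm, principals and local accounts are constructed for illustration.

```python
import re

# Simplified evaluator for Hadoop-style auth_to_local rules (added example).
# Handles RULE:[n:format](filter)s/pattern/replacement/[g][/L] and DEFAULT.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"      # component count and format string
    r"(?:\(([^)]*)\))?"             # optional acceptance filter (regex)
    r"(?:s/([^/]*)/([^/]*)/(g)?)?"  # optional sed-style substitution
    r"(/L)?$"                       # optional flag: lowercase the result
)

def apply_rule(rule, principal, default_realm):
    """Return the short name this rule yields, or None if it does not apply."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if rule == "DEFAULT":
        return components[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    count, fmt, flt, pat, repl, glob, lower = m.groups()
    if int(count) != len(components):
        return None
    params = [realm] + components           # $0 is the realm, $1.. the components
    base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
    if flt is not None and not re.fullmatch(flt, base):
        return None
    if pat is not None:
        base = re.sub(pat, repl, base, count=0 if glob else 1)
    return base.lower() if lower else base

def map_principal(rules, principal, default_realm):
    """First matching rule wins, as in an ordered auth_to_local list."""
    for rule in rules:
        short = apply_rule(rule, principal, default_realm)
        if short is not None:
            return short
    return None

# Constructed sample data: realm, principals and local accounts are made up.
REALM = "EXAMPLE.COM"
LOCAL_USERS = {"jsmith", "hdfs"}
RULES_AS_IS = ["RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//", "DEFAULT"]
RULES_LOWER = ["RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*///L", "DEFAULT"]

if __name__ == "__main__":
    for rules in (RULES_AS_IS, RULES_LOWER):
        short = map_principal(rules, "JSmith@EXAMPLE.COM", REALM)
        print(rules[0], "->", short, "(local account exists:", short in LOCAL_USERS, ")")
```

Without `/L`, the mixed-case principal maps to a short name that has no matching UNIX account; with `/L`, it maps to the existing lowercase account.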
If you are running HDP 2.5, do not have any Technical Preview services or features enabled or running prior to enabling Kerberos. You must disable the Technical Preview feature or remove the Technical Preview service. For example, disable Hive LLAP and stop the Hive Server Interactive component. Refer to the Ambari 2.4.0.1 Release Notes for information on Technical Preview services and features.
Note: Ambari Metrics will not be secured with Kerberos unless it is configured for distributed metrics storage. By default, it uses embedded metrics storage and will not be secured as part of the Kerberos Wizard. If you wish to have Ambari Metrics secured with Kerberos, please see this topic to enable distributed metrics storage prior to running the Kerberos Wizard.
Note: If Centrify is installed and being used on any of the servers in the cluster, it is critical that you refer to Centrify's integration guide before attempting to enable Kerberos Security on your cluster. The documentation can be found in the Centrify Server Suite documentation library, with a direct link to the Hortonworks-specific PDF here.