Apache Ambari Security
Also available as:
PDF
loading table of contents...

Launching the Kerberos Wizard (Automated Setup)

  1. Be sure you have Installed and Configured your KDC and have prepared the JCE on each host in the cluster.

  2. Log in to Ambari Web and Browse to Admin > Kerberos.

  3. Click “Enable Kerberos” to launch the wizard.

  4. Select the type of KDC you are using and confirm you have met the prerequisites.

  5. Provide information about the KDC and admin account.

    1. In the KDC section, enter the following information:

      • In the KDC Host field, the IP address or FQDN for the KDC host. Optionally a port number may be included.

      • In the Realm name field, the default realm to use when creating service principals.

      • (Optional) In the Domains field, provide a list of patterns to use to map hosts in the cluster to the appropriate realm. For example, if your hosts have a common domain in their FQDN such as host1.hortonworks.local and host2.hortonworks.local, you would set this to:

        .hortonworks.local,hortonworks.local

    2. In the Kadmin section, enter the following information:

      • In the Kadmin Host field, the IP address or FQDN for the KDC administrative host. Optionally a port number may be included.

      • The Admin principal and password that will be used to create principals and keytabs.

      • (Optional) If you have configured Ambari for encrypted passwords, the Save Admin Credentials option will be enabled. With this option, you can have Ambari store the KDC Admin credentials to use when making cluster changes. Refer to Managing Admin Credentials for more information on this option.

  6. Modify any advanced Kerberos settings based on your environment.

    1. (Optional) To manage your Kerberos client krb5.conf manually (and not have Ambari manage the krb5.conf), expand the Advanced krb5-conf section and uncheck the "Manage" option. You must have the krb5.conf configured on each host.

      [Note]Note

      When manually managing the krb5.conf it is recommended to ensure that DNS is not used for looking up KDC, and REALM entries. Relying on DNS can cause negative performance, and functional impact. To ensure that DNS is not used, ensure the following entries are set in the libdefaults section of your configuration.

      [libdefaults]
      dns_lookup_kdc = false
      dns_lookup_realm = false
    2. (Optional) to configure any additional KDC's to be used for this environment, add an entry for each additional KDC to the realms section of the Advanced krb5-conf's krb5-conf template.

      kdc = {{kdc_host}}
      kdc = otherkdc.example.com
    3. (Optional) To not have Ambari install the Kerberos client libraries on all hosts, expand the Advanced kerberos-env section and uncheck the “Install OS-specific Kerberos client package(s)” option. You must have the Kerberos client utilities installed on each host.

    4. (Optional) If your Kerberos client libraries are in non-standard path locations, expand the Advanced kerberos-env section and adjust the “Executable Search Paths” option.

    5. (Optional) If your KDC has a password policy, expand the Advanced kerberos-env section and adjust the Password options.

    6. (Optional) Ambari will test your Kerberos settings by generating a test principal and authenticating with that principal. To customize the test principal name that Ambari will use, expand the Advanced kerberos-env section and adjust the Test Kerberos Principal value. By default, the test princial name is a combination of cluster name and date (${cluster_name}-${short_date}). This test principal will be deleted after the test is complete.

    7. (Optional) If you need to customize the attributes for the principals Ambari will create, when using Active Directory, see the Customizing the Attribute Template for more information. When using MIT KDC, you can pass Principal Attributes options in the Advanced kerberos-env section. For example, you can set options related to pre-auth or max. renew life by passing:

      -requires_preauth -maxrenewlife "7 days"
  7. Proceed with the install.

  8. Ambari will install Kerberos clients on the hosts and test access to the KDC by testing that Ambari can create a principal, generate a keytab and distribute that keytab.

  9. Customize the Kerberos identities used by Hadoop and proceed to kerberize the cluster.

    [Important]Important

    On the Configure Identities step, be sure to review the principal names, particularly the Ambari Principals on the General tab. These principal names, by default, append the name of the cluster to each of the Ambari principals. You can leave this as default or adjust these by removing the "-${cluster-name}" from principal name string. For example, if your cluster is named HDP and your realm is EXAMPLE.COM, the hdfs principal will be created as hdfs-HDP@EXAMPLE.COM.

  10. Confirm your configuration. You can optionally download a CSV file of the principals and keytabs that Ambari will automatically create.

  11. Click Next to start the process.

  12. After principals have been created and keytabs have been generated and distributed, Ambari updates the cluster configurations, then starts and tests the Services in the cluster.

  13. Exit the wizard when complete.

  14. Ambari Server communicates with components in the cluster, and now with Kerberos setup, you need to make sure Ambari Server is setup for Kerberos. As part of the automated Kerberos setup process, Ambari Server has been given a keytabs and setup is performed. All you need to do is restart Ambari Server for that to take affect. Therefore, restart Ambari Server at this time.