Apache Ambari Security
Also available as:
loading table of contents...

Optional: Set Up Ambari Server for Kerberos


This section describes how to set up and configure Ambari Server to have a Kerberos principal and keytab. If you performed the Automated Kerberos Setup, these steps are performed automatically (and therefore, you do not need to perform the steps below). If you performed the Manual Kerberos Setup, perform the steps below as well.

When a cluster is enabled for Kerberos, the component REST endpoints (such as the YARN ATS component) require SPNEGO authentication.

Depending on the Services in your cluster, Ambari Web needs access to these APIs. As well, views such as the Tez View need access to ATS. Therefore, the Ambari Server requires a Kerberos principal in order to authenticate via SPNEGO against these APIs. This section describes how to configure Ambari Server with a Kerberos principal and keytab to allow views to authenticate via SPNEGO against cluster components.

  1. Create a principal in your KDC for the Ambari Server. For example, using kadmin:

    addprinc -randkey ambari-server@EXAMPLE.COM
  2. Generate a keytab for that principal.

    xst -k ambari.server.keytab ambari-server@EXAMPLE.COM
  3. Place that keytab on the Ambari Server host. Be sure to set the file permissions so the user running the Ambari Server daemon can access the keytab file.

  4. Stop the ambari server.

    ambari-server stop
  5. Run the setup-security command.

    ambari-server setup-security
  6. Select 3 for Setup Ambari kerberos JAAS configuration.

  7. Enter the Kerberos principal name for the Ambari Server you set up earlier.

  8. Enter the path to the keytab for the Ambari principal.

  9. Restart Ambari Server.

    ambari-server restart