Using existing KDC
To use an existing KDC, in the advanced Security section of the create cluster wizard, select Enable Kerberos Security. By default, the Use Existing KDC option is selected.
You must provide the following information about your MIT KDC or Active Directory. Based on these parameters, kerberos-env and krb5-conf JSON descriptors for Ambari are generated and injected into your Blueprint:
Note: Before proceeding with the configuration, you must confirm that you have met the requirements by checking the boxes next to all requirements listed. The configuration options are displayed only after you have confirmed all the requirements by checking every box.
Parameter | Description |
---|---|
Kerberos Admin Principal | The admin principal in your existing MIT KDC or AD. |
Kerberos Admin Password | The admin principal password in your existing MIT KDC or AD. |
MIT KDC or Active Directory | Select MIT KDC or Active Directory. |
Use basic configuration
Parameter | Required if using… | Description |
---|---|---|
Kerberos Url | MIT, AD | IP address or FQDN for the KDC host. Optionally a port number may be included. Example: “kdc.example1.com:88” or “kdc.example1.com” |
Kerberos Admin URL | MIT, AD | (Optional) IP address or FQDN for the KDC admin host. Optionally a port number may be included. Example: “kdc.example2.com:88” or “kdc.example2.com” |
Kerberos Realm | MIT, AD | The default realm to use when creating service principals. Example: “EXAMPLE.COM” |
Kerberos AD Ldap Url | AD | The URL to the Active Directory LDAP Interface. This value must indicate a secure channel using LDAPS since it is required for creating and updating passwords for Active Directory accounts. Example: “ldaps://ad.example.com:636” |
Kerberos AD Container DN | AD | The distinguished name (DN) of the container used to store service principals. Example: “OU=hadoop,DC=example,DC=com” |
Use TCP Connection | Optional | By default, Kerberos uses UDP. Select this checkbox to use TCP instead. |
Use advanced configuration
Checking the Use Custom Configuration option allows you to provide the actual Ambari Kerberos descriptors to be injected into your blueprint (instead of Cloudbreak generating the descriptors on your behalf). This is the most powerful option, and it gives you full control of the available Ambari Kerberos options. You must provide:
- Kerberos-env JSON Descriptor (required)
- krb5-conf JSON Descriptor (optional)
To learn more about the Ambari Kerberos JSON descriptors, refer to Apache cwiki.
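A pre-submission check for a custom kerberos-env descriptor, as an added example that is not Cloudbreak's or Ambari's own code. The property names (kdc_type, kdc_hosts, realm, ldap_url, container_dn) are Ambari kerberos-env properties; which of them to treat as required is an assumption drawn from the basic-configuration table above, and the sample descriptors are constructed.

```python
import json

# Which properties to require is an assumption taken from the
# basic-configuration table; Ambari itself may accept other combinations.
REQUIRED = ("kdc_type", "kdc_hosts", "realm")
AD_REQUIRED = ("ldap_url", "container_dn")
KDC_TYPES = ("mit-kdc", "active-directory")  # the two choices the wizard offers


def check_kerberos_env(descriptor_text):
    """Return a list of problems found in a kerberos-env JSON descriptor."""
    try:
        doc = json.loads(descriptor_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    env = doc.get("kerberos-env") if isinstance(doc, dict) else None
    props = env.get("properties") if isinstance(env, dict) else None
    if not isinstance(props, dict):
        return ["missing kerberos-env.properties object"]
    problems = [f"missing {key}" for key in REQUIRED if not props.get(key)]
    kdc_type = props.get("kdc_type")
    if kdc_type and kdc_type not in KDC_TYPES:
        problems.append(f"unexpected kdc_type: {kdc_type}")
    if kdc_type == "active-directory":
        problems += [f"missing {key} (required for AD)"
                     for key in AD_REQUIRED if not props.get(key)]
        url = props.get("ldap_url")
        # AD password creation and updates need LDAPS; reject plain ldap://.
        if url and not str(url).lower().startswith("ldaps://"):
            problems.append("ldap_url must use ldaps://")
    return problems


# Constructed sample descriptors (not taken from a real cluster).
GOOD_AD = json.dumps({"kerberos-env": {"properties": {
    "kdc_type": "active-directory", "kdc_hosts": "kdc.example1.com:88",
    "realm": "EXAMPLE.COM", "ldap_url": "ldaps://ad.example.com:636",
    "container_dn": "OU=hadoop,DC=example,DC=com"}}})
BAD_AD = GOOD_AD.replace("ldaps://ad.example.com:636",
                         "ldap://ad.example.com:389")

if __name__ == "__main__":
    for name, text in (("GOOD_AD", GOOD_AD), ("BAD_AD", BAD_AD)):
        print(name, check_kerberos_env(text) or "ok")
```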