Advanced Cluster Options

Using test KDC

To use a test KDC, in the advanced Security section of the create cluster wizard select Enable Kerberos Security and then select Use Test KDC.

Note

The Test KDC is for evaluation and testing purposes only and cannot be used for production clusters. To enable Kerberos for production use, you must select the Use Existing KDC option.

You must provide the following parameters for your new test KDC:

Parameter                          Description
Kerberos Master Key                The master key for the KDC database.
Kerberos Admin Username            The admin principal to create that can administer the KDC.
Kerberos Admin Password            The admin principal password.
Confirm Kerberos Admin Password    The admin principal password.

When using the test KDC option:

  • Cloudbreak installs an MIT KDC instance on the Ambari server node.
  • Kerberos clients are installed on all cluster nodes, and the krb5.conf is configured to use the MIT KDC.
  • The cluster is configured for Kerberos to use the MIT KDC. Very basic Ambari JSON Kerberos descriptors are generated and used accordingly.

Example kerberos-env JSON descriptor file:

{
  "kerberos-env" : {
    "properties" : {
      "kdc_type" : "mit-kdc",
      "kdc_hosts" : "ip-10-0-121-81.ec2.internal",
      "realm" : "EC2.INTERNAL",
      "encryption_types" : "aes des3-cbc-sha1 rc4 des-cbc-md5",
      "ldap_url" : "",
      "admin_server_host" : "ip-10-0-121-81.ec2.internal",
      "container_dn" : ""
    }
  }
}
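
The sample descriptor above lists des3-cbc-sha1, rc4 and des-cbc-md5 alongside aes; single DES is deprecated for Kerberos by RFC 6649, and 3DES and RC4 by RFC 8429. The following is an added example, not part of the Cloudbreak documentation (the function name audit_enctypes and the WEAK_ENCTYPES table are assumptions of this example): it reads a kerberos-env descriptor and separates those legacy encryption types from the rest, a check worth running before a descriptor derived from the test KDC is reused with an existing KDC.

```python
import json

# Enctype and family names as accepted by MIT krb5 (assumed list for this example).
# Single DES is deprecated by RFC 6649; 3DES and RC4 by RFC 8429.
WEAK_ENCTYPES = {
    "des": "single DES family",
    "des-cbc-crc": "single DES",
    "des-cbc-md4": "single DES",
    "des-cbc-md5": "single DES",
    "des3": "triple DES family",
    "des3-cbc-sha1": "triple DES",
    "rc4": "RC4 family",
    "rc4-hmac": "RC4",
    "arcfour-hmac": "RC4",
    "arcfour-hmac-md5": "RC4",
}

# Constructed sample: trimmed copy of the kerberos-env descriptor shown on this page.
SAMPLE = """
{
  "kerberos-env": {
    "properties": {
      "kdc_type": "mit-kdc",
      "realm": "EC2.INTERNAL",
      "encryption_types": "aes des3-cbc-sha1 rc4 des-cbc-md5"
    }
  }
}
"""

def audit_enctypes(descriptor_text):
    """Return (weak, other) lists of enctype names from a kerberos-env descriptor."""
    doc = json.loads(descriptor_text)
    props = doc.get("kerberos-env", {}).get("properties", {})
    raw = props.get("encryption_types")
    if raw is None:
        raise ValueError("kerberos-env has no encryption_types property")
    weak, other = [], []
    # Names are whitespace-separated in the page's example; commas are tolerated too.
    for name in raw.replace(",", " ").split():
        (weak if name.lower() in WEAK_ENCTYPES else other).append(name)
    return weak, other

if __name__ == "__main__":
    weak, other = audit_enctypes(SAMPLE)
    for name in weak:
        print(f"WEAK   {name}: {WEAK_ENCTYPES[name.lower()]}")
    for name in other:
        print(f"other  {name}")
```

Names in the "other" list are only those not in the table; they still need review against the enctypes the target KDC and clients actually support.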

Example krb5-conf JSON descriptor file:

{
  "krb5-conf" : {
    "properties" : {
      "domains" : ".ec2.internal",
      "manage_krb5_conf" : "true"
    }
  }
}

To learn more about the Ambari Kerberos JSON descriptors, refer to Apache cwiki.