Hadoop Security Guide
Also available as:
PDF
loading table of contents...
Launching the Kerberos Wizard (Automated Setup)
  1. Be sure you have Installed and Configured your KDC and have prepared the JCE on each host in the cluster.

  2. Log in to Ambari Web and Browse to Admin > Kerberos.

  3. Click “Enable Kerberos” to launch the wizard.

  4. Select the type of KDC you are using and confirm you have met the prerequisites.

  5. Provide information about the KDC and admin account.

    1. (Optional) In the Domains field, provide a list of patterns to use to map hosts in the cluster to the appropriate realm. For example, if your hosts have a common domain in their FQDN such as host1.hortonworks.local and host2.hortonworks.local, you would set this to:

      .hortonworks.local,hortonworks.local

    2. (Optional) To manage your Kerberos client krb5.conf manually (and not have Ambari manage the krb5.conf), expand the Advanced krb5-conf section and uncheck the "Manage" option. You must have the krb5.conf configured on each host.

    3. (Optional) to configure any additional KDC's to be used for this environment, add an entry for each additional KDC to the realms section of the Advanced krb5-conf's krb5-conf template.

      kdc = {{kdc_host}}
      kdc = otherkdc.example.com
    4. (Optional) To not have Ambari install the Kerberos client libraries on all hosts, expand the Advanced kerberos-env section and uncheck the “Install OS-specific Kerberos client package(s)” option. You must have the Kerberos client utilities installed on each host.

    5. (Optional) If your Kerberos client libraries are in non-standard path locations, expand the Advanced kerberos-env section and adjust the “Executable Search Paths” option.

    6. (Optional) If your KDC has a password policy, expand the Advanced kerberos-env section and adjust the Password options.

    7. (Optional) Ambari will test your Kerberos settings by generating a test principal and authenticating with that principal. To customize the test principal name that Ambari will use, expand the Advanced kerberos-env section and adjust the Test Principal Name value. By default, the test princial name is a combination of cluster name and date (${cluster_name}-${short_date}). This test principal will be deleted after the test is complete.

    8. (Optional) If you need to customize the attributes for the principals Ambari will create, when using Active Directory, see the Customizing the Attribute Template for more information. When using MIT KDC, you can pass Principal Attribute options in the Advanced kerberos-env section. For example, you can set options related to pre-auth or max. renew life by passing:

      -requires_preauth -maxrenewlife "7 days"
  6. Proceed with the install.

  7. Ambari will install Kerberos clients on the hosts and test access to the KDC by testing that Ambari can create a principal, generate a keytab and distribute that keytab.

  8. Customize the Kerberos identities used by Hadoop and proceed to kerberize the cluster.

    [Important]Important

    On the Configure Identities step, be sure to review the principal names, particularly the Ambari Principals on the General tab. These principal names, by default, append the name of the cluster to each of the Ambari principals. You can leave this as default or adjust these by removing the "-${cluster-name}" from principal name string. For example, if your cluster is named HDP and your realm is EXAMPLE.COM, the hdfs principal will be created as hdfs-HDP@EXAMPLE.COM.

  9. Confirm your configuration. You can optionally download a CSV file of the principals and keytabs that Ambari will automatically create.

  10. Click Next to start the process.

  11. After principals have been created and keytabs have been generated and distributed, Ambari updates the cluster configurations, then starts and tests the Services in the cluster.

    [Note]Note

    If your cluster includes Storm, after enabling Kerberos, you must also set up Ambari for Kerberos for Storm Service Summary information to be displayed in Ambari Web. Otherwise, you will see n/a for Storm information such as Slots, Tasks, Executors and Topologies.

  12. Exit the wizard when complete.