Configuring Authentication with Kerberos
Also available as:
PDF
loading table of contents...

Checklist: Installing and Configuring the KDC

Ambari is able to configure Kerberos in the cluster to work with an existing MIT KDC, or existing Active Directory installation. This section describes the steps necessary to prepare for this integration.

You can choose to have Ambari connect to the KDC and automatically create the necessary Service and Ambari principals, generate and distribute the keytabs (“Automated Kerberos Setup”). Ambari also provides an advanced option to manually configure Kerberos. If you choose this option, you must create the principals, generate and distribute the keytabs. Ambari will not do this automatically (“Manual Kerberos Setup”).

Supported Key Distribution Center (KDC) Versions
  • Microsoft Active Directory 2008 and above
  • MIT Kerberos v5
  • FreeIPA 4.x and above
There are four ways to install/configure the KDC:
  • Using an existing MIT KDC
  • Install a new MIT KDC (See "Optional: Install a new MIT KDC")
  • Using an existing IPA
  • Using an existing AD
  • Using manual Kerberos setup
Option Checklist
Using an existing MIT KDC
  • Ambari Server and cluster hosts have network access to both the KDC and KDC admin hosts.

  • KDC administrative credentials are on-hand.

Install a new MIT KDC See “Optional: Install a new MIT KDC”
Using an existing IPA See “Optional: Use an Existing IPA”
Using an existing AD
  • Ambari Server and cluster hosts have network access to, and be able to resolve the DNS names of, the Domain Controllers.

  • Active Directory secure LDAP (LDAPS) connectivity has been configured.

  • Active Directory User container for service principals has been created and is on-hand. For example, "OU=Hadoop,OU=People,dc=apache,dc=org"

  • Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the previously mentioned User container are on-hand.

Using manual Kerberos setup
  • Cluster hosts have network access to the KDC.

  • Kerberos client utilities (such as kinit) have been installed on every cluster host.

  • The Java Cryptography Extensions (JCE) have been setup on the Ambari Server host and all hosts in the cluster.

  • The Service and Ambari Principals will be manually created in the KDC before completing this wizard.

  • The keytabs for the Service and Ambari Principals will be manually created and distributed to cluster hosts before completing this wizard.