Set Up Kerberos for Ambari Server
This section describes how to configure Ambari Server with a Kerberos principal and keytab to allow views to authenticate via SPNEGO against cluster components.
When a cluster is enabled for Kerberos, the component REST endpoints (such as the YARN ATS component) require SPNEGO authentication.
Depending on the Services in your cluster, Ambari Web needs access to these APIs. As well, some views need access to ATS. Therefore, the Ambari Server requires a Kerberos principal in order to authenticate via SPNEGO against these APIs. This section describes how to configure Ambari Server with a Kerberos principal and keytab to allow views to authenticate via SPNEGO against cluster components.
-
Create a principal in your KDC for the Ambari Server. For example, using kadmin.
addprinc -randkey ambari-server@EXAMPLE.COM
. -
Generate a keytab for that principal.
xst -k ambari.server.keytab ambari-server@EXAMPLE.COM
. -
Place that keytab on the Ambari Server host. Be sure to set the file permissions
so the user running the Ambari Server daemon can access the keytab file.
/etc/security/keytabs/ambari.server.keytab
. -
Stop the ambari server.
ambari-server stop
. -
Run the setup-security command.
ambari-server setup-security
. -
Select
3
for Setup Ambari kerberos JAAS configuration. - Enter the Kerberos principal name for the Ambari Server you set up earlier.
- Enter the path to the keytab for the Ambari principal.
-
Restart Ambari Server.
ambari-server restart
.