Configuring Authentication with Kerberos
Also available as:
PDF
loading table of contents...

Running the Kerberos Security Wizard

Ambari provides three options for enabling Kerberos: using an existing MIT KDC (Automated Setup), using an existing Active Directory (Automated Setup), or manage Kerberos principals and keytabs manually (Manual Setup).

Automated Setup

When choosing Existing MIT KDC or Existing Active Directory, the Kerberos Wizard prompts for information related to the KDC, the KDC Admin Account and the Service and Ambari principals. Once provided, Ambari will automatically create principals, generate keytabs and distribute keytabs to the hosts in the cluster. The services will be configured for Kerberos and the service components are restarted to authenticate against the KDC. This is the Automated Setup option. See “Launching the Kerberos Wizard (Automated Setup)” for more details.

If you chose to enable Kerberos using the Automated Kerberos Setup option, as part of the enabling Kerberos process, Ambari installs the Kerberos clients on the cluster hosts. Depending on your operating system, the following packages are installed:
Table 1. Packages installed by Ambari for the Kerberos Client

Operating System

Packages

RHEL/CentOS/Oracle Linux 7

krb5-workstation

RHEL/CentOS/Oracle Linux 6

krb5-workstation

SLES 11

krb5-client

Ubuntu/Debian

krb5-user, krb5-config

Manual Setup

When choosing Manage Kerberos principals and keytabs manually, you must create the principals, generate and distribute the keytabs; including you performing the “Ambari Server Kerberos setup”. Ambari will not do this automatically. This is the Manual Setup option. See “Launching the Kerberos Wizard (Manual Setup)” for more details.