Cloudera Docs

Prerequisites for creating Cloudera AI Registry

Cloudera AI Registry on premises uses Apache Ozone to store model artifacts. Cloudera AI Registry also requires dedicated TLS certificates as it operates through a separate Istio gateway, which does not support shared certificates.

Dedicated TLS certificate for Cloudera AI Registry

Cloudera AI Registry requires dedicated TLS certificates as it operates through a separate Istio gateway, which does not support shared certificates. During the installation of Cloudera on premises, the root Certificate Authority (CA) for these certificates must be set up. If this configuration step was missed, you can update the root CA by following the guidelines outlined in: Updating TLS certificates.

Creating Apache Ozone credentials

For creating a Cloudera AI Registry you need the Ozone S3 gateway endpoint, the Ozone access key, and the Ozone secret key.
  1. Open the Cloudera Manager UI.
  2. Select Clusters in the left navigation pane, and then select the relevant cluster, as OZONE-1 in the example.
    Figure 1. Selecting clusters in Ozone configuration
  3. Select S3 Gateway from the Status Summary.
Figure 2. Selecting S3 Gateway in the Ozone configuration
  1. Go to the S3 Gateway Web UI tab.
Figure 3. Selecting S3 Gateway Web UI in Ozone configuration

After selecting the S3 Gateway Web UI you can see a command with the -- endpoint, which shows the Ozone S3 gateway endpoint information:

Figure 4. S3 gateway endpoint information
  1. Generate the Ozone S3 secret key and Ozone access key.
    1. SSH to the Cloudera Manager host and run klist.You can find the hostname on Cloudera Manager > Environments under Cloudera Manager.
    2. Skip this step if you see Kerberos ticket information. Otherwise run the following command with the configured Keytab. 
      # kinit -kt /cdep/keytabs/om.keytab om
Run klist to check if kerberos ticket is granted.
[root@cml-pvc-oldap-1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: om@CDSW-INT.CLOUDERA.COM

Valid starting   	Expires          	Service principal
05/25/2022 14:32:13  05/26/2022 14:32:13  krbtgt/CDSW-INT.CLOUDERA.COM@CDSW-INT.CLOUDERA.COM
    renew until 06/02/2022 14:32:13
    3. Run this command to get the Ozone S3 secret key (awsSecret) and the Ozone access key (awsAccessKey). 
      
[root@cml-pvc-oldap-1 ~]# ozone s3 getsecret --om-service-id=ozone1

awsAccessKey=om@CDSW-INT.CLOUDERA.COM
awsSecret=40d5fc02fc882d53df3758a76184eb810ee97d9e1c45e5a7f2ef715bf31e5a0a
  2. Copy awsAccessKey and awsSecret for later use.