Enabling Kerberos on the cluster may be done using the Enable Kerberos Wizard within the Ambari UI or using the REST API.
The Enable Kerberos Wizard, in the Ambari UI, provides an easy to use wizard interface that walks through the process of enabling Kerberos.
It is possible to enable Kerberos using Ambari's REST API using the following API calls:
Notes:
curl ... -u username:password ...
curl ... http://HOST:PORT/api/v1/...
curl ... http://.../CLUSTER/...
curl ... -d @./payload ...
./payload
which should be replace with the actual file pathcurl -H "X-Requested-By:ambari" -u admin:admin -i -X POST http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/services/KERBEROS
curl -H "X-Requested-By:ambari" -u admin:admin -i -X POST http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/services/KERBEROS/components/KERBEROS_CLIENT
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d @./payload http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME
Payload when using an MIT KDC:
[ { "Clusters": { "desired_config": { "type": "krb5-conf", "tag": "version1", "properties": { "domains":"", "manage_krb5_conf": "true", "conf_dir":"/etc", "content" : "[libdefaults]\n renew_lifetime = 7d\n forwardable= true\n default_realm = {{realm|upper()}}\n ticket_lifetime = 24h\n dns_lookup_realm = false\n dns_lookup_kdc = false\n #default_tgs_enctypes = {{encryption_types}}\n #default_tkt_enctypes ={{encryption_types}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{%endif %}\n\n[logging]\n default = FILE:/var/log/krb5kdc.log\nadmin_server = FILE:/var/log/kadmind.log\n kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n" } } } }, { "Clusters": { "desired_config": { "type": "kerberos-env", "tag": "version1", "properties": { "kdc_type": "mit-kdc", "manage_identities": "true", "install_packages": "true", "encryption_types": "aes des3-cbc-sha1 rc4 des-cbc-md5", "realm" : "EXAMPLE.COM", "kdc_host" : "KDC_SERVER", "admin_server_host" : "KDC_SERVER", "executable_search_paths" : "/usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin", "password_length": "20", "password_min_lowercase_letters": "1", "password_min_uppercase_letters": "1", "password_min_digits": "1", "password_min_punctuation": "1", "password_min_whitespace": "0", "service_check_principal_name" : "${cluster_name}-${short_date}", "case_insensitive_username_rules" : "false" } } } } ]
Payload when using an Active Directory:
[ { "Clusters": { "desired_config": { "type": "krb5-conf", "tag": "version1", "properties": { "domains":"", "manage_krb5_conf": "true", "conf_dir":"/etc", "content" : "[libdefaults]\n renew_lifetime = 7d\n forwardable= true\n default_realm = {{realm|upper()}}\n ticket_lifetime = 24h\n dns_lookup_realm = false\n dns_lookup_kdc = false\n #default_tgs_enctypes = {{encryption_types}}\n #default_tkt_enctypes ={{encryption_types}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{%endif %}\n\n[logging]\n default = FILE:/var/log/krb5kdc.log\nadmin_server = FILE:/var/log/kadmind.log\n kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n" } } } }, { "Clusters": { "desired_config": { "type": "kerberos-env", "tag": "version1", "properties": { "kdc_type": "active-directory", "manage_identities": "true", "install_packages": "true", "encryption_types": "aes des3-cbc-sha1 rc4 des-cbc-md5", "realm" : "EXAMPLE.COM", "kdc_host" : "AD_HOST", "admin_server_host" : "AD_HOST", "ldap_url" : "LDAPS://AD_HOST:PORT", "container_dn" : "OU=....,....", "executable_search_paths" : "/usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin", "password_length": "20", "password_min_lowercase_letters": "1", "password_min_uppercase_letters": "1", "password_min_digits": "1", "password_min_punctuation": "1", "password_min_whitespace": "0", "service_check_principal_name" : "${cluster_name}-${short_date}", "case_insensitive_username_rules" : "false", "create_attributes_template" : "{\n \"objectClass\": [\"top\", \"person\", \"organizationalPerson\", \"user\"],\n \"cn\": \"$principal_name\",\n #if( $is_service )\n \"servicePrincipalName\": \"$principal_name\",\n #end\n \"userPrincipalName\": \"$normalized_principal\",\n \"unicodePwd\": \"$password\",\n \"accountExpires\": \"0\",\n \"userAccountControl\": \"66048\"}" } } } } ]
Once for each host, replace HOST_NAME
curl -H "X-Requested-By:ambari" -u admin:admin -i -X POST -d '{"host_components" : [{"HostRoles" : {"component_name":"KERBEROS_CLIENT"}}]}' http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/hosts?Hosts/host_name=HOST_NAME
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"ServiceInfo": {"state" : "INSTALLED"}}' http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/services/KERBEROS
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"RequestInfo":{"context":"Stop Service"},"Body":{"ServiceInfo":{"state":"INSTALLED"}}}' http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/services
curl -H "X-Requested-By:ambari" -u admin:admin -i -X GET http://AMBARI_SERVER:8080/api/v1/stacks/STACK_NAME/versions/STACK_VERSION/artifacts/kerberos_descriptor
curl -H "X-Requested-By:ambari" -u admin:admin -i -X GET http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/artifacts/kerberos_descriptor
curl -H "X-Requested-By:ambari" -u admin:admin -i -X POST -d @./payload http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/artifacts/kerberos_descriptor
Payload:
The Kerberos Descriptor payload may be a complete Kerberos Descriptor or just the updates to overlay on top of the default Kerberos Descriptor.
curl -H "X-Requested-By:ambari" -u admin:admin -i -X POST -d @./payload http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/credentials
Payload:
{ "Credential" : { "principal" : "admin/admin@EXAMPLE.COM", "key" : "h4d00p&!", "type" : "temporary" } }
Note: the principal and key (password) values should be updated to match the correct credentials for the KDC administrator account
Note: the type
value may be temporary
or persisted
; however the value may only be persisted
if Ambari's credential store has been previously setup.
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d @./payload http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME
Payload
{ "Clusters": { "security_type" : "KERBEROS" } }
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"ServiceInfo": {"state" : "STARTED"}}' http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/services
When Ambari generates keytab files, it uses an internal mechanism rather than rely on the KDC or Active Directory to do it. This is because Ambari cannot request a keytab file from some KDCs such as an Active Directory. In order to create keytab files, Ambari needs to know the password for each relevant Kerberos identity. Therefore, Ambari sets or updates the identity's password as needed.
The password for each Ambari-managed account in a KDC or Active Directory is randomly generated and stored only long enough to set the account's password and generate the keytab file. Passwords are generated using the following user-settable parameters:
kerberos-env/password_length
)kerberos-env/password_min_lowercase_letters
)abcdefghijklmnopqrstuvwxyz
kerberos-env/password_min_uppercase_letters
)ABCDEFGHIJKLMNOPQRSTUVWXYZ
kerberos-env/password_min_digits
)1234567890
kerberos-env/password_min_punctuation
)?.!$%^*()-_+=~
kerberos-env/password_min_whitespace
)(space character)
The following algorithm is executed:
To generate a random integer used to identify an index within a character set, a static instance of the java.security.SecureRandom
class (http://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html) is used.