The type of KDC being used.
Possible values: none, mit-kdc, active-directory, ipa
Indicates whether the Ambari-specified user and service Kerberos identities (principals and keytab files) should be managed (created, deleted, updated, etc.) by Ambari (true) or managed manually by the user (false).
Possible values: true, false
Indicates whether the Ambari Kerberos identity (the principal and keytab file used by Ambari itself and its views) should be managed (created, deleted, updated, etc.) by Ambari (true) or managed manually by the user (false).
Possible values: true, false
This property depends on the value of manage_identities: if manage_identities is false, create_ambari_principal is assumed to be false as well.
Indicates whether the Hadoop auth-to-local rules should be managed by Ambari (true) or managed manually by the user (false).
Possible values: true, false
Indicates whether Ambari should install the Kerberos client packages (true) or not (false). If not, the Kerberos utility programs installed by the user (such as kadmin, kinit, klist, and kdestroy) are expected to be compatible with MIT Kerberos 5 version 1.10.3 in command-line options and behavior.
Possible values: true, false
The URL of the Active Directory LDAP interface. This value must specify a secure channel (LDAPS), since a secure connection is required for creating and updating passwords for Active Directory accounts.
Example: ldaps://ad.example.com:636
If the kdc_type is active-directory, this property is mandatory.
The distinguished name (DN) of the container used to store the Ambari-managed user and service principals within the configured Active Directory.
Example: OU=hadoop,DC=example,DC=com
If the kdc_type is active-directory, this property is mandatory.
The supported (space-delimited) list of session key encryption types that should be returned by the KDC.
Default value: aes des3-cbc-sha1 rc4 des-cbc-md5
The default realm to use when creating service principals
Example: EXAMPLE.COM
This value is expected to be in all uppercase characters.
A comma-delimited list of IP addresses or FQDNs for the list of relevant KDC hosts. Optionally a port number may be included for each entry.
Example: kdc.example.com, kdc1.example.com
Example: kdc.example.com:88, kdc1.example.com:88
The IP address or FQDN of the Kerberos administrative host. Optionally a port number may be included.
Example: kadmin.example.com
Example: kadmin.example.com:88
If the kdc_type is mit-kdc or ipa, the value must be the FQDN of the Kerberos administrative host.
The IP address or FQDN of the master KDC host in a master-slave KDC deployment. Optionally a port number may be included.
Example: kadmin.example.com
Example: kadmin.example.com:88
A comma-delimited list of search paths to use to find Kerberos utilities like kadmin and kinit.
Default value: /usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin
The required length of generated passwords.
Default value: 20
The minimum number of lowercase letters (a-z) required in generated passwords
Default value: 1
The minimum number of uppercase letters (A-Z) required in generated passwords
Default value: 1
The minimum number of digits (0-9) required in generated passwords
Default value: 1
The minimum number of punctuation characters (?.!$%^*()-_+=~) required in generated passwords
Default value: 1
The minimum number of whitespace characters required in generated passwords
Default value: 0
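As an added illustration (not Ambari's own code), the following Python checks a password against the policy knobs described above, with the page's defaults as parameter defaults, and generates one that satisfies them; the function names are this example's own.

```python
import secrets
import string

# Constructed example, not Ambari's own code: check a password against the
# policy knobs described above (page defaults as parameter defaults) and
# generate one that satisfies them. Function names are this example's own.
PUNCTUATION = "?.!$%^*()-_+=~"  # the punctuation set the page lists
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "punctuation": PUNCTUATION,
    "whitespace": " ",
}

def _minimums(lowercase, uppercase, digits, punctuation, whitespace):
    return {"lowercase": lowercase, "uppercase": uppercase, "digits": digits,
            "punctuation": punctuation, "whitespace": whitespace}

def policy_violations(password, length=20, lowercase=1, uppercase=1,
                      digits=1, punctuation=1, whitespace=0):
    """Return a list of violations; an empty list means the password complies."""
    problems = []
    if len(password) != length:
        problems.append(f"length {len(password)} != required {length}")
    for name, need in _minimums(lowercase, uppercase, digits, punctuation, whitespace).items():
        have = sum(ch in CLASSES[name] for ch in password)
        if have < need:
            problems.append(f"{name}: {have} < minimum {need}")
    return problems

def generate_password(length=20, lowercase=1, uppercase=1, digits=1,
                      punctuation=1, whitespace=0):
    """Draw each class's minimum, fill the remainder from the allowed pool, shuffle."""
    minimums = _minimums(lowercase, uppercase, digits, punctuation, whitespace)
    if sum(minimums.values()) > length:
        raise ValueError("class minimums exceed the required length")
    chars = [secrets.choice(CLASSES[name]) for name, need in minimums.items() for _ in range(need)]
    # Whitespace is only part of the filler pool when the policy demands it.
    pool = "".join(a for n, a in CLASSES.items() if n != "whitespace" or minimums[n] > 0)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```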
The principal name to use when executing the Kerberos service check.
Example: ${cluster_name}-${short_date}
Force principal names to resolve to lowercase local usernames in auth-to-local rules.
Possible values: true, false
Default value: false
A Velocity template used to generate a JSON-formatted document containing the set of attribute names and values needed to create a new Kerberos identity in the relevant Active Directory.
Variables include:
  principal_name - the components (primary and instance) portion of the principal
  principal_primary - the primary component of the principal name
  principal_instance - the instance component of the principal name
  realm - the realm portion of the principal
  realm_lowercase - the lowercase form of the realm of the principal
  normalized_principal - the full principal value, including the component and realm parts
  principal_digest - a binhex-encoded SHA1 digest of the normalized principal
  principal_digest_256 - a binhex-encoded SHA256 digest of the normalized principal
  principal_digest_512 - a binhex-encoded SHA512 digest of the normalized principal
  password - the generated password
  is_service - true if the principal is a service principal, false if the principal is a user principal
  container_dn - the kerberos-env/container_dn property value
Note: A principal is made up of the following parts: primary component, instance component (optional), and realm:
  primary_component@realm
  primary_component/instance_component@realm
Default value:
{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_name",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}
This property is mandatory and only used if the kdc_type is active-directory.
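As an added illustration (not Ambari's own implementation), the following Python derives the template variables listed above from a principal string and builds the attribute document the default template yields for a service principal versus a user principal; the regular expression and the function names are this example's own.

```python
import hashlib
import re
# Constructed example, not Ambari's own implementation: derive the Velocity
# variables listed above from a principal string and build the Active Directory
# attribute document the default template produces. The regular expression and
# the function names are this example's own.
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?(?:@(?P<realm>.+))?$")

def template_variables(principal, default_realm, is_service, password, container_dn):
    """Split primary/instance@realm and compute the realm and digest variants."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    primary, instance = m.group("primary"), m.group("instance")
    realm = m.group("realm") or default_realm  # no explicit realm: use the default
    principal_name = primary if instance is None else f"{primary}/{instance}"
    normalized = f"{principal_name}@{realm}"

    def digest(algo):  # "binhexed" digest: hex of the hash over the normalized principal
        return hashlib.new(algo, normalized.encode("utf-8")).hexdigest()

    return {
        "principal_name": principal_name,
        "principal_primary": primary,
        "principal_instance": instance,
        "realm": realm,
        "realm_lowercase": realm.lower(),
        "normalized_principal": normalized,
        "principal_digest": digest("sha1"),
        "principal_digest_256": digest("sha256"),
        "principal_digest_512": digest("sha512"),
        "password": password,
        "is_service": is_service,
        "container_dn": container_dn,
    }

def ad_create_attributes(v):
    """Same attribute set as the default template: servicePrincipalName only for services."""
    attrs = {"objectClass": ["top", "person", "organizationalPerson", "user"],
             "cn": v["principal_name"]}
    if v["is_service"]:
        attrs["servicePrincipalName"] = v["principal_name"]
    attrs.update({
        "userPrincipalName": v["normalized_principal"],
        "unicodePwd": v["password"],
        "accountExpires": "0",
        "userAccountControl": "66048",  # NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWORD (65536)
    })
    return attrs
```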
The set of attributes to use when creating a new Kerberos identity in the relevant (MIT) KDC.
Example: -requires_preauth max_renew_life=7d
This property is optional and only used if the kdc_type is mit-kdc.
The group in IPA that user principals should be a member of.
This property is optional and only used if the kdc_type is ipa.
Indicates whether the krb5.conf file should be managed (created, updated, etc.) by Ambari (true) or managed manually by the user (false).
Possible values: true, false
Default value: false
A comma-separated list of domain names used to map server host names to the realm name.
Example: host.example.com, example.com, .example.com
This property is optional.
The krb5.conf configuration directory.
Default value: /etc
Customizable krb5.conf template (Jinja template engine).
Default value:
[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = {{realm}}
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = {{encryption_types}}
  #default_tkt_enctypes = {{encryption_types}}
{% if domains %}
[domain_realm]
{%- for domain in domains.split(',') %}
  {{domain|trim()}} = {{realm}}
{%- endfor %}
{% endif %}
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  {{realm}} = {
{%- if master_kdc %}
    master_kdc = {{master_kdc|trim()}}
{%- endif -%}
{%- if kdc_hosts > 0 -%}
{%- set kdc_host_list = kdc_hosts.split(',') -%}
{%- if kdc_host_list and kdc_host_list|length > 0 %}
    admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}
{%- if kdc_host_list -%}
{%- if master_kdc and (master_kdc not in kdc_host_list) %}
    kdc = {{master_kdc|trim()}}
{%- endif -%}
{% for kdc_host in kdc_host_list %}
    kdc = {{kdc_host|trim()}}
{%- endfor -%}
{% endif %}
{%- endif %}
{%- endif %}
  }

{# Append additional realm declarations below #}
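The following Python, added here and not part of Ambari, reproduces the [domain_realm] and [realms] logic of the template above without a Jinja engine so its edge cases can be checked: admin_server falls back to the first kdc_hosts entry when admin_server_host is empty, and a master_kdc that is absent from kdc_hosts is emitted as an extra kdc line ahead of the others. It simplifies the template's kdc_hosts > 0 guard to a non-empty check and compares trimmed host names; the function name is this example's own.

```python
# Constructed example, not Ambari's own code: reproduce the [domain_realm] and
# [realms] logic of the krb5.conf template above in plain Python so the edge
# cases can be checked without a Jinja engine. The function name is this
# example's own; the kdc_hosts > 0 guard is simplified to a non-empty check and
# host names are compared after trimming.
def render_realm_sections(realm, domains="", kdc_hosts="", admin_server_host="", master_kdc=""):
    lines = []
    # [domain_realm]: one "domain = REALM" line per comma-separated entry.
    domain_list = [d.strip() for d in domains.split(",") if d.strip()]
    if domain_list:
        lines.append("[domain_realm]")
        lines.extend(f"  {d} = {realm}" for d in domain_list)
    lines += ["[realms]", f"  {realm} = {{"]
    master = master_kdc.strip()
    if master:
        lines.append(f"    master_kdc = {master}")
    kdc_list = [h.strip() for h in kdc_hosts.split(",") if h.strip()]
    if kdc_list:
        # admin_server falls back to the first KDC host when not set explicitly.
        lines.append(f"    admin_server = {admin_server_host.strip() or kdc_list[0]}")
        # A master KDC missing from kdc_hosts is listed as the first kdc entry.
        if master and master not in kdc_list:
            lines.append(f"    kdc = {master}")
        lines.extend(f"    kdc = {h}" for h in kdc_list)
    lines.append("  }")
    return "\n".join(lines)
```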