The type of KDC being used.
Possible Values: none, mit-kdc, active-directory, ipa
Indicates whether the Ambari-specified user and service Kerberos identities (principals and keytab files) should be managed (created, deleted, updated, etc.) by Ambari (true) or managed manually by the user (false).
Possible Values: true, false
Indicates whether the Ambari Kerberos identity (the principal and keytab file used by Ambari itself and its views) should be managed (created, deleted, updated, etc.) by Ambari (true) or managed manually by the user (false).
Possible Values: true, false
This property depends on the value of manage_identities: if manage_identities is false, create_ambari_principal is assumed to be false as well.
Indicates whether the Hadoop auth-to-local rules should be managed by Ambari (true) or managed manually by the user (false).
Possible Values: true, false
Indicates whether Ambari should install the Kerberos client packages (true) or not (false). If not, the Kerberos utility programs installed by the user (such as kadmin, kinit, klist, and kdestroy) are expected to be compatible with MIT Kerberos 5 version 1.10.3 in their command-line options and behavior.
Possible Values: true, false
The URL of the Active Directory LDAP interface. This value must specify a secure channel using LDAPS, since Active Directory requires one for creating and updating account passwords.
Example: ldaps://ad.example.com:636
If the kdc_type is active-directory, this property is mandatory.
The distinguished name (DN) of the container used to store the Ambari-managed user and service principals within the configured Active Directory.
Example: OU=hadoop,DC=example,DC=com
If the kdc_type is active-directory, this property is mandatory.
The supported (space-delimited) list of session key encryption types that should be returned by the KDC.
Default value: aes des3-cbc-sha1 rc4 des-cbc-md5
The default realm to use when creating service principals.
Example: EXAMPLE.COM
This value is expected to be in all uppercase characters.
A comma-delimited list of IP addresses or FQDNs of the relevant KDC hosts. Optionally, a port number may be included for each entry.
Example: kdc.example.com, kdc1.example.com
Example: kdc.example.com:88, kdc1.example.com:88
The IP address or FQDN for the Kerberos administrative host. Optionally a port number may be included.
Example: kadmin.example.com
Example: kadmin.example.com:88
If the kdc_type is mit-kdc or ipa, the value must be the FQDN of the Kerberos administrative host.
The IP address or FQDN of the master KDC host in a master-slave KDC deployment. Optionally a port number may be included.
Example: kadmin.example.com
Example: kadmin.example.com:88
A comma-delimited list of search paths to use to find Kerberos utilities like kadmin and kinit.
Default value: /usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin
The required length for generated passwords.
Default value: 20
The minimum number of lowercase letters (a-z) required in generated passwords.
Default value: 1
The minimum number of uppercase letters (A-Z) required in generated passwords.
Default value: 1
The minimum number of digits (0-9) required in generated passwords.
Default value: 1
The minimum number of punctuation characters (?.!$%^*()-_+=~) required in generated passwords.
Default value: 1
The minimum number of whitespace characters required in generated passwords.
Default value: 0
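As an added illustration of the password policy the six properties above describe (example code, not Ambari's own implementation): a generator that meets the minimum-count rules by construction, drawing from a CSPRNG, and a checker that reports every violation so a policy can be verified independently of whatever produced the password. The mapping of properties to dictionary keys, the function names and the use of a single space as the whitespace class are assumptions made here; the numeric values are the page's defaults.

```python
import secrets
import string

# Character classes matching the kerberos-env password policy described above.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
PUNCT = "?.!$%^*()-_+=~"      # the punctuation set listed on the page
WHITESPACE = " "              # assumption: a single space is the only whitespace character

# Hypothetical policy dict (constructed here, not Ambari's own data structure);
# the numbers are the page's default values.
DEFAULT_POLICY = {
    "length": 20,
    "min_lowercase": 1,
    "min_uppercase": 1,
    "min_digits": 1,
    "min_punctuation": 1,
    "min_whitespace": 0,
}

CLASS_MAP = {
    "min_lowercase": LOWER,
    "min_uppercase": UPPER,
    "min_digits": DIGITS,
    "min_punctuation": PUNCT,
    "min_whitespace": WHITESPACE,
}


def policy_violations(password, policy=DEFAULT_POLICY):
    """Return a list of reasons why `password` fails `policy` (empty list means it
    complies). Characters outside the allowed classes are reported too, since the
    KDC or AD side may reject them."""
    problems = []
    if len(password) != policy["length"]:
        problems.append(f"length {len(password)} != {policy['length']}")
    for key, chars in CLASS_MAP.items():
        count = sum(1 for c in password if c in chars)
        if count < policy[key]:
            problems.append(f"{key}: {count} < {policy[key]}")
    allowed = set("".join(CLASS_MAP.values()))
    bad = sorted({c for c in password if c not in allowed})
    if bad:
        problems.append("disallowed characters: " + repr("".join(bad)))
    return problems


def generate_password(policy=DEFAULT_POLICY, rng=secrets.SystemRandom()):
    """Generate a password satisfying `policy` using a CSPRNG.

    Each class contributes its minimum count first, so the policy holds by
    construction; the remaining positions are drawn from the classes whose
    minimum is non-zero (so whitespace never appears while its minimum is 0),
    and the result is shuffled so the class order reveals nothing."""
    required = sum(policy[k] for k in CLASS_MAP)
    if required > policy["length"]:
        raise ValueError("minimum counts exceed the configured length")
    chars = []
    for key, cls in CLASS_MAP.items():
        chars.extend(rng.choice(cls) for _ in range(policy[key]))
    pool = "".join(cls for key, cls in CLASS_MAP.items() if policy[key] > 0)
    chars.extend(rng.choice(pool) for _ in range(policy["length"] - required))
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, policy_violations(pw))
```

Because the checker is independent of the generator, the same `policy_violations` function can be pointed at passwords produced elsewhere (for example, ones supplied manually when manage_identities is false) to confirm they meet the configured policy.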
The principal name to use when executing the Kerberos service check.
Example: ${cluster_name}-${short_date}
Force principal names to resolve to lowercase local usernames in auth-to-local rules.
Possible values: true, false
Default value: false
A Velocity template used to generate a JSON-formatted document containing the set of attribute names and values needed to create a new Kerberos identity in the relevant Active Directory.
Variables include:
principal_name - the components (primary and instance) portion of the principal
principal_primary - the primary component of the principal name
principal_instance - the instance component of the principal name
realm - the realm portion of the principal
realm_lowercase - the lowercase form of the realm of the principal
normalized_principal - the full principal value, including the component and realm parts
principal_digest - a hex-encoded SHA1 digest of the normalized principal
principal_digest_256 - a hex-encoded SHA256 digest of the normalized principal
principal_digest_512 - a hex-encoded SHA512 digest of the normalized principal
password - the generated password
is_service - true if the principal is a service principal, false if the principal is a user principal
container_dn - the kerberos-env/container_dn property value
Note: A principal is made up of the following parts: primary component, instance component (optional), and realm:
primary_component@realm
primary_component/instance_component@realm
Default value:
{
"objectClass": ["top", "person", "organizationalPerson", "user"],
"cn": "$principal_name",
#if( $is_service )
"servicePrincipalName": "$principal_name",
#end
"userPrincipalName": "$normalized_principal",
"unicodePwd": "$password",
"accountExpires": "0",
"userAccountControl": "66048"
}
This property is mandatory and is only used if the kdc_type is active-directory.
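To show concretely how the template variables above are derived from a principal and how the default template turns them into an account document, here is an added Python example (not Ambari's Velocity rendering code). The function names, the principal regex and the rule that a principal carrying an instance component is treated as a service principal are assumptions of this example; the attribute set mirrors the default template shown above, and the sample principal, password and container DN are constructed from the page's example values.

```python
import hashlib
import json
import re

# primary[/instance]@REALM, as described in the note above
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")


def template_variables(principal, password, container_dn, is_service=None):
    """Build the variable set the AD create-attributes template is rendered with.

    Assumption of this example: when `is_service` is not given, a principal with
    an instance component (e.g. nn/host@REALM) is a service principal and one
    without (e.g. ambari-qa@REALM) is a user principal."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a principal of the form primary[/instance]@REALM: {principal!r}")
    primary, instance, realm = m.group("primary"), m.group("instance"), m.group("realm")
    principal_name = primary if instance is None else f"{primary}/{instance}"
    normalized = f"{principal_name}@{realm}"

    def digest(algo):
        # hex-encoded digest of the normalized principal, as the variable list describes
        return hashlib.new(algo, normalized.encode("utf-8")).hexdigest()

    return {
        "principal_name": principal_name,
        "principal_primary": primary,
        "principal_instance": instance,
        "realm": realm,
        "realm_lowercase": realm.lower(),
        "normalized_principal": normalized,
        "principal_digest": digest("sha1"),
        "principal_digest_256": digest("sha256"),
        "principal_digest_512": digest("sha512"),
        "password": password,
        "is_service": (instance is not None) if is_service is None else is_service,
        "container_dn": container_dn,
    }


def render_default_template(v):
    """Produce the document the page's default Velocity template yields, written
    directly in Python (an ordinary dict, not a Velocity render)."""
    doc = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": v["principal_name"],
    }
    if v["is_service"]:                  # the #if( $is_service ) block
        doc["servicePrincipalName"] = v["principal_name"]
    doc.update({
        "userPrincipalName": v["normalized_principal"],
        "unicodePwd": v["password"],
        "accountExpires": "0",
        "userAccountControl": "66048",   # NORMAL_ACCOUNT (512) | DONT_EXPIRE_PASSWORD (65536)
    })
    return doc


if __name__ == "__main__":
    # constructed sample input based on the page's example realm and container DN
    variables = template_variables("nn/host1.example.com@EXAMPLE.COM",
                                   "<generated-password>",
                                   "OU=hadoop,DC=example,DC=com")
    print(json.dumps(render_default_template(variables), indent=2))
```

The userAccountControl value 66048 sets NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD, which is why the default template produces service accounts whose passwords do not rotate on the domain's expiry schedule; a customized template can change this, but the keytabs Ambari distributes must then be regenerated whenever the password changes.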
The set of attributes to use when creating a new Kerberos identity in the relevant (MIT) KDC.
Example: -requires_preauth max_renew_life=7d
This property is optional and is only used if the kdc_type is mit-kdc.
The group in IPA that user principals should be a member of.
This property is optional and is only used if the kdc_type is ipa.
Indicates whether the krb5.conf file should be managed (created, updated, etc.) by Ambari (true) or managed manually by the user (false).
Possible values: true, false
Default value: false
A comma-separated list of domain names used to map server host names to the realm name.
Example: host.example.com, example.com, .example.com
This property is optional.
The krb5.conf configuration directory.
Default value: /etc
Customizable krb5.conf template (Jinja template engine)
Default value:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = {{realm}}
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = {{encryption_types}}
#default_tkt_enctypes = {{encryption_types}}
{% if domains %}
[domain_realm]
{%- for domain in domains.split(',') %}
{{domain|trim()}} = {{realm}}
{%- endfor %}
{% endif %}
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
{{realm}} = {
{%- if master_kdc %}
master_kdc = {{master_kdc|trim()}}
{%- endif -%}
{%- if kdc_hosts > 0 -%}
{%- set kdc_host_list = kdc_hosts.split(',') -%}
{%- if kdc_host_list and kdc_host_list|length > 0 %}
admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}
{%- if kdc_host_list -%}
{%- if master_kdc and (master_kdc not in kdc_host_list) %}
kdc = {{master_kdc|trim()}}
{%- endif -%}
{% for kdc_host in kdc_host_list %}
kdc = {{kdc_host|trim()}}
{%- endfor -%}
{% endif %}
{%- endif %}
{%- endif %}
}
{# Append additional realm declarations below #}
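As an added example (not Ambari's code), the following Python reproduces the decisions the default template above makes, without the Jinja engine: the comma-delimited kdc_hosts and domains values are split and trimmed, admin_server falls back to the first KDC host when admin_server_host is empty, and a master_kdc that does not appear among the kdc_hosts entries is also emitted as a kdc entry ahead of the others. The function names are this example's own, and the comparison of master_kdc against the trimmed host list is an assumption (the template compares against the untrimmed entries); the sample hosts and domains are the page's example values. A small extractor is included so a rendered file can be checked against the kerberos-env values it was generated from.

```python
def _split_list(value):
    """Split a comma-delimited kerberos-env value (kdc_hosts, domains), trimming
    whitespace around each entry as the template's split(',') + trim() does."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def render_krb5_conf(realm, kdc_hosts, admin_server_host="", master_kdc="",
                     domains="", encryption_types=""):
    """Return krb5.conf text following the logic of the page's default template.
    Host entries may carry a :port suffix; they are passed through untouched."""
    kdc_list = _split_list(kdc_hosts)
    master = master_kdc.strip()
    domain_list = _split_list(domains)
    lines = [
        "[libdefaults]",
        "  renew_lifetime = 7d",
        "  forwardable = true",
        f"  default_realm = {realm}",
        "  ticket_lifetime = 24h",
        "  dns_lookup_realm = false",
        "  dns_lookup_kdc = false",
        "  default_ccache_name = /tmp/krb5cc_%{uid}",
        f"  #default_tgs_enctypes = {encryption_types}",
        f"  #default_tkt_enctypes = {encryption_types}",
        "",
    ]
    if domain_list:                         # {% if domains %} ... [domain_realm]
        lines.append("[domain_realm]")
        lines.extend(f"  {d} = {realm}" for d in domain_list)
        lines.append("")
    lines += [
        "[logging]",
        "  default = FILE:/var/log/krb5kdc.log",
        "  admin_server = FILE:/var/log/kadmind.log",
        "  kdc = FILE:/var/log/krb5kdc.log",
        "",
        "[realms]",
        f"  {realm} = {{",
    ]
    if master:
        lines.append(f"    master_kdc = {master}")
    if kdc_list:
        # admin_server defaults to the first KDC host when admin_server_host is empty
        lines.append(f"    admin_server = {admin_server_host.strip() or kdc_list[0]}")
        # a master KDC not already listed in kdc_hosts is emitted as a kdc entry first
        if master and master not in kdc_list:
            lines.append(f"    kdc = {master}")
        lines.extend(f"    kdc = {h}" for h in kdc_list)
    lines.append("  }")
    return "\n".join(lines) + "\n"


def realm_entries(conf_text, key):
    """Collect every value of `key` (e.g. 'kdc', 'admin_server') inside the [realms]
    section; a post-render check that all configured KDC hosts reached the file."""
    in_realms = False
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_realms = line == "[realms]"
            continue
        if in_realms and line.startswith(key + " ="):
            found.append(line.split("=", 1)[1].strip())
    return found


if __name__ == "__main__":
    # constructed input using the page's example hosts, ports and domains
    print(render_krb5_conf("EXAMPLE.COM",
                           "kdc.example.com:88, kdc1.example.com:88",
                           master_kdc="kadmin.example.com:88",
                           domains="host.example.com, example.com, .example.com",
                           encryption_types="aes des3-cbc-sha1 rc4 des-cbc-md5"))
```

Note that the rendered file keeps dns_lookup_kdc and dns_lookup_realm false, so clients only contact the KDCs listed here; any KDC missing from kdc_hosts (or present only under master_kdc) is therefore invisible to them, which is exactly what `realm_entries` lets you confirm after a render.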