...
{
  // One or more services may be listed in a service-level Kerberos
  // Descriptor file
  "services": [
    {
      "name": "SERVICE_1",
      // Service-level identities to be created if this service is installed.
      // Any relevant keytab files will be distributed to hosts with at least
      // one of the components on it.
      "identities": [
        // Service-specific identity declaration, declaring all properties
        // needed to initiate the creation of the principal and keytab files,
        // as well as setting the service-specific configurations. This may
        // be referenced by contained components using ../service1_identity.
        {
          "name": "service1_identity",
          "principal": {
            "value": "service1/_HOST@${realm}",
            "type": "service",
            "configuration": "service1-site/service1.principal"
          },
          "keytab": {
            "file": "${keytab_dir}/service1.service.keytab",
            "owner": {
              "name": "${service1-env/service_user}",
              "access": "r"
            },
            "group": {
              "name": "${cluster-env/user_group}",
              "access": "r"
            },
            "configuration": "service1-site/service1.keytab.file"
          }
        },
        // Service-level identity referencing the stack-level spnego
        // identity and overriding the principal and keytab configuration
        // specifications.
        {
          "name": "/spnego",
          "principal": {
            "configuration": "service1-site/service1.web.principal"
          },
          "keytab": {
            "configuration": "service1-site/service1.web.keytab.file"
          }
        },
        // Service-level identity referencing the stack-level smokeuser
        // identity. No properties are being overridden.
        {
          "name": "/smokeuser"
        }
      ],
      // Properties related to this service that require the auth-to-local
      // rules to be dynamically generated based on identities created for
      // the cluster.
      "auth_to_local_properties": [
        "service1-site/security.auth_to_local"
      ],
      // Configuration properties to be set when this service is installed,
      // no matter which components are installed
      "configurations": [
        {
          "service-site": {
            "service1.security.authentication": "kerberos",
            "service1.security.auth_to_local": ""
          }
        }
      ],
      // A list of components related to this service
      "components": [
        {
          "name": "COMPONENT_1",
          // Component-specific identities to be created when this component
          // is installed. Any keytab files specified will be distributed
          // only to the hosts where this component is installed.
          "identities": [
            // An identity "local" to this component
            {
              "name": "component1_service_identity",
              "principal": {
                "value": "component1/_HOST@${realm}",
                "type": "service",
                "configuration": "service1-site/comp1.principal",
                "local_username": "${service1-env/service_user}"
              },
              "keytab": {
                "file": "${keytab_dir}/s1c1.service.keytab",
                "owner": {
                  "name": "${service1-env/service_user}",
                  "access": "r"
                },
                "group": {
                  "name": "${cluster-env/user_group}",
                  "access": ""
                },
                "configuration": "service1-site/comp1.keytab.file"
              }
            },
            // The stack-level spnego identity overridden to set component-specific
            // configurations
            {
              "name": "/spnego",
              "principal": {
                "configuration": "service1-site/comp1.spnego.principal"
              },
              "keytab": {
                "configuration": "service1-site/comp1.spnego.keytab.file"
              }
            }
          ],
          // Component-specific configurations to set if this component is installed
          "configurations": [
            {
              "service-site": {
                "comp1.security.type": "kerberos"
              }
            }
          ]
        },
        {
          "name": "COMPONENT_2",
          "identities": [
            {
              "name": "component2_service_identity",
              "principal": {
                "value": "component2/_HOST@${realm}",
                "type": "service",
                "configuration": "service1-site/comp2.principal",
                "local_username": "${service1-env/service_user}"
              },
              "keytab": {
                "file": "${keytab_dir}/s1c2.service.keytab",
                "owner": {
                  "name": "${service1-env/service_user}",
                  "access": "r"
                },
                "group": {
                  "name": "${cluster-env/user_group}",
                  "access": ""
                },
                "configuration": "service1-site/comp2.keytab.file"
              }
            },
            // The service-level service1_identity identity overridden to
            // set component-specific configurations
            {
              "name": "../service1_identity",
              "principal": {
                "configuration": "service1-site/comp2.service.principal"
              },
              "keytab": {
                "configuration": "service1-site/comp2.service.keytab.file"
              }
            }
          ],
          "configurations": [
            {
              "service-site": {
                "comp2.security.type": "kerberos"
              }
            }
          ]
        }
      ]
    }
  ]
}
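What the descriptor above actually produces on a given host is easiest to see by resolving it. The Python script below is an added example, not code from the Ambari project: it expands the "/name" (stack-level) and "../name" (service-level) reference forms used above, substitutes _HOST and the ${...} placeholders, and reports every principal and keytab a host would receive together with the file mode implied by the owner/group access strings. The stack-level spnego definition, the configuration values, the access-string-to-mode mapping and the _HOST substitution rule are assumptions made for the example, and the trimmed descriptor it parses is constructed in the shape of the one above.

```python
import json
import re

# Constructed input, not Ambari's shipped descriptor: a one-entry stack-level
# default (the "spnego" identity that "/spnego" refers to) plus SERVICE_1 and
# COMPONENT_2 in the shape shown above.
DESCRIPTOR = json.loads(r'''{
  "identities": [
    {"name": "spnego",
     "principal": {"value": "HTTP/_HOST@${realm}", "type": "service"},
     "keytab": {"file": "${keytab_dir}/spnego.service.keytab",
                "owner": {"name": "root", "access": "r"},
                "group": {"name": "${cluster-env/user_group}", "access": "r"}}}
  ],
  "services": [{
    "name": "SERVICE_1",
    "identities": [
      {"name": "service1_identity",
       "principal": {"value": "service1/_HOST@${realm}", "type": "service",
                     "configuration": "service1-site/service1.principal"},
       "keytab": {"file": "${keytab_dir}/service1.service.keytab",
                  "owner": {"name": "${service1-env/service_user}", "access": "r"},
                  "group": {"name": "${cluster-env/user_group}", "access": "r"},
                  "configuration": "service1-site/service1.keytab.file"}},
      {"name": "/spnego",
       "principal": {"configuration": "service1-site/service1.web.principal"},
       "keytab": {"configuration": "service1-site/service1.web.keytab.file"}}
    ],
    "components": [{
      "name": "COMPONENT_2",
      "identities": [
        {"name": "component2_service_identity",
         "principal": {"value": "component2/_HOST@${realm}", "type": "service",
                       "configuration": "service1-site/comp2.principal"},
         "keytab": {"file": "${keytab_dir}/s1c2.service.keytab",
                    "owner": {"name": "${service1-env/service_user}", "access": "r"},
                    "group": {"name": "${cluster-env/user_group}", "access": ""},
                    "configuration": "service1-site/comp2.keytab.file"}},
        {"name": "../service1_identity",
         "principal": {"configuration": "service1-site/comp2.service.principal"},
         "keytab": {"configuration": "service1-site/comp2.service.keytab.file"}}
      ]
    }]
  }]
}''')

# Constructed values for the ${property} / ${config-type/property} placeholders.
CONFIG = {"realm": "EXAMPLE.COM", "keytab_dir": "/etc/security/keytabs",
          "cluster-env/user_group": "hadoop", "service1-env/service_user": "service1"}


def merge(base, override):
    """Deep-merge override into a copy of base; override's leaves win."""
    out = json.loads(json.dumps(base))
    for key, val in override.items():
        nested = isinstance(val, dict) and isinstance(out.get(key), dict)
        out[key] = merge(out[key], val) if nested else val
    return out


def resolve(identity, stack_ids, service_ids):
    """Expand a "/name" (stack) or "../name" (service) reference; the referenced
    identity supplies every property the referencing entry does not override."""
    name = identity["name"]
    if name.startswith("../"):
        base = service_ids[name[3:]]
    elif name.startswith("/"):
        base = stack_ids[name[1:]]
    else:
        return identity
    return merge(base, dict(identity, name=base["name"]))


def keytab_mode(keytab):
    """Mode implied by owner/group access ("" = none). Assumed mapping: r=4, rw=6."""
    bits = {"": 0, "r": 4, "rw": 6}
    return bits[keytab["owner"]["access"]] << 6 | bits[keytab["group"]["access"]] << 3


def render(text, host):
    """Substitute _HOST with the host FQDN and ${...} from CONFIG (assumed semantics)."""
    text = text.replace("_HOST", host)
    return re.sub(r"\$\{([^}]+)\}", lambda m: CONFIG[m.group(1)], text)


def materialize(descriptor, host):
    """Every principal/keytab created on a host running all of the descriptor's components."""
    stack_ids = {i["name"]: i for i in descriptor.get("identities", [])}
    rows = []
    for service in descriptor["services"]:
        service_ids = {}
        for ident in service.get("identities", []):
            full = resolve(ident, stack_ids, {})
            service_ids[full["name"]] = full
        scopes = [(service["name"], list(service_ids.values()))]
        for comp in service.get("components", []):
            scopes.append((comp["name"], [resolve(i, stack_ids, service_ids)
                                          for i in comp.get("identities", [])]))
        for scope, ids in scopes:
            for ident in ids:
                kt = ident["keytab"]
                rows.append({"scope": scope, "mode": keytab_mode(kt),
                             "principal": render(ident["principal"]["value"], host),
                             "principal_config": ident["principal"].get("configuration"),
                             "keytab": render(kt["file"], host),
                             "owner": render(kt["owner"]["name"] + ":" + kt["group"]["name"], host)})
    return rows


if __name__ == "__main__":
    for r in materialize(DESCRIPTOR, "node1.example.com"):
        print(f'{r["scope"]:<12} {r["principal"]:<42} {r["keytab"]} {r["owner"]} {r["mode"]:04o}')
```

Run as a script it prints one line per identity. The COMPONENT_2 keytab with group access "" comes out as 0400 while the inherited spnego keytab comes out as 0440, which is the kind of check worth making before enabling Kerberos: a keytab readable by the shared user_group is readable by every service account in that group.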
Enabling Kerberos
Enabling Kerberos on the cluster may be done using the Enable Kerberos Wizard within the Ambari UI or using the REST API.
The Enable Kerberos Wizard (Ambari UI)
The Enable Kerberos Wizard provides an easy-to-use wizard interface that walks through the process of enabling Kerberos.
The REST API
It is possible to enable Kerberos using Ambari's REST API using the following API calls:
Notes:
- Change the authentication credentials as needed
  - curl ... -u username:password ...
  - The examples below use
    - username: admin
    - password: admin
  - Passing the password on the command line leaves it in shell history and in the process list; outside a throwaway test cluster use -u username (curl prompts for the password) or a .netrc file with -n
- Change the Ambari server host name and port as needed
  - curl ... http://HOST:PORT/api/v1/...
  - The examples below use
    - HOST: AMBARI_SERVER
    - PORT: 8080
  - The examples use plain HTTP, so the basic-auth credentials travel in the clear; use https and the SSL port if the Ambari server has SSL enabled
- Change the cluster name as needed
  - curl ... http://.../CLUSTER/...
  - The examples below use
    - CLUSTER: CLUSTER_NAME
- @./payload indicates that the payload data is stored in a file rather than declared inline
  - curl ... -d @./payload ...
  - The examples below use ./payload, which should be replaced with the actual file path
  - The contents of the payload file are indicated below the curl statement
  - The Enable Kerberos payload carries the KDC administrator password; restrict the file's permissions (chmod 600) and remove it once the call has been made
Add the KERBEROS Service to cluster
curl -H "X-Requested-By:ambari" -u admin:admin -i -X POST http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/services/KERBEROS
Add the KERBEROS_CLIENT component to the KERBEROS service
curl -H "X-Requested-By:ambari" -u admin:admin -i -X POST http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/services/KERBEROS/components/KERBEROS_CLIENT
Create and set KERBEROS service configurations
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d @./payload http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME
Payload when using an MIT KDC
[
  {
    "Clusters": {
      "desired_config": {
        "type": "krb5-conf",
        "tag": "version1",
        "properties": {
          "domains": "",
          "manage_krb5_conf": "true",
          "conf_dir": "/etc",
          "content": "[libdefaults]\n renew_lifetime = 7d\n forwardable= true\n default_realm = {{realm|upper()}}\n ticket_lifetime = 24h\n dns_lookup_realm = false\n dns_lookup_kdc = false\n #default_tgs_enctypes = {{encryption_types}}\n #default_tkt_enctypes ={{encryption_types}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{%endif %}\n\n[logging]\n default = FILE:/var/log/krb5kdc.log\nadmin_server = FILE:/var/log/kadmind.log\n kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n"
        }
      }
    }
  },
  {
    "Clusters": {
      "desired_config": {
        "type": "kerberos-env",
        "tag": "version1",
        "properties": {
          "kdc_type": "mit-kdc",
          "manage_identities": "true",
          "install_packages": "true",
          "encryption_types": "aes des3-cbc-sha1 rc4 des-cbc-md5",
          "realm": "EXAMPLE.COM",
          "kdc_host": "KDC_SERVER",
          "admin_server_host": "KDC_SERVER",
          "executable_search_paths": "/usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin",
          "password_length": "20",
          "password_min_lowercase_letters": "1",
          "password_min_uppercase_letters": "1",
          "password_min_digits": "1",
          "password_min_punctuation": "1",
          "password_min_whitespace": "0",
          "service_check_principal_name": "${cluster_name}-${short_date}",
          "case_insensitive_username_rules": "false"
        }
      }
    }
  }
]
Payload when using Active Directory
[
  {
    "Clusters": {
      "desired_config": {
        "type": "krb5-conf",
        "tag": "version1",
        "properties": {
          "domains": "",
          "manage_krb5_conf": "true",
          "conf_dir": "/etc",
          "content": "[libdefaults]\n renew_lifetime = 7d\n forwardable= true\n default_realm = {{realm|upper()}}\n ticket_lifetime = 24h\n dns_lookup_realm = false\n dns_lookup_kdc = false\n #default_tgs_enctypes = {{encryption_types}}\n #default_tkt_enctypes ={{encryption_types}}\n\n{% if domains %}\n[domain_realm]\n{% for domain in domains.split(',') %}\n {{domain}} = {{realm|upper()}}\n{% endfor %}\n{%endif %}\n\n[logging]\n default = FILE:/var/log/krb5kdc.log\nadmin_server = FILE:/var/log/kadmind.log\n kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n {{realm}} = {\n admin_server = {{admin_server_host|default(kdc_host, True)}}\n kdc = {{kdc_host}}\n }\n\n{# Append additional realm declarations below #}\n"
        }
      }
    }
  },
  {
    "Clusters": {
      "desired_config": {
        "type": "kerberos-env",
        "tag": "version1",
        "properties": {
          "kdc_type": "active-directory",
          "manage_identities": "true",
          "install_packages": "true",
          "encryption_types": "aes des3-cbc-sha1 rc4 des-cbc-md5",
          "realm": "EXAMPLE.COM",
          "kdc_host": "AD_HOST",
          "admin_server_host": "AD_HOST",
          "ldap_url": "LDAPS://AD_HOST:PORT",
          "container_dn": "OU=....,....",
          "executable_search_paths": "/usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin",
          "password_length": "20",
          "password_min_lowercase_letters": "1",
          "password_min_uppercase_letters": "1",
          "password_min_digits": "1",
          "password_min_punctuation": "1",
          "password_min_whitespace": "0",
          "service_check_principal_name": "${cluster_name}-${short_date}",
          "case_insensitive_username_rules": "false",
          "create_attributes_template": "{\n \"objectClass\": [\"top\", \"person\", \"organizationalPerson\", \"user\"],\n \"cn\": \"$principal_name\",\n #if( $is_service )\n \"servicePrincipalName\": \"$principal_name\",\n #end\n \"userPrincipalName\": \"$normalized_principal\",\n \"unicodePwd\": \"$password\",\n \"accountExpires\": \"0\",\n \"userAccountControl\": \"66048\"}"
        }
      }
    }
  }
]
Create the KERBEROS_CLIENT host components (once for each host, replace HOST_NAME; the URL is quoted because ? is a shell glob character)
curl -H "X-Requested-By:ambari" -u admin:admin -i -X POST -d '{"host_components" : [{"HostRoles" : {"component_name":"KERBEROS_CLIENT"}}]}' "http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/hosts?Hosts/host_name=HOST_NAME"
Install the KERBEROS service and components
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"ServiceInfo": {"state" : "INSTALLED"}}' http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/services/KERBEROS
Stop all services
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"ServiceInfo": {"state" : "INSTALLED"}}' http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/services
Get the (default) Kerberos Descriptor
curl -H "X-Requested-By:ambari" -u admin:admin -i -X GET http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/artifacts/kerberos_descriptor
Set the Kerberos Descriptor
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d @./payload http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/artifacts/kerberos_descriptor
Payload
The Kerberos Descriptor payload may be a complete Kerberos Descriptor or just the updates to overlay on top of the default Kerberos Descriptor.
Enable Kerberos
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d @./payload http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME
Payload
{
"session_attributes" : { "kerberos_admin" : {
"principal" : "ADMIN_PRINCIPAL",
"password" : "ADMIN_PASSWORD"
}
},
"Clusters": {
"security_type" : "KERBEROS"
}
}
Start all services
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"ServiceInfo": {"state" : "STARTED"}}' http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/services
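The calls above form one ordered procedure, and each state-changing PUT returns an asynchronous request that must finish before the next step is issued. The Python script below is an added example, not part of this page or of Ambari: it builds that sequence as data, executes it with urllib against the same endpoints and headers the curl commands use, polls each request's Requests/request_status until it completes, and warns about deprecated encryption types in kerberos-env before anything is changed. The file names krb5-conf.json and kerberos-env.json, the environment variable names and the cluster/host placeholders are assumptions of the example.

```python
import base64
import json
import os
import re
import time
import urllib.request

# DES is deprecated by RFC 6649, 3DES and RC4 by RFC 8429; flag them before enabling.
DEPRECATED_ENCTYPE = re.compile(r"^(des|rc4|arcfour)", re.IGNORECASE)


def weak_enctypes(encryption_types):
    """Deprecated tokens in a kerberos-env encryption_types value."""
    return [t for t in encryption_types.split() if DEPRECATED_ENCTYPE.match(t)]


def enable_kerberos_plan(cluster, hosts, krb5_conf, kerberos_env, kdc_admin,
                         descriptor=None, tag="version1"):
    """The procedure above as an ordered list of (method, path, body) calls.

    krb5_conf / kerberos_env are the "properties" objects of the payloads above;
    descriptor, if given, is a complete or overlay Kerberos Descriptor.
    """
    c = f"/clusters/{cluster}"
    svc = c + "/services/KERBEROS"

    def cfg(kind, props):
        return {"Clusters": {"desired_config": {"type": kind, "tag": tag, "properties": props}}}

    plan = [("POST", svc, None),
            ("POST", svc + "/components/KERBEROS_CLIENT", None),
            ("PUT", c, [cfg("krb5-conf", krb5_conf), cfg("kerberos-env", kerberos_env)])]
    plan += [("POST", f"{c}/hosts?Hosts/host_name={h}",
              {"host_components": [{"HostRoles": {"component_name": "KERBEROS_CLIENT"}}]})
             for h in hosts]
    plan += [("PUT", svc, {"ServiceInfo": {"state": "INSTALLED"}}),
             ("PUT", c + "/services", {"ServiceInfo": {"state": "INSTALLED"}})]
    if descriptor is not None:
        plan.append(("PUT", c + "/artifacts/kerberos_descriptor", descriptor))
    principal, password = kdc_admin
    plan += [("PUT", c, {"session_attributes": {"kerberos_admin": {"principal": principal,
                                                                  "password": password}},
                         "Clusters": {"security_type": "KERBEROS"}}),
             ("PUT", c + "/services", {"ServiceInfo": {"state": "STARTED"}})]
    return plan


class Ambari:
    def __init__(self, base_url, user, password):
        self.base = base_url.rstrip("/") + "/api/v1"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token,
                        "X-Requested-By": "ambari",   # Ambari refuses writes without it
                        "Content-Type": "application/json"}

    def call(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers=self.headers)
        with urllib.request.urlopen(req, timeout=60) as resp:
            raw = resp.read()
        return json.loads(raw) if raw.strip() else {}

    def wait(self, cluster, response, poll=10):
        """Block until an asynchronous request (state changes return one) finishes."""
        req_id = response.get("Requests", {}).get("id")
        if req_id is None:                       # synchronous call, nothing to wait for
            return
        while True:
            info = self.call("GET", f"/clusters/{cluster}/requests/{req_id}")
            status = info["Requests"]["request_status"]
            if status == "COMPLETED":
                return
            if status in ("FAILED", "ABORTED", "TIMEDOUT"):
                raise RuntimeError(f"request {req_id} ended with {status}")
            time.sleep(poll)


def run(client, cluster, plan):
    """Execute the plan in order, waiting for each step before issuing the next."""
    for method, path, body in plan:
        client.wait(cluster, client.call(method, path, body))


if __name__ == "__main__":
    # Secrets come from the environment, not the command line, so they stay out
    # of shell history and the process list; the payload files hold no passwords.
    with open("krb5-conf.json") as f, open("kerberos-env.json") as g:
        krb5, kenv = json.load(f), json.load(g)
    bad = weak_enctypes(kenv.get("encryption_types", ""))
    if bad:
        print("warning: deprecated enctypes in kerberos-env:", " ".join(bad))
    client = Ambari("http://AMBARI_SERVER:8080", "admin", os.environ["AMBARI_PASSWORD"])
    plan = enable_kerberos_plan("CLUSTER_NAME", ["HOST_NAME"], krb5, kenv,
                                (os.environ["KDC_ADMIN_PRINCIPAL"], os.environ["KDC_ADMIN_PASSWORD"]))
    run(client, "CLUSTER_NAME", plan)
```

The KDC administrator credentials travel only in the body of the security_type PUT, exactly as in the payload above, and the basic-auth password is never placed on the command line. The encryption_types value used in the payloads above (aes des3-cbc-sha1 rc4 des-cbc-md5) trips the warning; where the KDC and every client support AES, trim it to the AES types.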
(more to come)