Comment: Added details on password generation

...

"services": [
  {
    "name": "SERVICE",
    "identities": [
      ...
    ],
    "auth_to_local_properties" : [
      ...
    ],
    "configurations": [
      ...
    ],
    "components": [
      ...
    ]
  },
  …
]

components

A component descriptor may exist in the service-level Kerberos Descriptor file. This block is a list of zero or more component descriptors belonging to the containing service descriptor. Each component descriptor is a block containing a component name, an optional identities block, an optional auth_to_local_properties block, and an optional configurations block.

...

{
  // One or more services may be listed in a service-level Kerberos
  // Descriptor file
  "services": [
    {
      "name": "SERVICE_1",
      // Service-level identities to be created if this service is installed.  
      // Any relevant keytab files will be distributed to hosts with at least
      // one of the components on it.

      "identities": [
        // Service-specific identity declaration, declaring all properties
        // needed to initiate the creation of the principal and keytab files,
        // as well as setting the service-specific configurations.  This may
        // be referenced by contained components using ../service1_identity.
        {
          "name": "service1_identity",
          "principal": {
            "value": "service1/_HOST@${realm}",
            "type" : "service",
            "configuration": "service1-site/service1.principal"
          },
          "keytab": {
            "file": "${keytab_dir}/service1.service.keytab",
            "owner": {
              "name": "${service1-env/service_user}",
              "access": "r"
            },
            "group": {
              "name": "${cluster-env/user_group}",
              "access": "r"
            },
            "configuration": "service1-site/service1.keytab.file"
          }
        },
        // Service-level identity referencing the stack-level spnego
        // identity and overriding the principal and keytab configuration
        // specifications.
        {
          "name": "/spnego",
          "principal": {
            "configuration": "service1-site/service1.web.principal"
          },
          "keytab": {
            "configuration": "service1-site/service1.web.keytab.file"
          }
        },
        // Service-level identity referencing the stack-level smokeuser
        // identity. No properties are being overridden.
        {
          "name": "/smokeuser"
        }
      ],
      // Properties related to this service that require the auth-to-local
      // rules to be dynamically generated based on identities created for
      // the cluster.
      "auth_to_local_properties" : [
        "service1-site/security.auth_to_local"
      ],
      // Configuration properties to be set when this service is installed,
      // no matter which components are installed
      "configurations": [
        {
          "service-site": {
            "service1.security.authentication": "kerberos",
            "service1.security.auth_to_local": ""
          }
        }
      ],
      // A list of components related to this service
      "components": [
        {
          "name": "COMPONENT_1",
          // Component-specific identities to be created when this component
          // is installed.  Any keytab files specified will be distributed
          // only to the hosts where this component is installed.
          "identities": [
            // An identity "local" to this component
            {
              "name": "component1_service_identity",
              "principal": {
                "value": "component1/_HOST@${realm}",
                "type" : "service",
                "configuration": "service1-site/comp1.principal",
                "local_username" : "${service1-env/service_user}"
              },
              "keytab": {
                "file": "${keytab_dir}/s1c1.service.keytab",
                "owner": {
                  "name": "${service1-env/service_user}",
                  "access": "r"
                },
                "group": {
                  "name": "${cluster-env/user_group}",
                  "access": ""
                },
                "configuration": "service1-site/comp1.keytab.file"
              }
            },
            // The stack-level spnego identity overridden to set component-specific
            // configurations
            {
              "name": "/spnego",
              "principal": {
                "configuration": "service1-site/comp1.spnego.principal"
              },
              "keytab": {
                "configuration": "service1-site/comp1.spnego.keytab.file"
              }
            }
          ],
          // Component-specific configurations to set if this component is installed
          "configurations": [
            {
              "service-site": {
                "comp1.security.type": "kerberos"
              }
            }
          ]
        },
        {
          "name": "COMPONENT_2",
          "identities": [
            {
              "name": "component2_service_identity",
              "principal": {
                "value": "component2/_HOST@${realm}",
                "type" : "service",
                "configuration": "service1-site/comp2.principal",
                "local_username" : "${service1-env/service_user}"
              },
              "keytab": {
                "file": "${keytab_dir}/s1c2.service.keytab",
                "owner": {
                  "name": "${service1-env/service_user}",
                  "access": "r"
                },
                "group": {
                  "name": "${cluster-env/user_group}",
                  "access": ""
                },
                "configuration": "service1-site/comp2.keytab.file"
              }
            },
            // The service-level service1_identity identity overridden to
            // set component-specific configurations
            {
              "name": "../service1_identity",
              "principal": {
                "configuration": "service1-site/comp2.service.principal"
              },
              "keytab": {
                "configuration": "service1-site/comp2.service.keytab.file"
              }
            }
          ],
          "configurations" : [
            {
              "service-site" : {
                "comp2.security.type": "kerberos"
              }
            }
          ]
        }
      ]
    }
  ]
}
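The reference rules in the descriptor above (a plain name is local to its block, "/name" points at a stack-level identity, "../name" at an identity of the containing service, and any properties in the referencing block override those of the referenced identity) are easy to get wrong by eye when auditing which keytab files land on which hosts. The following Python script is an added example, not Ambari code: it strips the // comments, resolves the references against a constructed stand-in for the stack-level descriptor (the real one is not on this page), and lists, per component, the keytab file plus its owner and group access so that any keytab with write access can be spotted. The stack-level identity values, the trimmed service descriptor and the deliberately group-writable override in COMPONENT_2 are all constructed for the example; the deep-merge override semantics are an assumption.

```python
import json
import re

# Constructed stand-in for the stack-level Kerberos Descriptor (assumption: it
# defines the "spnego" and "smokeuser" identities that a service-level file
# references as "/spnego" and "/smokeuser"; values are illustrative only).
STACK_DESCRIPTOR = {"identities": [
    {"name": "spnego",
     "principal": {"value": "HTTP/_HOST@${realm}", "type": "service"},
     "keytab": {"file": "${keytab_dir}/spnego.service.keytab",
                "owner": {"name": "root", "access": "r"},
                "group": {"name": "${cluster-env/user_group}", "access": "r"}}},
    {"name": "smokeuser",
     "principal": {"value": "${cluster-env/smokeuser}@${realm}", "type": "user"},
     "keytab": {"file": "${keytab_dir}/smokeuser.headless.keytab",
                "owner": {"name": "${cluster-env/smokeuser}", "access": "r"},
                "group": {"name": "${cluster-env/user_group}", "access": "r"}}}]}

# Constructed service-level descriptor: a trimmed copy of the page's example,
# with // comments as on the page, plus one constructed group-writable override.
SERVICE_DESCRIPTOR_TEXT = r'''{
  "services": [{
    "name": "SERVICE_1",
    // referenced by components as ../service1_identity
    "identities": [
      {"name": "service1_identity",
       "principal": {"value": "service1/_HOST@${realm}", "type": "service",
                     "configuration": "service1-site/service1.principal"},
       "keytab": {"file": "${keytab_dir}/service1.service.keytab",
                  "owner": {"name": "${service1-env/service_user}", "access": "r"},
                  "group": {"name": "${cluster-env/user_group}", "access": "r"},
                  "configuration": "service1-site/service1.keytab.file"}},
      {"name": "/smokeuser"}
    ],
    "components": [
      {"name": "COMPONENT_1",
       "identities": [
         {"name": "/spnego",
          "principal": {"configuration": "service1-site/comp1.spnego.principal"},
          "keytab": {"configuration": "service1-site/comp1.spnego.keytab.file"}}]},
      {"name": "COMPONENT_2",
       "identities": [
         {"name": "../service1_identity",
          "keytab": {"configuration": "service1-site/comp2.service.keytab.file",
                     "group": {"access": "rw"}}}]}
    ]
  }]
}'''


def strip_comments(text):
    """Drop the // comment lines used in the page's example (assumes comments
    sit on their own lines); real JSON has no comments."""
    return re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)


def merge(base, override):
    """Deep-merge override into base: the referencing block wins per property
    (assumed override semantics)."""
    out = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], value)
        else:
            out[key] = value
    return out


def resolve_identity(identity, stack_ids, service_ids):
    """Resolve "/name" (stack-level) and "../name" (service-level) references;
    a plain name is a local identity and is returned unchanged."""
    name = identity["name"]
    if name.startswith("../"):
        base = service_ids[name[3:]]
    elif name.startswith("/"):
        base = stack_ids[name[1:]]
    else:
        return identity
    resolved = merge(base, identity)
    resolved["name"] = base["name"]
    return resolved


def component_keytabs(service_text, stack=STACK_DESCRIPTOR):
    """Map component name -> list of (keytab file, owner access, group access)."""
    stack_ids = {i["name"]: i for i in stack["identities"]}
    descriptor = json.loads(strip_comments(service_text))
    report = {}
    for service in descriptor["services"]:
        service_ids = {}
        for ident in service.get("identities", []):
            resolved = resolve_identity(ident, stack_ids, {})
            service_ids[resolved["name"]] = resolved
        for component in service.get("components", []):
            rows = []
            for ident in component.get("identities", []):
                full = resolve_identity(ident, stack_ids, service_ids)
                kt = full["keytab"]
                rows.append((kt["file"], kt["owner"]["access"], kt["group"]["access"]))
            report[component["name"]] = rows
    return report


def writable_keytabs(report):
    """Flag keytabs whose owner or group access grants write ("w")."""
    return [(comp, path) for comp, rows in report.items()
            for path, owner, group in rows if "w" in owner or "w" in group]


if __name__ == "__main__":
    inventory = component_keytabs(SERVICE_DESCRIPTOR_TEXT)
    for comp, rows in inventory.items():
        print(comp, rows)
    print("writable:", writable_keytabs(inventory))
```

The inventory shows that COMPONENT_2 inherits the service-level keytab file from service1_identity while its own block changes only the group access, which is exactly the kind of override that is hard to see in the raw descriptor.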

The Kerberos Service

Configurations

kerberos-env

(more to come)

krb5-conf

(more to come)

Enabling Kerberos

Kerberos can be enabled on the cluster either with the Enable Kerberos Wizard in the Ambari UI or through the REST API.

...

curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"ServiceInfo": {"state" : "STARTED"}}' http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/services

 

Technical Information

Password Generation

When Ambari generates keytab files, it uses an internal mechanism rather than relying on the KDC or Active Directory to do it. This is mainly because Ambari cannot request a keytab file from an Active Directory. Because of this, Ambari needs to know the password for each Kerberos identity that needs a keytab file created, and thus it sets or updates the identity's password as needed.

The password for each Ambari-managed account in a KDC or Active Directory is randomly generated and stored only long enough to set the account's password and generate the keytab file. 

Ambari 2.0.x

Generated passwords in Ambari 2.0.x meet the following specifications

Ambari 2.1.x (and above)

Passwords in Ambari 2.1.x (and above) are generated using the following user-settable parameters:

  • Password length (kerberos-env/password_length), default 20
  • Minimum number of lower-cased letters (kerberos-env/password_min_lowercase_letters), default 1
    • Set: abcdefghijklmnopqrstuvwxyz
  • Minimum number of upper-cased letters (kerberos-env/password_min_uppercase_letters), default 1
    • Set: ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • Minimum number of digits (kerberos-env/password_min_digits), default 1 
    • Set: 1234567890
  • Minimum number of punctuation characters (kerberos-env/password_min_punctuation), default 1
    • Set: ?.!$%^*()-_+=~ 
  • Minimum number of whitespace characters (kerberos-env/password_min_whitespace), default 0
    • Set: (space character)

The following algorithm is executed:

  • Create an array to store password characters
  • For each character class (upper-case letter, lower-case letter, digit, ...), randomly select from the relevant set the minimum number of characters and store them in the array
  • For the number of characters calculated as the difference between the expected password length and the number of characters already collected, randomly select a character from a randomly-selected character class and store into the array
  • For the number of characters expected in the password, randomly pull one from the array and append to the password result
  • Return the generated password

To generate a random integer used to identify an index within a character set, a static instance of the java.security.SecureRandom class (see http://docs.oracle.com/javase/7/docs/api/java/security/SecureRandom.html) is used.
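The following Python script is an added example, not Ambari's Java implementation: it carries out the five steps above with the character sets and kerberos-env defaults listed, drawing every index from a CSPRNG (secrets.SystemRandom stands in for the static java.security.SecureRandom instance), and adds a meets_policy check a practitioner can run against a generated or externally supplied password. The function and parameter names are this example's own; one detail the page leaves open is also an assumption here: in the fill step only classes with a minimum above zero are eligible, so the default of zero whitespace characters means no spaces are ever inserted.

```python
import secrets
import string

# Character classes as listed for the kerberos-env password_min_* parameters
LOWER = string.ascii_lowercase          # abcdefghijklmnopqrstuvwxyz
UPPER = string.ascii_uppercase          # ABCDEFGHIJKLMNOPQRSTUVWXYZ
DIGITS = "1234567890"
PUNCTUATION = "?.!$%^*()-_+=~"
WHITESPACE = " "

# CSPRNG standing in for the static java.security.SecureRandom Ambari uses
_rng = secrets.SystemRandom()


def _classes(min_lower, min_upper, min_digits, min_punctuation, min_whitespace):
    """Pair each character set with its required minimum count."""
    return [(LOWER, min_lower), (UPPER, min_upper), (DIGITS, min_digits),
            (PUNCTUATION, min_punctuation), (WHITESPACE, min_whitespace)]


def generate_password(length=20, min_lower=1, min_upper=1, min_digits=1,
                      min_punctuation=1, min_whitespace=0):
    """Run the five-step algorithm described above and return the password."""
    classes = _classes(min_lower, min_upper, min_digits, min_punctuation, min_whitespace)
    if sum(minimum for _, minimum in classes) > length:
        raise ValueError("class minimums exceed the password length")
    # Step 1: the array that collects password characters
    pool = []
    # Step 2: satisfy each class minimum with characters chosen from that set
    for charset, minimum in classes:
        pool.extend(_rng.choice(charset) for _ in range(minimum))
    # Step 3: fill the remainder from randomly chosen classes. Assumption of this
    # example: only classes with a minimum > 0 take part, so min_whitespace=0
    # means no spaces appear in the result.
    active = [charset for charset, minimum in classes if minimum > 0]
    if len(pool) < length and not active:
        raise ValueError("no character class is enabled")
    while len(pool) < length:
        pool.append(_rng.choice(_rng.choice(active)))
    # Step 4: pull characters out of the array in random order, which shuffles
    # the mandatory characters among the filler ones
    out = []
    while pool:
        out.append(pool.pop(_rng.randrange(len(pool))))
    # Step 5: return the generated password
    return "".join(out)


def meets_policy(password, length=20, min_lower=1, min_upper=1, min_digits=1,
                 min_punctuation=1, min_whitespace=0):
    """Check a password against the same parameters, e.g. when verifying that
    a KDC or Active Directory password policy accepts what kerberos-env produces."""
    if len(password) != length:
        return False
    classes = _classes(min_lower, min_upper, min_digits, min_punctuation, min_whitespace)
    return all(sum(ch in charset for ch in password) >= minimum
               for charset, minimum in classes)


if __name__ == "__main__":
    pw = generate_password()
    print(repr(pw), meets_policy(pw))
```

Because the generated value only ever lives long enough to set the account password and write the keytab, the check matters most when the KDC or Active Directory enforces its own complexity rules: a policy that rejects one of the punctuation characters above would make the password update, and therefore keytab creation, fail.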


(more to come)