THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
This document is a work in progress.
Introduction
Before Ambari 2.0.0, configuring an Ambari cluster to use Kerberos was a tedious task involving setting up the Kerberos client infrastructure on each host, creating the required identities, generating and distributing the needed keytabs files, and updating the necessary configuration properties. On a small cluster this may not seem to be too large of an effort; however as the size of the cluster increases, so does the amount of work that is involved.
This is where Ambari’s Automated Kerberization facility can help. It performs all of these steps and also helps to maintain the cluster as new services and hosts are added.
The Automated Kerberization can be invoked using Ambari’s REST API as well as the Enable Kerberos Wizard in the Ambari UI.
How it works
Stacks and services that can utilize Kerberos credentials for authentication must have a Kerberos Descriptor declaring required Kerberos identities and how to update configurations. The Ambari infrastructure uses this data, and any updates applied by an administrator, to perform Kerberos related operations such as initially enabling Kerberos, enabling Kerberos for on hosts and added components, regenerating credentials, and disabling Kerberos.
It should be notated that it Ambari is required to be installed on a registered host. Also, the Kerberos service is required to be installed on all hosts of the cluster before any automated tasks can be performed. If using the Ambari UI, this should happen as part of the relevant wizard workflow.
Enabling Kerberos
When enabling Kerberos, all of the services in the cluster are expected to be stopped. The main reason for this is to avoid state issues as the services are stopped and then started when the cluster is transitioning to be Kerberized. The following steps are taken to enable Kerberos on the cluster en masse:
- Create or update accounts in the configured KDC (or Active Directory)
- Generate keytab files and distribute them to the appropriate hosts
- Update relevant configurations
Adding Components
If Automated Kerberization was enabled for the Ambari cluster, whenever new components are added, the will automatically be configured for Kerberos and any necessary principals and keytabs will be generated and distributed. For each new component, the following steps will occur before the component is installed and started:
- Update relevant configurations
- Create or update accounts in the configured KDC (or Active Directory)
- Generate keytab files and distribute them to the appropriate hosts
Adding Hosts
When adding a new host, the Kerberos client must be installed on it. This does not happen automatically, however the Add Host Wizard in the Ambari UI will will perform this step if Automated Kerberization was enabled for the Ambari cluster. Once host is added, generally one or more components are installed on it - see Adding Components.
Regenerating Keytabs
Once a cluster has Automated Kerberization enabled, it may be necessary to regenerate keytabs. There are two options related to regenerating keytabs: all or missing.
In any case, the affected services should be restarted after the following regeneration process is complete:
- Create missing or update existing accounts in the configured KDC (or Active Directory)
- Generate keytab files and distribute them to the appropriate hosts
Disabling Kerberos
In the event Kerberos needs to be removed from the Ambari cluster, the Ambari will remove the managed Kerberos identities, keytab files, and configuration. The Ambari UI will perform the steps of stopping and starting the services as well as removing the Kerberos service, however this will need to be done manually, otherwize.