Manage Kerberos

Manage Kerberos action

The Manage Kerberos action encapsulates enabling, reconfiguring, and disabling of Kerberos. To run it, you need an installed ADH cluster (see Get started with Arenadata Hadoop) and one or more KDCs (Key Distribution Center). Before you proceed to managing Kerberos, it is recommended to read the Kerberos overview article about kerberization requirements.

Among other things, Manage Kerberos is designed to allow the following scenarios:

  • Enabling Kerberos without administrator credentials using the existing client, principals and/or keytabs.

  • Quickly changing the cluster state from kerberized to non-kerberized in case kerberization fails in the beginning (e.g. bad kadmin credentials) without having to reconfigure services, remove keytabs and principals.

  • Postponed service reconfiguration — configure Kerberos at the moment and reconfigure service later.

To run the action in the ADCM web UI, go to the Clusters page. Select an installed and prepared ADH cluster, and choose the Manage Kerberos action.

adcm select adh cluster
Manage Kerberos

The pop-up window suggests several options to run the action:

To correctly launch the action you should choose just one out of the suggested KDC types: Existing MIT KDC, Existing Active Directory, Existing FreeIPA, or Existing Samba. Each of these options can be combined with the Custom kerberization settings option.

manage kerberos
Ways to manage Kerberos
IMPORTANT
Running the action with one KDC type enabled will trigger Kerberos activation.

Custom kerberization settings

The Custom kerberization settings option allows the user to choose kerberization steps, for example, creation of principals and keytabs.

custom kerberization settings
Custom kerberization settings parameters
Custom kerberization settings parameter description
Parameter Description Default value

Set up Kerberos utils

Enables installation or removal of Kerberos clients and utils. Affects the Expand and Install actions

True

Configure Kerberos on hosts

Enables cluster configuration, including krb5.conf, ldap.conf

True

Set up principals and keytabs

Enables creation, recreation, or removal of principals and keytabs. Passwords for principals are generated randomly before keytab creation. Affects the Expand and Install actions. ADCM bundle will set up owner and permissions for keytabs only if this checkbox is selected in the cluster configuration. In case of absence of admin permissions, a customer should provide the prepared keytabs with correctly set owner and permissions (see Custom keytab recommendations)

True

Configure services and clients

Enables updating of services and clients configuration

True

Run service checks

Enables service check runs

True

Custom keytab recommendations

Below is the table with recommendations for owners, groups, and permissions for keytabs.

Keytab recommendations
Component short name Keytab owner Keytab group Permissions

zookeeper

zookeeper

zookeeper

600

hdfs-datanode

hdfs

hadoop

600

hdfs-namenode

hdfs

hadoop

600

hdfs-journalnode

hdfs

hadoop

600

hdfs-secondarynamenode

hdfs

hadoop

600

hdfs-zkfc

hdfs

hadoop

600

HTTP

hdfs

hadoop

640

httpfs

httpfs

httpfs

600

hdfs

hdfs

hadoop

640

yarn

yarn

hadoop

640

yarn-resourcemanager

yarn

hadoop

600

yarn-nodemanager

yarn

hadoop

600

yarn-timelineserver

yarn

hadoop

600

mapreduce-historyserver

mapred

hadoop

600

hbase

hbase

hadoop

640

hbase-phoenix_queryserver

phoenix

phoenix

600

hbase-thrift2

hbase

hbase

600

hive

hive

hive

640

solr

solr

solr

600

spark

spark

spark

640

livy

livy

hadoop

600

airflow

airflow

airflow

600

sqoop

sqoop

sqoop

600

flink

flink

flink

600

zeppelin

zeppelin

zeppelin

600

impala

impala

impala

600

Found a mistake? Seleсt text and press Ctrl+Enter to report it