Manage Kerberos

Sergei Tikhomirov

Contents

Custom kerberization settings
Custom keytab recommendations

The Manage Kerberos action encapsulates enabling, reconfiguring, and disabling of Kerberos for the cluster services. To run it, you need an installed ADPS cluster (see Get started with Arenadata Platform Security) and one or more KDCs (Key Distribution Center).

NOTE

This action has the same purpose as the Manage Kerberos action in ADH.

To run the action, go to the Clusters page, find your ADPS cluster, click actions default light actions default dark in the Actions column, and select the action from the drop-down menu that appears.

Running an action

The pop-up window suggests several options to run the action:

Using an existing MIT KDC.
Using an existing MS Active Directory.
Using an existing FreeIPA.

Kerberos activation options

IMPORTANT

Running the action with one KDC type enabled will trigger Kerberos activation.

Custom kerberization settings

The Custom kerberization settings option allows the user to choose kerberization steps, for example, creation of principals and keytabs.

Custom kerberization settings parameters

Custom kerberization settings parameter description
Parameter	Description	Default value
Set up Kerberos utils	Enables installation or removal of Kerberos clients and utils. Affects the *Expand* and *Install* actions	True
Configure Kerberos on hosts	Enables cluster configuration, including krb5.conf, ldap.conf	True
Set up principals and keytabs	Enables creation, recreation, or removal of principals and keytabs. Passwords for principals are generated randomly before keytab creation. Affects the *Expand* and *Install* actions. ADCM bundle will set up owner and permissions for keytabs only if this checkbox is selected in the cluster configuration. In case of absence of admin permissions, a customer should provide the prepared keytabs with correctly set owner and permissions (see Custom keytab recommendations)	True
Configure services and clients	Enables updating of services and clients configuration	True
Run service checks	Enables service check runs	True

Custom keytab recommendations

Below is the table with recommendations for owners, groups, and permissions for keytabs.

Keytab recommendations
Component short name	Keytab owner	Keytab group	Permissions
zookeeper	zookeeper	zookeeper	600
solr	solr	solr	600
rangeradmin	ranger	ranger	600
rangerkms	kms	kms	600
rangerlookup	ranger	ranger	600
rangertagsync	ranger	ranger	600
rangerusersync	ranger	ranger	600
knox	knox	knox	600
HTTP	root	hadoop	640

Found a mistake? Seleсt text and press Ctrl+Enter to report it