Manage Kerberos
The Manage Kerberos action encapsulates enabling, reconfiguring, and disabling Kerberos for the cluster services. To run it, you need an installed ADPS cluster (see Get started with Arenadata Platform Security) and one or more KDCs (Key Distribution Centers).
NOTE
This action has the same purpose as the Manage Kerberos action in ADH.
To run the action, go to the Clusters page, find your ADPS cluster, click in the Actions column, and select the action from the drop-down menu that appears.
The pop-up window suggests several options to run the action:
- Using an existing MIT KDC.
- Using an existing MS Active Directory.
- Using an existing FreeIPA.
- Using an existing Samba.
IMPORTANT
Running the action with one KDC type enabled will trigger Kerberos activation.
Custom kerberization settings
The Custom kerberization settings option allows the user to choose kerberization steps, for example, creation of principals and keytabs.
Parameter | Description | Default value |
---|---|---|
Set up Kerberos utils | Enables installation or removal of Kerberos clients and utils. Affects the Expand and Install actions | True |
Configure Kerberos on hosts | Enables cluster configuration, including krb5.conf, ldap.conf | True |
Set up principals and keytabs | Enables creation, recreation, or removal of principals and keytabs. Passwords for principals are generated randomly before keytab creation. Affects the Expand and Install actions. The ADCM bundle sets up the owner and permissions for keytabs only if this checkbox is selected in the cluster configuration. If admin permissions are not available, the customer should provide prepared keytabs with the owner and permissions set correctly (see Custom keytab recommendations) | True |
Configure services and clients | Enables updating of services and clients configuration | True |
Run service checks | Enables service check runs | True |
Custom keytab recommendations
Below is the table with recommendations for owners, groups, and permissions for keytabs.
Component short name | Keytab owner | Keytab group | Permissions |
---|---|---|---|
zookeeper | zookeeper | zookeeper | 600 |
solr | solr | solr | 600 |
rangeradmin | ranger | ranger | 600 |
rangerkms | kms | kms | 600 |
rangerlookup | ranger | ranger | 600 |
rangertagsync | ranger | ranger | 600 |
rangerusersync | ranger | ranger | 600 |
knox | knox | knox | 600 |
HTTP | root | hadoop | 640 |
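
When keytabs are prepared by hand, their owner, group, and mode can be audited against the table above before running the action. The script below is an added example, not part of the ADPS documentation or the ADCM bundle. It assumes GNU or BusyBox `stat`; keytab paths are supplied by the caller, and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: audit keytab owner, group and mode against the
# "Custom keytab recommendations" table. Assumes GNU or BusyBox stat (-c).

# Print "owner group mode" recommended for a component short name.
expected_for() {
    case "$1" in
        zookeeper) echo "zookeeper zookeeper 600" ;;
        solr)      echo "solr solr 600" ;;
        rangeradmin|rangerlookup|rangertagsync|rangerusersync)
                   echo "ranger ranger 600" ;;
        rangerkms) echo "kms kms 600" ;;
        knox)      echo "knox knox 600" ;;
        HTTP)      echo "root hadoop 640" ;;
        *)         return 1 ;;
    esac
}

# verify_file PATH OWNER GROUP MODE
# Returns 0 on match, 1 on drift, 2 if the file is missing or unreadable.
verify_file() {
    [ -f "$1" ] || { echo "MISSING $1" >&2; return 2; }
    # -L follows symlinks so the check matches what the service will open.
    actual=$(stat -L -c '%U %G %a' "$1") || return 2
    if [ "$actual" = "$2 $3 $4" ]; then
        echo "OK      $1 ($actual)"
        return 0
    fi
    echo "DRIFT   $1: have '$actual', want '$2 $3 $4'" >&2
    return 1
}

# check_keytab COMPONENT PATH
# Returns verify_file's status, or 2 for an unknown component name.
check_keytab() {
    want=$(expected_for "$1") || { echo "UNKNOWN component $1" >&2; return 2; }
    # Intentional word splitting: $want is "owner group mode".
    # shellcheck disable=SC2086
    verify_file "$2" $want
}

# Usage (hypothetical paths, adjust to where your keytabs are stored):
#   check_keytab zookeeper /etc/security/keytabs/zookeeper.service.keytab
#   check_keytab HTTP      /etc/security/keytabs/HTTP.service.keytab
```

A mode wider than the recommended one (for example 644 on a service keytab) is reported as drift, since any local user who can read the file can authenticate as that principal.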