Custom kerberization settings
The Custom kerberization settings option allows the user to select kerberization steps, such as creating principals and keytab files.
Each protocol available when selecting the Manage Kerberos cluster action (MIT Kerberos, MS Active Directory, FreeIPA) can be combined with the Custom kerberization settings option.
To set the option, follow these steps:
- Initiate Kerberos enablement for the selected cluster. To do this, apply the Manage Kerberos action by clicking on the in the Actions column.
  Figure: Enabling Kerberos on an ADS cluster
- Turn on the Custom kerberization settings switch in the window that opens, expand the settings tree, set the necessary parameters, and click Run.
Parameter | Description | Default value |
---|---|---|
Set up Kerberos utils | Enables installation or removal of Kerberos clients and utils. Affects the Expand and Install actions | True |
Configure Kerberos on hosts | Enables cluster configuration, including krb5.conf and ldap.conf | True |
Set up principals and keytabs | Enables creation, recreation, or removal of principals and keytabs. Passwords for principals are generated randomly before keytab creation. Affects the Expand and Install actions. The ADCM bundle sets the owner and permissions for keytabs only if this checkbox is selected in the cluster configuration. If admin permissions are not available, the customer should provide prepared keytabs with the owner and permissions already set correctly (see Custom keytab recommendations) | True |
Configure services and clients | This parameter does not affect ADS operation. Custom settings are made using the JAAS file template | True |
Run service checks | Enables service check runs | True |
Custom keytab recommendations
Below is a table of recommended owners, groups, and permissions for keytabs.
Component short name | Keytab owner | Keytab group | Permissions |
---|---|---|---|
kafka | kafka | kafka | 600 |
kafka-manager | kafka-manager | kafka-manager | 600 |
kafka-rest | kafka-rest | kafka | 600 |
ksql-server | ksql | kafka | 600 |
nifi | nifi | nifi | 600 |
nifi-registry | nifi | nifi | 600 |
schema-registry | schema-registry | kafka | 600 |
kafka-connect | kafka-connect | kafka | 600 |
zookeeper | zookeeper | zookeeper | 600 |
HTTP | nifi | nifi | 640 |
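When keytabs are prepared outside the ADCM bundle (the case described under Set up principals and keytabs), the owner, group and mode should be verified against the table above before the Kerberos action is run. The script below is an added example, not part of the ADS documentation or bundle: it encodes the table and checks a keytab's attributes against it, assuming GNU `stat` and that the component's service accounts exist on the host.

```shell
#!/bin/sh
# Expected "owner group mode" per component short name, taken from the table above.
keytab_expectation() {
  case "$1" in
    kafka)           echo "kafka kafka 600" ;;
    kafka-manager)   echo "kafka-manager kafka-manager 600" ;;
    kafka-rest)      echo "kafka-rest kafka 600" ;;
    ksql-server)     echo "ksql kafka 600" ;;
    nifi)            echo "nifi nifi 600" ;;
    nifi-registry)   echo "nifi nifi 600" ;;
    schema-registry) echo "schema-registry kafka 600" ;;
    kafka-connect)   echo "kafka-connect kafka 600" ;;
    zookeeper)       echo "zookeeper zookeeper 600" ;;
    HTTP)            echo "nifi nifi 640" ;;
    *) return 1 ;;
  esac
}

# Compare observed owner/group/mode with the table. Prints every mismatch.
# Returns 0 when all match, 1 on any mismatch, 2 for an unknown component.
check_keytab_attrs() {
  component=$1; owner=$2; group=$3; mode=$4
  expected=$(keytab_expectation "$component") || { echo "unknown component: $component"; return 2; }
  set -- $expected
  rc=0
  [ "$owner" = "$1" ] || { echo "$component: owner is $owner, expected $1"; rc=1; }
  [ "$group" = "$2" ] || { echo "$component: group is $group, expected $2"; rc=1; }
  [ "$mode" = "$3" ]  || { echo "$component: mode is $mode, expected $3"; rc=1; }
  return $rc
}

# Read a keytab's real owner, group and octal mode with GNU stat(1) (assumption)
# and check them. Returns 2 if the file does not exist.
check_keytab_file() {
  component=$1; path=$2
  [ -f "$path" ] || { echo "$path: no such keytab"; return 2; }
  set -- $(stat -c '%U %G %a' "$path")
  check_keytab_attrs "$component" "$1" "$2" "$3"
}
```

Run it per host as `check_keytab_file kafka /etc/security/keytabs/kafka.keytab` (the path is a placeholder) for each deployed component; a non-zero exit means the keytab needs fixing before enabling Kerberos.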