Custom kerberization settings

The Custom kerberization settings option allows the user to select kerberization steps, such as creating principals and keytab files.

Each protocol available when selecting the Manage Kerberos cluster action (MIT Kerberos, MS Active Directory, FreeIPA) can be combined with the Custom kerberization settings option.

To set the option, follow the steps:

  1. Initiate Kerberos enablement for the selected cluster. To do this, apply the Manage Kerberos action by clicking the actions icon in the Actions column.

    Enabling Kerberos on an ADS cluster
  2. Turn on the Custom kerberization settings switch in the window that opens, expand the settings tree, set the necessary parameters, and click Run.

Custom kerberization settings parameters

Custom kerberization settings parameter description

| Parameter | Description | Default value |
|---|---|---|
| Set up Kerberos utils | Enables installation or removal of Kerberos clients and utils. Affects the Expand and Install actions. | True |
| Configure Kerberos on hosts | Enables cluster configuration, including krb5.conf and ldap.conf. | True |
| Set up principals and keytabs | Enables creation, recreation, or removal of principals and keytabs. Passwords for principals are generated randomly before keytab creation. Affects the Expand and Install actions. The ADCM bundle sets the owner and permissions for keytabs only if this checkbox is selected in the cluster configuration. If admin permissions are not available, the customer should provide prepared keytabs with the owner and permissions set correctly (see Custom keytab recommendations). | True |
| Configure services and clients | This parameter does not affect ADS operation. Custom settings are made using the JAAS file template. | True |
| Run service checks | Enables service check runs. | True |

Custom keytab recommendations

Below is the table with recommendations for owners, groups, and permissions for keytabs.

Keytab recommendations

| Component short name | Keytab owner | Keytab group | Permissions |
|---|---|---|---|
| kafka | kafka | kafka | 600 |
| kafka-manager | kafka-manager | kafka-manager | 600 |
| kafka-rest | kafka-rest | kafka | 600 |
| ksql-server | ksql | kafka | 600 |
| nifi | nifi | nifi | 600 |
| nifi-registry | nifi | nifi | 600 |
| schema-registry | schema-registry | kafka | 600 |
| kafka-connect | kafka-connect | kafka | 600 |
| zookeeper | zookeeper | zookeeper | 600 |
| HTTP | nifi | nifi | 640 |
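
The script below is an added example, not part of the ADS documentation or the ADCM bundle. It checks prepared keytabs against the recommendations in the table above before they are handed to the cluster. The `component=path` command-line form is an assumption of this example, because the page does not state where keytabs are stored.

```python
import grp
import os
import pwd
import stat

# Recommended (owner, group, mode) per component short name, from the table above.
RECOMMENDED = {
    "kafka": ("kafka", "kafka", 0o600),
    "kafka-manager": ("kafka-manager", "kafka-manager", 0o600),
    "kafka-rest": ("kafka-rest", "kafka", 0o600),
    "ksql-server": ("ksql", "kafka", 0o600),
    "nifi": ("nifi", "nifi", 0o600),
    "nifi-registry": ("nifi", "nifi", 0o600),
    "schema-registry": ("schema-registry", "kafka", 0o600),
    "kafka-connect": ("kafka-connect", "kafka", 0o600),
    "zookeeper": ("zookeeper", "zookeeper", 0o600),
    "HTTP": ("nifi", "nifi", 0o640),
}

def inspect(path):
    """Return (owner, group, mode) of a keytab without following symlinks."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)  # uid has no passwd entry on this host
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)  # gid has no group entry on this host
    return owner, group, stat.S_IMODE(st.st_mode)

def audit(component, owner, group, mode):
    """Compare observed attributes with the recommendation; return findings."""
    want_owner, want_group, want_mode = RECOMMENDED[component]
    findings = []
    if owner != want_owner:
        findings.append(f"owner {owner}, expected {want_owner}")
    if group != want_group:
        findings.append(f"group {group}, expected {want_group}")
    if mode != want_mode:
        findings.append(f"mode {mode:o}, expected {want_mode:o}")
    return findings

if __name__ == "__main__":
    import sys  # arguments take the assumed form component=path
    for component, path in (a.split("=", 1) for a in sys.argv[1:]):
        print(component, path, audit(component, *inspect(path)) or "OK")
```

An empty findings list means the keytab matches the table. A symlink or directory in place of a keytab is rejected rather than followed.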
