[ https://issues.apache.org/jira/browse/AMBARI-8610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hari Sekhon updated AMBARI-8610:
--------------------------------
    Description: 
Ambari generates a CSV list of principals for generating keytabs only when 
initially kerberizing a cluster.

However, when adding nodes to the cluster Ambari provides no such CSV or list 
of principals - leaving the user to figure out the list of required principals 
and keytabs themselves.

I use the original CSV as input to a perl program I've written to automate 
kerberos principal creation, keytab exports and distribution to nodes based for 
a FreeIPA realm (standalone MIT KDC as per stock kerberos_setup.sh is used more 
for small VM / PoC setups without LDAP integrated users and groups).

A CSV of new principals and keytabs should be created whenever deploying new 
hosts or new services to an existing kerberized cluster to allow for similar 
automation of extending an existing cluster.

If anyone else wants to automate FreeIPA Kerberos keytabs for their clusters 
they can use this program on my github:
{code}
git clone https://github.com/harisekhon/toolbox
cd toolbox
make

./ambari_freeipa_kerberos_setup.pl --help
{code}

  was:
Ambari generates a CSV list of principals for generating keytabs only when 
initially kerberizing a cluster. However, when adding nodes to the cluster 
Ambari provides no such CSV or list of principals.

I am using that CSV input to a perl program I've written to automate kerberos 
principal creation, keytab exports and distribution to nodes based for a 
FreeIPA realm (standalone MIT KDC as per stock kerberos_setup.sh is used more 
for small VM / PoC setups without LDAP integrated users and groups).

A CSV of new principals and keytabs required should be created whenever 
deploying new hosts or new services to an existing kerberized cluster.

If anyone else wants to automate FreeIPA Kerberos keytabs for their clusters 
they can use this program on my github:
{code}
git clone https://github.com/harisekhon/toolbox
cd toolbox
make

./ambari_freeipa_kerberos_setup.pl --help
{code}


> Kerberos add hosts/services CSV required for automating keytab distribution
> ---------------------------------------------------------------------------
>
>                 Key: AMBARI-8610
>                 URL: https://issues.apache.org/jira/browse/AMBARI-8610
>             Project: Ambari
>          Issue Type: Improvement
>    Affects Versions: 1.6.1
>         Environment: HDP 2.1
>            Reporter: Hari Sekhon
>
> Ambari generates a CSV list of principals for generating keytabs only when 
> initially kerberizing a cluster.
> However, when adding nodes to the cluster Ambari provides no such CSV or list 
> of principals - leaving the user to figure out the list of required 
> principals and keytabs themselves.
> I use the original CSV as input to a perl program I've written to automate 
> kerberos principal creation, keytab exports and distribution to nodes based 
> for a FreeIPA realm (standalone MIT KDC as per stock kerberos_setup.sh is 
> used more for small VM / PoC setups without LDAP integrated users and groups).
> A CSV of new principals and keytabs should be created whenever deploying new 
> hosts or new services to an existing kerberized cluster to allow for similar 
> automation of extending an existing cluster.
> If anyone else wants to automate FreeIPA Kerberos keytabs for their clusters 
> they can use this program on my github:
> {code}
> git clone https://github.com/harisekhon/toolbox
> cd toolbox
> make
> ./ambari_freeipa_kerberos_setup.pl --help
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
