Hi Ed... I have been working on the automated Kerberos implementation, so I can give you some insight on configuring that, however I don't have any experience with HA or Ansible.

In Ambari 2.0, you should be able to enable and disable Kerberos via the REST API. I am not sure if any of this is documented. If not, it will be soon. The steps involved in enabling Kerberos are as follows:

1) Configure the KDC and Kerberos environment
2) Install the Kerberos service
3) Create/update the Kerberos Descriptors for the services installed on your cluster
4) Set the KDC administrative credentials (in the HTTP session)
5) Enable Kerberos

Once Kerberos is enabled, adding new services and hosts should be automatically handled, however you may want to update the default Kerberos descriptors for any new services you are adding. Also, in order to perform any Kerberos related tasks, you will need to provide the KDC administrative credentials. These are not stored for longer than your HTTP session. On that note, your connection to Ambari needs to be able to handle a session.

I plan to send you more details on the steps listed above, I will try to get that out to you shortly. Sorry for the delay in getting this information out to you.

Rob

On 2/13/15, 4:31 PM, "Ed Kohlwey" <[email protected]> wrote:

>Hi,
>I'm interested in using Ambari + Ansible to manage a Kerberized cluster.
>The current contemplation is to use an Ansible module to make REST calls
>to the Ambari server in order to configure the nodes.
>
>We would also like to be able to automatically set up HA and secure mode.
>
>We have scripts currently for setting up a primary and secondary KDC and
>issuing keytabs, so that is not a big deal, but I recall that the API
>currently has no official support for setting up secure mode or for
>deploying HA.
>
>Can we use the undocumented APIs to do this successfully? How future
>proof is that approach? I noticed that there has been a lot of work on
>setting up a cluster KDC in version 2.
>
>Can any of the devs working on this suggest a good path forward to
>minimize rework after the next release?
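
The session requirement in steps 4 and 5 above, as an added example that is not part of the original thread and is not Ambari code: a local stub that holds KDC admin credentials only per session shows why a client that drops its cookies between calls is refused at step 5. The stub server, the `/cluster` path, the `SID` cookie name, the payload keys and the credential values are all constructed for illustration.

```python
import http.cookiejar, json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # stub state: session id -> KDC admin credentials present?

class StubAmbari(BaseHTTPRequestHandler):
    """Constructed stand-in, not Ambari: credentials exist only per session."""
    def do_PUT(self):
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        sid = self.headers.get("Cookie", "").partition("SID=")[2]
        sid = sid or str(len(SESSIONS) + 1)      # no cookie -> new session
        SESSIONS.setdefault(sid, False)
        if "kdc_admin" in body:                  # step 4 (hypothetical payload)
            SESSIONS[sid] = True
        self.send_response(200 if SESSIONS[sid] else 403)  # step 5 needs creds
        self.send_header("Set-Cookie", f"SID={sid}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):                # keep the demo quiet
        pass

def new_client():
    """Opener with its own cookie jar; proxies disabled for the local stub."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(jar))

def put(client, url, payload):
    req = urllib.request.Request(url, json.dumps(payload).encode(), method="PUT")
    try:
        with client.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def enable_kerberos(reuse_session):
    """Run steps 4 and 5 against the stub; return the status of step 5."""
    server = HTTPServer(("127.0.0.1", 0), StubAmbari)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/cluster"  # hypothetical path
    client = new_client()
    put(client, url, {"kdc_admin": {"principal": "admin/admin", "password": "x"}})
    if not reuse_session:
        client = new_client()                    # fresh jar, like a stateless task
    status = put(client, url, {"security_type": "KERBEROS"})
    server.shutdown()
    server.server_close()
    return status
```

`enable_kerberos(True)` returns 200 and `enable_kerberos(False)` returns 403, so an automation module that opens a new connection per task has to carry the session cookie across tasks or perform steps 4 and 5 in one session.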
