Ambari service for easily installing and managing KDC on HDP cluster
This can be used in conjunction with other security related Ambari services to setup security on a cluster
- Steps on how to use Ambari services to automate the install of OpenLDAP, KDC, nslcd/SSSD on existing cluster, and then running Ambari kerberos wizard
- Steps on how to use blueprints to deploy a cluster with OpenLDAP, KDC, nslcd/SSSD, and then run Ambari kerberos wizard
Limitations:
- This is not an officially supported service and is not meant to be deployed in production systems. It is only meant for testing demo/purposes
- It does not support Ambari/HDP upgrade process and will cause upgrade problems if not removed prior to upgrade
Author: Ali Bajwa
- Download HDP 2.2 sandbox VM image (Sandbox_HDP_2.2_VMware.ova) from Hortonworks website
- Import Sandbox_HDP_2.2_VMware.ova into VMWare and set the VM memory size to 8GB
- Now start the VM
- After it boots up, find the IP address of the VM and add an entry into your machines hosts file e.g.
192.168.191.241 sandbox.hortonworks.com sandbox
- Connect to the VM via SSH (password hadoop) and start Ambari server
ssh root@sandbox.hortonworks.com
/root/start_ambari.sh
- To deploy the KDC service, run below
cd /var/lib/ambari-server/resources/stacks/HDP/2.2/services
git clone https://github.com/abajwa-hw/kdc-stack.git
sudo service ambari restart
- Then you can click on 'Add Service' from the 'Actions' dropdown menu in the bottom left of the Ambari dashboard:
On bottom left -> Actions -> Add service -> check KDC server -> Next -> Next -> Enter password -> Next -> Deploy
-
On successful deployment you will see the KDC service as part of Ambari stack and will be able to start/stop the service from here:
-
When you've completed the install process, KDC server will appear in Ambari
-
You can see the parameters you configured under 'Configs' tab
-
One benefit to wrapping the component in Ambari service is that you can now monitor/manage this service remotely via REST API
export SERVICE=KRB5
export PASSWORD=admin
export AMBARI_HOST=sandbox.hortonworks.com
export CLUSTER=Sandbox
#get service status
curl -u admin:$PASSWORD -i -H 'X-Requested-By: ambari' -X GET http://$AMBARI_HOST:8080/api/v1/clusters/$CLUSTER/services/$SERVICE
#start service
curl -u admin:$PASSWORD -i -H 'X-Requested-By: ambari' -X PUT -d '{"RequestInfo": {"context" :"Start $SERVICE via REST"}, "Body": {"ServiceInfo": {"state": "STARTED"}}}' http://$AMBARI_HOST:8080/api/v1/clusters/$CLUSTER/services/$SERVICE
#stop service
curl -u admin:$PASSWORD -i -H 'X-Requested-By: ambari' -X PUT -d '{"RequestInfo": {"context" :"Stop $SERVICE via REST"}, "Body": {"ServiceInfo": {"state": "INSTALLED"}}}' http://$AMBARI_HOST:8080/api/v1/clusters/$CLUSTER/services/$SERVICE
- To remove the KDC service:
-
Stop the service via Ambari
-
Delete the service
curl -u admin:admin -i -H 'X-Requested-By: ambari' -X DELETE http://sandbox.hortonworks.com:8080/api/v1/clusters/Sandbox/services/KRB5 -
Delete the kerberos DB and clear its dirs
kdb5_util destroy rm -rf /etc/krb5.conf rm -rf /var/kerberos/krb5kdc/*
-
- You now have Kerberos KDC running on your Hadoop cluster
# kadmin -p admin/admin -w hortonworks -r HORTONWORKS.COM -q "get_principal admin/admin"
Authenticating as principal admin/admin with password.
Principal: admin/admin@HORTONWORKS.COM
Expiration date: [never]
Last password change: Mon Feb 02 01:22:39 PST 2015
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Feb 02 01:22:39 PST 2015 (root/admin@HORTONWORKS.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
MKey: vno 1
Attributes:
Policy: [none]