Using the enable_activedirectory Utility (recommended)
Note
Use this option for Big Data Service 3.0.27 and later.
This utility allows you to enable Kerberos using Active Directory and LDAP integration for individual services including Ambari, Hue, Ranger, and JupyterHub.
Connect to the un0 node through a command shell using Secure Shell (SSH).
Run the following command:
sudo enable_activedirectory
Input Active Directory properties:
KDC Hosts: <AD_SERVER_FQDN>
Realm name: <AD_REALM_NAME>
LDAP url: ldaps://<AD_FQDN>:636 or ldap://<AD_FQDN>:389
After the Kerberos service has been installed and tested successfully, click Next.
To configure identities, accept the default values and click Next.
Confirm the configuration:
(Optional) To download a CSV file of the principals and keytabs that Apache Ambari created, click Download CSV.
Review the configuration, and then click Next.
Start and test services.
If you receive errors, you can run the tests again by clicking Retry.
Click Complete.
Disabling Kerberos
This applies to clusters that have the Kafka and Ranger services installed. Disabling Kerberos on a secure/HA cluster must be done appropriately to avoid a Kafka service check failure. Use one of the following approaches.
From the side toolbar, under Cluster Admin click Kerberos.
Click Disable Kerberos.
Follow the Disable Kerberos wizard, and then click Complete.
Disabling KDC when the Kafka Ranger Plugin is Installed
Method 1 (Recommended)
If Kerberos is enabled, then:
Disable the Kafka Ranger plugin from Ambari:
Sign in to Ambari.
From the side toolbar, under Services click Ranger.
Click Configs, and then click Ranger Plugin.
Disable Kerberos.
Enable the Kafka Ranger plugin if it is required.
Method 2
If Kerberos is currently enabled and you do not want to disable the Kafka Ranger plugin, then:
Go to Ranger and navigate to the policies for the Kafka service.
Add the public group to the all - topic and all - cluster policies. If for some reason those policies do not exist, create them. The aim is to grant the public group access to all topic and cluster resources needed for the Kafka service check.
Disable Kerberos.
Remove the public groups that were added above.
Method 3
If Kerberos is already disabled and the Kafka service check has already failed, then:
Disable the Kafka Ranger plugin as mentioned under Method 1.
Restart the Kafka service as required.
Enable the Kafka Ranger plugin.
Note
Public group access to all - topic policy is required for Kafka service check (Kafka > Actions > Run Service Check) after disabling Kerberos.
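A check for the last step of Method 2, added here as an example and not part of the Oracle documentation: it lists the enabled Kafka policies whose allow items still name the public group, so a grant left behind is easy to spot. The sample policies are constructed, and the JSON field names (name, isEnabled, policyItems, groups, accesses) are assumed to follow Apache Ranger's policy model.

```python
import json

# Constructed sample shaped like Apache Ranger policy JSON (assumed field
# names: name, isEnabled, policyItems, groups, accesses). Not real cluster data.
SAMPLE_POLICIES = json.loads("""
[
  {"name": "all - topic", "isEnabled": true,
   "resources": {"topic": {"values": ["*"]}},
   "policyItems": [
     {"groups": [], "users": ["kafka"],
      "accesses": [{"type": "publish", "isAllowed": true}]},
     {"groups": ["public"], "users": [],
      "accesses": [{"type": "publish", "isAllowed": true},
                   {"type": "consume", "isAllowed": true}]}]},
  {"name": "all - cluster", "isEnabled": true,
   "resources": {"cluster": {"values": ["*"]}},
   "policyItems": [
     {"groups": [], "users": ["kafka"],
      "accesses": [{"type": "create", "isAllowed": true}]}]},
  {"name": "old - test", "isEnabled": false,
   "resources": {"topic": {"values": ["test"]}},
   "policyItems": [
     {"groups": ["public"], "users": [],
      "accesses": [{"type": "consume", "isAllowed": true}]}]}
]
""")


def public_grants(policies, group="public"):
    """Return {policy name: sorted access types} for enabled policies whose
    allow items still name the given group."""
    findings = {}
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # a disabled policy grants nothing
        for item in policy.get("policyItems", []):
            if group not in item.get("groups", []):
                continue
            allowed = {a["type"] for a in item.get("accesses", [])
                       if a.get("isAllowed", True)}
            if allowed:
                findings.setdefault(policy["name"], set()).update(allowed)
    return {name: sorted(types) for name, types in findings.items()}


if __name__ == "__main__":
    for name, types in public_grants(SAMPLE_POLICIES).items():
        print(f"{name}: public group still has {', '.join(types)}")
```

Per the note above, a public grant on all - topic is expected while the Kafka service check is being run with Kerberos disabled; any other policy in the output is worth reviewing.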