Posted to user@ambari.apache.org by Hellmar Becker <be...@hellmar-becker.de> on 2015/01/15 17:29:29 UTC

Automating the security setup

Hello,

At ING, we are currently automating deployment of an HDP-based cluster
using Ambari blueprints and the REST API. We would like to also enable
Kerberos-based security in this way. A couple of questions:

- Is it possible to enable security with a single REST call which  
would be equivalent to the "Enable Security" button in the GUI?

- Or, would we need to figure out the settings for each service and  
incorporate those in our blueprint?

- As for the keytab generation, Ambari creates a CSV that lists all  
principals that need keytabs, along with the locations and permissions  
for the keytab files. Can this CSV file be generated through a REST  
call? Or any other suggestions on how to automate these steps?

Thanks for any ideas that you can share on these issues.

========================================
Hellmar Becker
Edmond Audranstraat 55
NL-3543BG Utrecht
mail: becker@hellmar-becker.de
mobile: +31 6 29986670
========================================


Re: Automating the security setup

Posted by Yusaku Sako <yu...@hortonworks.com>.
Hi Becker,

We are targeting the upcoming Ambari 2.0 for adding support to Kerberize
the cluster in an automated fashion with only a few REST API calls and user
intervention: https://issues.apache.org/jira/browse/AMBARI-7204

It would automate Kerberos client installation, principal/keytab generation
and distribution, etc., and is designed to work with an external MIT KDC as
well as Active Directory. It would also make it much easier to handle
adding new services / hosts / components on an already Kerberized cluster.
You will not have to directly and explicitly set a bunch of
Kerberos-related parameters in many configurations across different services.
The legacy implementation using the CSV file is going away.
A lot of the code to make this work is already on trunk but it is still
actively being worked on as we speak.

Yusaku
