Posted to user@ambari.apache.org by Yuanxinen <yu...@huawei.com> on 2017/08/15 08:05:03 UTC

User Management with Kerberos

Hi

I would like to know about following, can somebody direct me..?



1) Is there any REST API to create/get username and keytab..?

2) Or is there any custom API to implement this..?

Is it already available or going to be developed in future..?



Regards
Xinen Yuan


Re: User Management with Kerberos

Posted by Yuanxinen <yu...@huawei.com>.
Hi Rob
Thank you for your reply.

I installed one HDP 2.6, and another application wants to use HDP services, like the HDFS filesystem, HBase database and Hive database. So this application needs one Kerberos user principal and its keytab.
But right now there are no REST APIs for creating the Kerberos user principal and downloading its keytabs through the Ambari UI or REST APIs, and I do this manually with the Kerberos client.
So I want to check if there is any REST API to create/get username and keytab..?

If not, and I want to implement these APIs, is there any custom API to implement this in Ambari?

Or is there a plan to support this in Ambari?


Regards
Xinen Yuan

From: Robert Levas [mailto:rlevas@hortonworks.com]
Sent: August 15, 2017 20:30
To: user@ambari.apache.org
Subject: Re: User Management with Kerberos

Hi Xinen

Can you clarify what you are trying to (or would like to) do?

Ambari is not a general identity management system. Therefore, it does not have facilities to create just any identity (usernames, passwords, keytabs).  It really only knows how to create the identities that it needs for the installed services when Kerberos is enabled.

If you are trying to get around using some LDAP or Active Directory interface, you can try the steps in the following article that shows how to create accounts using the OpenLDAP command line utilities - https://community.hortonworks.com/articles/82544/how-to-create-ad-principal-accounts-using-openldap.html.

If you are looking to get information on what identities Ambari will create you can issue one of a few API calls.  If Kerberos has not yet been enabled, you can get the stack-level Kerberos descriptor (which serves as the base set of instructions for enabling Kerberos) by issuing the following API call:

http://AMBARI_SERVER_HOST:PORT/api/v1/stacks/HDP/versions/2.6/artifacts/kerberos_descriptor
replacing AMBARI_SERVER_HOST and PORT as well as the relevant stack information.

Or more simply, if a cluster has been installed:

http://AMBARI_SERVER_HOST:PORT/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/STACK
replacing AMBARI_SERVER_HOST, PORT, and CLUSTER_NAME.

If Kerberos has already been enabled, you can get the composite Kerberos descriptor (a combination of the base instructions with the user-supplied changes to it) by issuing the following API call:

http://AMBARI_SERVER_HOST:PORT/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/COMPOSITE
replacing AMBARI_SERVER_HOST, PORT, and CLUSTER_NAME.

Finally, if you want to see just the user-supplied changes, you can do:

http://AMBARI_SERVER_HOST:PORT/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/USER
replacing AMBARI_SERVER_HOST, PORT, and CLUSTER_NAME.

For more information on the Kerberos descriptor, you can take a look at https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/kerberos_descriptor.md.

For manually updating the user-supplied Kerberos descriptor, you can take a look at https://community.hortonworks.com/content/kbentry/89713/updating-the-user-sepecified-kerberos-descriptor.html.

I hope this helps,

Rob


From: Yuanxinen <yu...@huawei.com>
Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
Date: Tuesday, August 15, 2017 at 4:05 AM
To: "user@ambari.apache.org" <us...@ambari.apache.org>
Subject: User Management with Kerberos

Hi

I would like to know about following, can somebody direct me..?


  1.  Is there any REST API to create/get username and keytab..?
  2.  Or is there any custom API to implement this..?

Is it already available or going to be developed in future..?



Regards
Xinen Yuan


Re: User Management with Kerberos

Posted by Robert Levas <rl...@hortonworks.com>.
Hi Xinen

Can you clarify what you are trying to (or would like to) do?

Ambari is not a general identity management system. Therefore, it does not have facilities to create just any identity (usernames, passwords, keytabs).  It really only knows how to create the identities that it needs for the installed services when Kerberos is enabled.

If you are trying to get around using some LDAP or Active Directory interface, you can try the steps in the following article that shows how to create accounts using the OpenLDAP command line utilities - https://community.hortonworks.com/articles/82544/how-to-create-ad-principal-accounts-using-openldap.html.

If you are looking to get information on what identities Ambari will create you can issue one of a few API calls.  If Kerberos has not yet been enabled, you can get the stack-level Kerberos descriptor (which serves as the base set of instructions for enabling Kerberos) by issuing the following API call:

http://AMBARI_SERVER_HOST:PORT/api/v1/stacks/HDP/versions/2.6/artifacts/kerberos_descriptor
replacing AMBARI_SERVER_HOST and PORT as well as the relevant stack information.

Or more simply, if a cluster has been installed:

http://AMBARI_SERVER_HOST:PORT/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/STACK
replacing AMBARI_SERVER_HOST, PORT, and CLUSTER_NAME.

If Kerberos has already been enabled, you can get the composite Kerberos descriptor (a combination of the base instructions with the user-supplied changes to it) by issuing the following API call:

http://AMBARI_SERVER_HOST:PORT/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/COMPOSITE
replacing AMBARI_SERVER_HOST, PORT, and CLUSTER_NAME.

Finally, if you want to see just the user-supplied changes, you can do:

http://AMBARI_SERVER_HOST:PORT/api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/USER
replacing AMBARI_SERVER_HOST, PORT, and CLUSTER_NAME.

For more information on the Kerberos descriptor, you can take a look at https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/kerberos_descriptor.md.

For manually updating the user-supplied Kerberos descriptor, you can take a look at https://community.hortonworks.com/content/kbentry/89713/updating-the-user-sepecified-kerberos-descriptor.html.

I hope this helps,

Rob


From: Yuanxinen <yu...@huawei.com>
Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
Date: Tuesday, August 15, 2017 at 4:05 AM
To: "user@ambari.apache.org" <us...@ambari.apache.org>
Subject: User Management with Kerberos

Hi

I would like to know about following, can somebody direct me..?



  1.  Is there any REST API to create/get username and keytab..?
  2.  Or is there any custom API to implement this..?

Is it already available or going to be developed in future..?



Regards
Xinen Yuan
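

The following Python example is added here and is not from the thread or from the Ambari project. It inventories the principals and keytab files declared in a Kerberos descriptor returned by the cluster endpoints listed in the reply above. The response wrapper keys (`KerberosDescriptor`, `kerberos_descriptor`, `artifact_data`) and the `SAMPLE` descriptor are assumptions constructed for illustration.

```python
# Added example: SAMPLE is constructed and the wrapper keys are assumptions.
VIEWS = ("STACK", "COMPOSITE", "USER")  # descriptor views named in the reply

def descriptor_url(base, cluster, view):
    """Build one of the cluster-level descriptor URLs from the reply."""
    if view not in VIEWS:
        raise ValueError(f"unknown descriptor view: {view}")
    return f"{base.rstrip('/')}/api/v1/clusters/{cluster}/kerberos_descriptors/{view}"

def unwrap(response):
    """Return the descriptor body from a cluster or stack-artifact response."""
    if "KerberosDescriptor" in response:
        return response["KerberosDescriptor"]["kerberos_descriptor"]
    return response.get("artifact_data", response)

def list_identities(descriptor):
    """Collect identities declared at cluster, service and component level."""
    rows = []
    def collect(scope, identities):
        for ident in identities or []:
            name = ident.get("name") or ""
            principal = ident.get("principal") or {}
            keytab = ident.get("keytab") or {}
            rows.append({
                "scope": scope,
                "name": name,
                # A name such as "/spnego" points at an identity defined elsewhere.
                "is_reference": name.startswith("/") or "reference" in ident,
                "principal": principal.get("value"),
                "keytab": keytab.get("file"),
            })
    collect("cluster", descriptor.get("identities"))
    for svc in descriptor.get("services") or []:
        collect(svc["name"], svc.get("identities"))
        for comp in svc.get("components") or []:
            collect(f"{svc['name']}/{comp['name']}", comp.get("identities"))
    return rows

SAMPLE = {"KerberosDescriptor": {"type": "COMPOSITE", "kerberos_descriptor": {
    "identities": [{"name": "spnego",
                    "principal": {"value": "HTTP/_HOST@${realm}", "type": "service"},
                    "keytab": {"file": "${keytab_dir}/spnego.service.keytab"}}],
    "services": [{"name": "HDFS", "identities": [{"name": "/spnego"}],
                  "components": [{"name": "NAMENODE", "identities": [{
                      "name": "namenode_nn",
                      "principal": {"value": "nn/_HOST@${realm}", "type": "service"},
                      "keytab": {"file": "${keytab_dir}/nn.service.keytab"}}]}]}]}}}

if __name__ == "__main__":
    print(*list_identities(unwrap(SAMPLE)), sep="\n")
```

Comparing the rows from the COMPOSITE view with those from the USER view shows which principals and keytab paths were changed from the stack defaults.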