[
https://issues.apache.org/jira/browse/AMBARI-9783?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Levas updated AMBARI-9783:
---------------------------------
Description:
Provide an option for users that want to enable Kerberos in the cluster via
Ambari but do not want any automation. With this option, Ambari will not
require any access to the KDC, will not install Kerberos clients, will not
attempt to generate any principals or keytabs and will not distribute any
keytabs. Keytab regeneration will not be available, and when there are changes
to the cluster (add service, add/remove/change host), the user is responsible
for creating principals and making sure the appropriate keytabs are in place on
the host for proper cluster function (although Ambari should handle updating
any configs).
Effectively, the above option provides a manual Kerberos option for users that
are looking to have a similar "hands-off" Ambari Kerberos experience to that of
1.7.0 or earlier.
On the Kerberos Wizard, provide an option (below Existing MIT KDC and Existing
Active Directory):
{code}
[ ] Manage Kerberos manually
{code}
Which will send the wizard through a path that does not prompt for KDC
information, or attempt to install clients or create principals/keytabs. The
user should have a chance to Configure Identities as part of the wizard and the
wizard will push the configs, perform restarts, etc. Users should have an
option to download a CSV of principals, keytabs, hosts, locations, permissions,
ownership.
Semi-related: as part of this work, for users that will use Kerberos
automation, expose an option to not install Kerberos clients.
was:
Provide an option for users that want to enable Kerberos in the cluster via
Ambari but do not want any automation. With this option, Ambari will not
require any access to the KDC, will not install Kerberos clients, will not
attempt to generate any principals or keytabs and will not distribute any
keytabs. Keytab regeneration will not be available, and when there are changes
to the cluster (add service, add/remove/change host), the user is responsible
for creating principals and making sure the appropriate keytabs are in place on
the host for proper cluster function (although Ambari should handle updating
any configs).
Effectively, the above option provides a manual Kerberos option for users that
are looking to have a similar "hands-off" Ambari Kerberos experience to that of
1.7.0 or earlier.
On the Kerberos Wizard, provide an option (below Existing MIT KDC and Existing
Active Directory):
{code}
[ ] Manage Kerberos principals and keytabs manually
{code}
Which will send the wizard through a path that does not prompt for KDC
information, or attempt to install clients or create principals/keytabs. The
user should have a chance to Configure Identities as part of the wizard and the
wizard will push the configs, perform restarts, etc. Users should have an
option to download a CSV of principals, keytabs, hosts, locations, permissions,
ownership.
Semi-related: as part of this work, for users that will use Kerberos
automation, expose an option to not install Kerberos clients.
> Ability to manually enable Kerberos security
> --------------------------------------------
>
> Key: AMBARI-9783
> URL: https://issues.apache.org/jira/browse/AMBARI-9783
> Project: Ambari
> Issue Type: Epic
> Components: ambari-server, security
> Affects Versions: 2.0.0
> Reporter: Jeff Sposetti
> Assignee: Robert Levas
> Fix For: 2.1.0
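Added example, not part of the issue or of Ambari's code: with manual Kerberos the operator has to confirm that each keytab listed for a host is in place with the expected ownership and permissions. The sketch below checks one host against a CSV of the kind the description mentions; the column names, the sample rows and the helper names are assumptions, since the issue lists the fields but not a file layout.

```python
import csv, grp, io, os, pwd, stat

# Constructed sample; the column names are assumptions, not Ambari's export format.
SAMPLE_CSV = """host,principal,keytab_path,owner,group,mode
host1.example.com,nn/host1.example.com@EXAMPLE.COM,/etc/security/keytabs/nn.service.keytab,hdfs,hadoop,400
host2.example.com,dn/host2.example.com@EXAMPLE.COM,/etc/security/keytabs/dn.service.keytab,hdfs,hadoop,400
"""

def name_of(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number if unknown."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit_keytabs(csv_text, this_host, root="/"):
    """Return (keytab_path, problem) pairs for the rows that apply to this_host."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["host"] != this_host:
            continue
        listed = row["keytab_path"]
        path = os.path.join(root, listed.lstrip("/"))
        try:
            st = os.lstat(path)  # lstat: a symlink is reported, not followed
        except FileNotFoundError:
            findings.append((listed, "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((listed, "not a regular file"))
            continue
        owner = name_of(pwd.getpwuid, st.st_uid)
        group = name_of(grp.getgrgid, st.st_gid)
        if owner != row["owner"]:
            findings.append((listed, f"owner is {owner}, expected {row['owner']}"))
        if group != row["group"]:
            findings.append((listed, f"group is {group}, expected {row['group']}"))
        # Any permission bit beyond the listed mode exposes the key material.
        allowed, actual = int(row["mode"], 8), stat.S_IMODE(st.st_mode)
        if actual & ~allowed:
            findings.append((listed, f"mode {actual:03o} is broader than {allowed:03o}"))
    return findings

if __name__ == "__main__":
    for path, problem in audit_keytabs(SAMPLE_CSV, "host1.example.com"):
        print(f"{path}: {problem}")
```

The `root` parameter exists only so the check can be pointed at a staging directory; on a cluster host it stays at `/`.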