Updating the Kerberos principal

If you edit the BDD principal or create a new one, you can use the bdd-admin script to publish your changes to the rest of the cluster.

When the script runs, it updates the following properties with the new or modified principal:
  • KERBEROS_PRINCIPAL in bdd.conf
  • krb5.principal in Studio's portal-ext.properties file
  • localKerberosPrincipal and clusterKerberosPrincipal in the data_processing_CLI file
Note: You can't change the primary component of the principal.

For more information on updating your Kerberos configuration with the bdd-admin script, see kerberos.

To update the Kerberos principal:

  1. On the Admin Server, edit the current BDD principal or create a new one.
    Be sure to keep the primary component of the principal the same as the original.
  2. Go to $BDD_HOME/BDD_manager/bin and run:
    ./bdd-admin.sh publish-config kerberos -p <principal>
    Where <principal> is the name of the new or modified principal.
  3. Restart your cluster so the changes take effect:
    ./bdd-admin.sh restart
    The above command will shut the cluster down gracefully, which may take a long time. You can optionally specify -t <minutes> to force a shutdown sooner.
  4. On each Transform Service node, restart k5start with the new principal by running the following command from $BDD_HOME/transformservice/:
    ./k5start -f $KERBEROS_KEYTAB_PATH -K <ticket_refresh> -l <ticket_lifetime> $KERBEROS_PRINCIPAL -b > <logfile> 2>&1
    Where:
    • $KERBEROS_KEYTAB_PATH and $KERBEROS_PRINCIPAL are the values of those properties defined in bdd.conf. Be sure to use the name of the new principal.
    • <ticket_refresh> is the rate at which the Transform Service's Kerberos ticket is refreshed, in minutes. For example, a value of 60 would set its ticket to be refreshed every 60 minutes, or every hour. You can optionally use the value for KERBEROS_TICKET_REFRESH_INTERVAL in bdd.conf.
    • <ticket_lifetime> is the amount of time the Transform Service's Kerberos ticket is valid for. This should be given as a number followed by a supported unit of time: s, m, h, or d. For example, 10h (10 hours) or 10m (10 minutes). You can optionally use the value for KERBEROS_TICKET_LIFETIME in bdd.conf.
    • <logfile> is the absolute path to the log file you want k5start to write to.
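The procedure above has two points where a mistake is easy to make: publishing a principal whose primary component differs from the original (which the script does not allow), and starting k5start with the wrong or empty keytab, principal, refresh or lifetime values. The following POSIX shell helpers are an added example, not part of the BDD documentation or the bdd-admin script: they check that a new principal keeps the primary component of the old one, and assemble the Transform Service k5start command line from a bdd.conf-style file using the KERBEROS_KEYTAB_PATH, KERBEROS_PRINCIPAL, KERBEROS_TICKET_REFRESH_INTERVAL and KERBEROS_TICKET_LIFETIME properties named above. The sample bdd.conf contents, host names, keytab path and log path are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the BDD documentation or of bdd-admin).
# Helpers for the "update the Kerberos principal" procedure:
#   - principal_primary / same_primary: check that the primary component of a
#     principal is unchanged before running publish-config kerberos
#   - k5start_cmdline: build the Transform Service k5start command from bdd.conf
# The sample bdd.conf written below is constructed for this example.

# Primary component of a Kerberos principal: everything before the first '/'
# or '@' (e.g. "bdd" for bdd/host.example.com@EXAMPLE.COM).
principal_primary() {
    printf '%s\n' "$1" | sed 's#[/@].*$##'
}

# Exit status 0 if principal $2 keeps the primary component of principal $1.
same_primary() {
    [ "$(principal_primary "$1")" = "$(principal_primary "$2")" ]
}

# Read one KEY=value property from a bdd.conf-style file ($1), key name $2.
conf_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Build the k5start command line for a Transform Service node from a bdd.conf
# file ($1) and a log file path ($2). The refresh rate (-K) and ticket
# lifetime (-l) are taken from KERBEROS_TICKET_REFRESH_INTERVAL and
# KERBEROS_TICKET_LIFETIME, as the procedure permits.
k5start_cmdline() {
    conf="$1"; logfile="$2"
    keytab="$(conf_value "$conf" KERBEROS_KEYTAB_PATH)"
    principal="$(conf_value "$conf" KERBEROS_PRINCIPAL)"
    refresh="$(conf_value "$conf" KERBEROS_TICKET_REFRESH_INTERVAL)"
    lifetime="$(conf_value "$conf" KERBEROS_TICKET_LIFETIME)"
    # Refuse to emit a command with an empty keytab, principal, refresh or
    # lifetime rather than start k5start with missing arguments.
    [ -n "$keytab" ] && [ -n "$principal" ] && [ -n "$refresh" ] && [ -n "$lifetime" ] || return 1
    printf './k5start -f %s -K %s -l %s %s -b > %s 2>&1\n' \
        "$keytab" "$refresh" "$lifetime" "$principal" "$logfile"
}

# Constructed sample bdd.conf (values are illustrative, not a real cluster).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
KERBEROS_PRINCIPAL=bdd/bddhost.example.com@EXAMPLE.COM
KERBEROS_KEYTAB_PATH=/opt/bdd/keytabs/bdd.keytab
KERBEROS_TICKET_REFRESH_INTERVAL=60
KERBEROS_TICKET_LIFETIME=10h
EOF

# Demonstration when run directly: compare an old and a new principal, then
# print the k5start command that would be run on a Transform Service node.
if same_primary "bdd/oldhost.example.com@EXAMPLE.COM" "bdd/bddhost.example.com@EXAMPLE.COM"; then
    echo "primary component unchanged: safe to run publish-config kerberos"
fi
k5start_cmdline "$SAMPLE_CONF" /var/log/bdd/k5start.log
```

Run the check with the old and the new principal before step 2, and use the printed command (with the real log path) in step 4 on each Transform Service node; the function returns a non-zero status if any of the four bdd.conf properties is missing, which is the situation that otherwise produces a k5start invocation with empty arguments.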