Updating Spnego Service Keytab to Add New Host Entry

  1. Access Apache Ambari.
  2. From the side toolbar, under Cluster Admin select Kerberos.
  3. Select General, and then select Edit.
  4. In the Spnego Principal field, enter HTTP/<ranger-lb-hostname>@{realm}, for example HTTP/ranger-ha-lb.oraclecloud.com@${realm}.
    Note

    Copy the current value of this field before changing it. A later step restores the field to this original value.
  5. Select Save, and then select Regenerate Keytabs.

    Wait for the keytabs to be generated.

  6. Repeat the previous steps, and then change the Spnego Principal back to the original value that you saved.
  7. Select Save, and then select Regenerate Keytabs.

    Wait for the keytabs to be generated.

    The /etc/security/keytabs/spnego.service.keytab now contains both the node-specific host principal and the Load Balancer principal.

    Example:

    [root@example0 keytabs]# klist -kt spnego.service.keytab
    Keytab name: FILE:spnego.service.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       4 12/07/2022 08:21:13 HTTP/example0.example0pub.example0vcn.oraclevcn.com@BDSCLOUDSERVICE.ORACLE.COM
       4 12/07/2022 08:21:13 HTTP/example0.example0pub.example0vcn.oraclevcn.com@BDSCLOUDSERVICE.ORACLE.COM
       4 12/07/2022 08:21:13 HTTP/example0.example0pub.example0vcn.oraclevcn.com@BDSCLOUDSERVICE.ORACLE.COM
       4 12/07/2022 08:21:13 HTTP/example0.example0pub.example0vcn.oraclevcn.com@BDSCLOUDSERVICE.ORACLE.COM
       4 12/07/2022 08:21:13 HTTP/example0.example0pub.example0vcn.oraclevcn.com@BDSCLOUDSERVICE.ORACLE.COM
       3 12/07/2022 08:21:13 HTTP/ranger-ha-lb.oraclecloud.com@BDSCLOUDSERVICE.ORACLE.COM
       3 12/07/2022 08:21:13 HTTP/ranger-ha-lb.oraclecloud.com@BDSCLOUDSERVICE.ORACLE.COM
       3 12/07/2022 08:21:13 HTTP/ranger-ha-lb.oraclecloud.com@BDSCLOUDSERVICE.ORACLE.COM
       3 12/07/2022 08:21:13 HTTP/ranger-ha-lb.oraclecloud.com@BDSCLOUDSERVICE.ORACLE.COM
       3 12/07/2022 08:21:13 HTTP/ranger-ha-lb.oraclecloud.com@BDSCLOUDSERVICE.ORACLE.COM
    
  8. (Optional) Depending on the services installed, un1 won't include spnego.service.keytab. If an additional Ranger Admin is installed on un1, steps 1-7 must be run again after Ranger Admin is added to the un1 node.
  9. Restart all the services that have regenerated keytabs. Otherwise, authorization fails.
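The following script is an added verification example for the procedure above; it is not part of the Oracle documentation and not an Ambari or Kerberos tool. It parses `klist -kt` output and confirms that both the node-specific host principal and the Load Balancer principal are present before services are restarted. The `keytab_has_principals` and `list_principals` functions are hypothetical helper names, and the embedded klist output is a constructed sample (hostnames taken from the example above) so that the script runs offline; on a real node, feed it the output of `klist -kt /etc/security/keytabs/spnego.service.keytab` instead.

```shell
#!/bin/sh
# Added example: verify that a regenerated SPNEGO keytab lists every expected
# principal. Not from the Oracle page; helper names are hypothetical.

# Constructed sample of `klist -kt spnego.service.keytab` output, so the script
# runs without a Kerberos installation. Replace with real klist output on a node.
SAMPLE_KLIST='Keytab name: FILE:spnego.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 12/07/2022 08:21:13 HTTP/example0.example0pub.example0vcn.oraclevcn.com@BDSCLOUDSERVICE.ORACLE.COM
   4 12/07/2022 08:21:13 HTTP/example0.example0pub.example0vcn.oraclevcn.com@BDSCLOUDSERVICE.ORACLE.COM
   3 12/07/2022 08:21:13 HTTP/ranger-ha-lb.oraclecloud.com@BDSCLOUDSERVICE.ORACLE.COM
   3 12/07/2022 08:21:13 HTTP/ranger-ha-lb.oraclecloud.com@BDSCLOUDSERVICE.ORACLE.COM'

# list_principals: read klist -kt output on stdin and print each distinct
# principal once. Entry lines have the form "KVNO date time principal", so the
# principal is the fourth field; header lines have no "@" in that field.
list_principals() {
    awk '$4 ~ /@/ { print $4 }' | sort -u
}

# keytab_has_principals KLIST_OUTPUT PRINCIPAL...
# Returns 0 when every named principal appears in the klist output, 1 otherwise,
# reporting each missing principal on stderr so the gap is visible to the operator.
keytab_has_principals() {
    klist_output=$1
    shift
    missing=0
    for p in "$@"; do
        if ! printf '%s\n' "$klist_output" | list_principals | grep -Fxq "$p"; then
            echo "missing principal: $p" >&2
            missing=1
        fi
    done
    return $missing
}

# Usage: check the sample for both principals the procedure is meant to produce.
keytab_has_principals "$SAMPLE_KLIST" \
    'HTTP/example0.example0pub.example0vcn.oraclevcn.com@BDSCLOUDSERVICE.ORACLE.COM' \
    'HTTP/ranger-ha-lb.oraclecloud.com@BDSCLOUDSERVICE.ORACLE.COM' \
    && echo "keytab contains both the host principal and the load balancer principal"
```

Run the check on each node that serves Ranger Admin behind the load balancer; a node whose keytab lacks the load balancer principal is the usual reason SPNEGO authentication through the load balancer fails after the procedure, and the check is cheaper than discovering that from the service logs after the restart in step 9.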