Configure Kerberos Authentication Using Active Directory KDC Only (Recommended)

Configure Kerberos authentication using Active Directory KDC only for Big Data Service.

The Big Data Service cluster provisions a local MIT KDC by default. The Kerberos wizard can be used to disable that KDC and enable the Active Directory KDC in its place.

Enabling Kerberos Using Existing Active Directory

Enable Kerberos using existing Active Directory on a Big Data Service cluster.

Use one of the following options:

Using the enable_activedirectory Utility (recommended)

Note

Use this option for Big Data Service 3.0.27 and later.
This utility allows you to enable Kerberos using Active Directory and LDAP integration for individual services including Ambari, Hue, Ranger, and JupyterHub.
  1. Connect to the un0 node through a command shell using Secure Shell (SSH).
  2. Run the following command:
    sudo enable_activedirectory

    Input Active Directory properties:

    • KDC Hosts: <AD_SERVER_FQDN>
    • Realm name: <AD_REALM_NAME>
    • LDAP url: ldaps://<AD_FQDN>:636 or ldap://<AD_FQDN>:389
    • Container DN: <AD_SEARCH_BASE>
    • Kadmin host: <AD_FQDN>:749
    • Admin principal: <AD_BIND_USER_NAME>@<AD_REALM_NAME_LOWER>
    • Admin password: <AD_BIND_USER_PWD>
    • Admin DN: CN=<username>,CN=Users,DC=<XXX>,DC=<YYY>,DC=<ZZZ>

Using Ambari

  1. Access Apache Ambari.
  2. From the side toolbar, under Cluster Admin, click Kerberos.
  3. Click Enable Kerberos, and then perform the following actions:
    1. Under What type of KDC do you plan on using?, select Existing Active Directory.
    2. Under Existing Active Directory, select all the check boxes.
    3. Click Next.
  4. Configure Kerberos as follows:
    1. Input Active Directory properties:
      • KDC Hosts: <AD_SERVER_FQDN>
      • Realm name: <AD_REALM_NAME>
      • LDAP url: ldaps://<AD_FQDN>:636 or ldap://<AD_FQDN>:389
      • Container DN: <AD_SEARCH_BASE>
      • Kadmin host: <AD_FQDN>:749
      • Admin principal: <AD_BIND_USER_NAME>@<AD_REALM_NAME_LOWER>
      • Admin password: <AD_BIND_USER_PWD>
    2. Select Save Admin Credentials.
    3. Click Next.
  5. After the Kerberos service has been installed and tested successfully, click Next.
  6. To configure identities, accept the default values and click Next.
  7. Confirm the configuration:
    1. (Optional) To download a CSV file of the principals and keytabs that Apache Ambari created, click Download CSV.
    2. Review the configuration, and then click Next.
  8. Start and test services.
    If you receive errors, you can run the tests again by clicking Retry.
  9. Click Complete.
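Before entering the Active Directory properties in either the enable_activedirectory utility or the Ambari wizard, a pre-flight check of the values catches typos and flags a cleartext ldap:// URL. This is an added example for this page, not a Big Data Service or Ambari tool; the host names, realm, user and DN values are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight validation of the Active Directory properties the Kerberos wizard asks for.
# Added example; every sample value here is a constructed placeholder.

# LDAP URL must be one of the two forms the wizard accepts; ldap:// is accepted but
# flagged, because the admin bind password would cross the network in clear.
ldap_url_ok() {
  case "$1" in
    ldaps://?*:636) return 0 ;;
    ldap://?*:389) echo "WARN: $1 is cleartext LDAP; prefer ldaps://<AD_FQDN>:636" >&2; return 0 ;;
    *) return 1 ;;
  esac
}

# Kerberos realms are upper-case by convention; the wizard's separate
# <AD_REALM_NAME_LOWER> value for the admin principal relies on that.
realm_ok() {
  [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Admin principal is <user>@<realm in lower case>, with a non-empty user part.
admin_principal_ok() {
  _lower=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ "${1%%@*}" != "$1" ] && [ -n "${1%%@*}" ] && [ "${1#*@}" = "$_lower" ]
}

# Kadmin host must carry the :749 port the wizard expects.
kadmin_ok() { case "$1" in ?*:749) return 0 ;; *) return 1 ;; esac; }

# Admin DN: CN=<username>,CN=Users, followed by one or more DC= components.
admin_dn_ok() { printf '%s' "$1" | grep -Eq '^CN=[^,]+,CN=Users(,DC=[^,]+)+$'; }

# Run every check, report each failure on stderr, return non-zero if any failed.
check_ad_params() {  # args: realm ldap_url kadmin_host admin_principal admin_dn
  rc=0
  realm_ok "$1"                || { echo "bad realm: $1" >&2; rc=1; }
  ldap_url_ok "$2"             || { echo "bad LDAP url: $2" >&2; rc=1; }
  kadmin_ok "$3"               || { echo "bad kadmin host: $3" >&2; rc=1; }
  admin_principal_ok "$4" "$1" || { echo "principal/realm mismatch: $4" >&2; rc=1; }
  admin_dn_ok "$5"             || { echo "bad admin DN: $5" >&2; rc=1; }
  return $rc
}

# Constructed sample values for a stand-alone run.
check_ad_params "EXAMPLE.TEST" "ldaps://ad01.example.test:636" "ad01.example.test:749" \
  "bdsbind@example.test" "CN=bdsbind,CN=Users,DC=example,DC=test" && echo "AD properties consistent"
```

The checks are purely syntactic; they do not replace confirming that the KDC, LDAPS and kadmin ports are actually reachable from the un0 node.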

Disabling Kerberos

This applies to clusters that have the Kafka and Ranger services installed. Disabling Kerberos on a secure (HA) cluster must be done in the right order to avoid a Kafka service check failure. Use one of the following approaches.

Disabling KDC

To set up the Active Directory KDC, you must first disable the MIT KDC.

Important

If the Kafka Ranger plugin is installed, follow the steps under Disabling KDC when the Kafka Ranger Plugin is Installed instead.

  1. Access Apache Ambari.
  2. From the side toolbar, under Cluster Admin, click Kerberos.
  3. Click Disable Kerberos.
  4. Follow the Disable Kerberos wizard, and then click Complete.

Disabling KDC when the Kafka Ranger Plugin is Installed

Method 1 (Recommended)

If Kerberos is enabled, then:

  1. Disable the Kafka Ranger plugin from Ambari:
    1. Sign in to Ambari.
    2. From the side toolbar, under Services, click Ranger.
    3. Click Configs, and then click Ranger Plugin.
  2. Disable Kerberos.
  3. Enable the Kafka Ranger plugin if it is required.

Method 2

If Kerberos is currently enabled and you do not want to disable the Kafka Ranger plugin, then:

  1. Go to Ranger and navigate to the policies for Kafka Service.
  2. Add the public group to the all - topic and all - cluster policies. If those policies do not exist, create them. The aim is to grant the public group access to all topic and cluster resources needed for the Kafka service check.
  3. Disable Kerberos.
  4. Remove the public group entries that were added above.

Method 3

If Kerberos is already disabled and the Kafka service check has already failed, then:

  1. Disable the Kafka Ranger plugin as mentioned under Method 1.
  2. Restart the Kafka service as required.
  3. Enable the Kafka Ranger plugin.

Note

Public group access to the all - topic policy is required for the Kafka service check (Kafka > Actions > Run Service Check) after disabling Kerberos.