Configure Kerberos Authentication Using Active Directory KDC Only (Recommended)

Configure Kerberos authentication using Active Directory KDC only for Big Data Service.

The Big Data Service cluster provisions a local MIT KDC by default. The Kerberos wizard in Ambari can be used to disable the local MIT KDC and enable the Active Directory KDC in its place.

Enabling Kerberos Using Existing Active Directory

Enable Kerberos using existing Active Directory on a Big Data Service cluster.

Use one of the following options:

Using the enable_activedirectory Utility for Big Data Service 3.0.27 and later (recommended)

Use the enable_activedirectory utility to enable Kerberos using Active Directory and LDAP integration for individual services including Ambari, Hue, Ranger, and JupyterHub.

Note

  • Use this option for Big Data Service 3.0.27 and later.
  • If you're configuring Ranger for LDAP integration, ensure that the Active Directory (AD) bind user password contains only the following characters:
    • Alphanumeric: A–Z, a–z, 0–9
    • Special characters: []{}|;:,./<>?~!@#$%^&*()_+-=
  1. Connect to the un0 node through a command shell, using Secure Shell (SSH).
  2. Run the following command:
    sudo enable_activedirectory

    Input Active Directory properties:

    • KDC Hosts: <AD_SERVER_FQDN>
    • Realm name: <AD_REALM_NAME>
    • LDAP url: ldaps://<AD_FQDN>:636 (recommended) or ldap://<AD_FQDN>:389. Prefer ldaps, because a plain ldap:// simple bind sends the bind user password in clear text.
    • Container DN: <AD_SEARCH_BASE>
    • Kadmin host: <AD_FQDN>:749
    • Admin principal: <AD_BIND_USER_NAME>@<AD_REALM_NAME_LOWER>
    • Admin password: <AD_BIND_USER_PWD>
    • Admin DN: CN=<username>,CN=Users,DC=<XXX>,DC=<YYY>,DC=<ZZZ>
    You can also explicitly specify services with the -s option:
    sudo enable_activedirectory -s <space separated services>

    The available options are: Kerberos Ambari Hue Ranger.

    Note

    • For Big Data Service 3.1.1 and earlier, Kerberos can't be specified with -s. Instead, use:
      sudo enable_activedirectory -ot enableKerberosWithAD
    • For JupyterHub, you must manually configure authentication with LDAP/Active Directory.
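
Before running the utility, it pays to verify the values you're about to type against the domain controller: the bind password's character set (the Ranger constraint above), whether the LDAP URL uses TLS, TCP reachability of the KDC and LDAP ports, a kinit as the admin principal and a simple bind as the admin DN. The script below is an added example, not part of Big Data Service or the enable_activedirectory utility. It reads its inputs from environment variables with assumed names (AD_SERVER_FQDN, AD_REALM_NAME, AD_LDAP_URL, AD_SEARCH_BASE, AD_BIND_USER_NAME, AD_BIND_USER_DN, AD_BIND_USER_PWD) so the password never appears in shell history or ps output, and it needs the MIT Kerberos and OpenLDAP client tools (kinit, kdestroy, ldapsearch) on the un0 node. The same checks are useful before the password-rotation procedure below, to confirm that a rotated bind password works against AD before pushing it into the services.

```python
#!/usr/bin/env python3
"""Pre-flight checks before running `sudo enable_activedirectory` (added example).

Reads the wizard inputs from environment variables (assumed names, not used by the
real utility) and verifies them against the AD domain controller.
"""
import os
import socket
import string
import subprocess
import tempfile
from urllib.parse import urlparse

# Character set the documentation allows for the Ranger AD bind user password.
RANGER_PWD_ALLOWED = frozenset(string.ascii_letters + string.digits
                               + "[]{}|;:,./<>?~!@#$%^&*()_+-=")
LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def invalid_password_chars(password: str) -> str:
    """Return the distinct characters (sorted) Ranger would reject; '' means OK."""
    return "".join(sorted(set(password) - RANGER_PWD_ALLOWED))


def parse_ldap_url(url: str) -> tuple[str, str, int]:
    """Split an LDAP URL into (scheme, host, port), filling in the default port."""
    u = urlparse(url)
    if u.scheme not in LDAP_DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {url!r}")
    return u.scheme, u.hostname, u.port or LDAP_DEFAULT_PORTS[u.scheme]


def ldap_url_uses_tls(url: str) -> bool:
    """True only for ldaps://; a plain ldap:// simple bind sends the password in clear text."""
    return parse_ldap_url(url)[0] == "ldaps"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def kinit_check(principal: str, password: str) -> bool:
    """Obtain a TGT for the admin principal into a throw-away cache, then discard it."""
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "krb5cc")
        try:
            # MIT kinit reads the password from stdin when stdin is not a terminal.
            r = subprocess.run(["kinit", "-c", cache, principal], input=password + "\n",
                               text=True, capture_output=True)
            subprocess.run(["kdestroy", "-c", cache], capture_output=True)
        except FileNotFoundError:  # krb5 client tools not installed
            return False
        return r.returncode == 0


def ldap_bind_check(url: str, bind_dn: str, password: str, base_dn: str) -> bool:
    """Simple-bind as the admin DN and read the container DN; password passed via -y file."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        os.chmod(f.name, 0o600)
        f.write(password)  # -y uses the file contents verbatim, so no trailing newline
    try:
        r = subprocess.run(["ldapsearch", "-LLL", "-x", "-H", url, "-D", bind_dn,
                            "-y", f.name, "-b", base_dn, "-s", "base", "dn"],
                           capture_output=True, text=True)
        return r.returncode == 0
    except FileNotFoundError:  # OpenLDAP client tools not installed
        return False
    finally:
        os.unlink(f.name)


def main() -> int:
    # Assumed variable names; export them from a secret store, not inline on the command line.
    kdc, realm = os.environ["AD_SERVER_FQDN"], os.environ["AD_REALM_NAME"]
    url, base = os.environ["AD_LDAP_URL"], os.environ["AD_SEARCH_BASE"]
    user, bind_dn = os.environ["AD_BIND_USER_NAME"], os.environ["AD_BIND_USER_DN"]
    pwd = os.environ["AD_BIND_USER_PWD"]
    _, ldap_host, ldap_port = parse_ldap_url(url)
    results = {
        "bind password charset acceptable for Ranger": invalid_password_chars(pwd) == "",
        "LDAP URL uses TLS (ldaps://)": ldap_url_uses_tls(url),
        f"KDC {kdc}:88 reachable": tcp_reachable(kdc, 88),
        f"LDAP {ldap_host}:{ldap_port} reachable": tcp_reachable(ldap_host, ldap_port),
        "kinit as admin principal": kinit_check(f"{user}@{realm.lower()}", pwd),
        "LDAP bind and read of container DN": ldap_bind_check(url, bind_dn, pwd, base),
    }
    for name, ok in results.items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}")
    return 0 if all(results.values()) else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as the same user that will run enable_activedirectory; a FAIL on the kinit or bind line usually means a wrong realm, DN or password, while a FAIL on reachability points at a security list or firewall between the un0 node and the domain controller.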

Updating Active Directory Bind User Passwords Using the enable_activedirectory Utility

Use the enable_activedirectory utility to update a configured Active Directory (AD) bind user password in LDAP-integrated services when the AD user's password is changed or rotated.

Note

Use this option for Big Data Service 3.3.0 and later.
  1. Connect to the un0 node through a command shell, using Secure Shell (SSH).
  2. To update the same password for all services (Kerberos, Ambari, Hue, Ranger) in one go, run this command:
    sudo enable_activedirectory -u

    Enter this information:

    • Ambari password: <AMBARI_ADMIN_PWD>
    • AD Bind User Password: <AD_BIND_USER_PWD>
  3. To update specific services, use the -s option:
    sudo enable_activedirectory -u -s <space separated services>
    The available options are: Kerberos Ambari Hue Ranger.
    Note

    • Without -s (no services specified), the utility applies the same AD bind user password to all supported services.
    • With multiple services specified in -s (space-separated), the same AD bind user password is applied to those services only. For example:
      sudo enable_activedirectory -u -s Ranger Hue Ambari
    • If different services require different AD bind users or passwords, run the utility separately for each service. For example:
      sudo enable_activedirectory -u -s Ranger
    • You don't need to update the JupyterHub configuration when an Active Directory (AD) user's password is changed or rotated. JupyterHub uses direct bind for LDAP authentication, so AD users can sign in both before and after their password changes.

Using Ambari

  1. Access Apache Ambari.
  2. From the side toolbar, under Cluster Admin select Kerberos.
  3. Select Enable Kerberos, and then perform the following actions:
    1. Under What type of KDC do you plan on using?, select Existing Active Directory.
    2. Under Existing Active Directory, select all the check boxes.
    3. Select Next.
  4. Configure Kerberos as follows:
    1. Input Active Directory properties:
      • KDC Hosts: <AD_SERVER_FQDN>
      • Realm name: <AD_REALM_NAME>
      • LDAP url: ldaps://<AD_FQDN>:636 (recommended) or ldap://<AD_FQDN>:389. Prefer ldaps, because a plain ldap:// simple bind sends the bind user password in clear text.
      • Container DN: <AD_SEARCH_BASE>
      • Kadmin host: <AD_FQDN>:749
      • Admin principal: <AD_BIND_USER_NAME>@<AD_REALM_NAME_LOWER>
      • Admin password: <AD_BIND_USER_PWD>
    2. Select Save Admin Credentials.
    3. Select Next.
  5. After the Kerberos service has been installed and tested successfully, select Next.
  6. To configure identities, accept the default values and select Next.
  7. Confirm the configuration:
    1. (Optional) To download a CSV file of the principals and keytabs that Apache Ambari created, select Download CSV.
    2. Review the configuration, and then select Next.
  8. Start and test services.
    If you receive errors, you can run the tests again by selecting Retry.
  9. Select Complete.

Disabling Kerberos

This applies to clusters that have the Kafka and Ranger services installed. Disabling Kerberos on a secure/HA cluster must be done in the right order to avoid a Kafka service check failure. Use one of the following approaches.

Disabling KDC

To set up the Active Directory KDC, you must first disable the MIT KDC.

Important

If the Kafka Ranger plugin is installed, follow the steps to disable Kerberos instead.
  1. Access Apache Ambari.
  2. From the side toolbar, under Cluster Admin select Kerberos.
  3. Select Disable Kerberos.
  4. Follow the Disable Kerberos wizard, and then select Complete.

Disabling KDC when the Kafka Ranger Plugin is Installed

Method 1 (Recommended)

If Kerberos is enabled, then:

  1. Disable the Kafka Ranger plugin from Ambari:
    1. Sign in to Ambari.
    2. From the side toolbar, under Services select Ranger.
    3. Select Configs, and then select Ranger Plugin.
    4. Turn off the Kafka Ranger plugin, save the configuration, and restart the services that Ambari marks as requiring a restart.
  2. Disable Kerberos.
  3. Enable the Kafka Ranger plugin if it's required.

Method 2

If Kerberos is currently enabled and you don't want to disable the Kafka Ranger plugin, then:

  1. Go to Ranger and navigate to the policies for Kafka Service.
  2. Add the public group to the all - topic and all - cluster policies. If those policies don't exist, create them. The aim is to grant the public group access to all topic and cluster resources needed for the Kafka service check.
  3. Disable Kerberos.
  4. Remove the public group entries that were added above. Leaving them in place would let any unauthenticated client access every Kafka topic and the cluster, since Kerberos no longer identifies callers.
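
Because the temporary public grant in Method 2 is exactly the kind of change that gets forgotten, it helps to script both halves so that the revoke step removes precisely what the grant step added and nothing else. The script below is an added example, not a Big Data Service or Ranger tool; it uses the Ranger Admin public REST API v2 with basic authentication. The Ranger URL, admin credentials and Kafka service name come from environment variables with assumed names (RANGER_URL, RANGER_USER, RANGER_PWD, RANGER_KAFKA_SERVICE), the policies are assumed to already exist (a missing policy raises an HTTP 404 error rather than being created), and the list of Kafka access types is the one in the Ranger 2.x Kafka service definition, so adjust it to your cluster's service definition if it differs.

```python
#!/usr/bin/env python3
"""Grant, then revoke, `public` on the Kafka "all - topic" and "all - cluster" Ranger
policies around a Kerberos disable (added example, not a BDS or Ranger tool)."""
import base64
import copy
import json
import os
import sys
import urllib.parse
import urllib.request

# Assumed environment variable names; the defaults are placeholders.
RANGER_URL = os.environ.get("RANGER_URL", "https://ranger.example.internal:6182")
RANGER_USER = os.environ.get("RANGER_USER", "admin")
RANGER_PWD = os.environ.get("RANGER_PWD", "")
KAFKA_SERVICE = os.environ.get("RANGER_KAFKA_SERVICE", "bds_kafka")  # assumed name
POLICIES = ("all - topic", "all - cluster")
# Kafka access types from the Ranger 2.x Kafka service definition.
KAFKA_ACCESSES = ("publish", "consume", "configure", "describe", "create", "delete",
                  "kafka_admin", "idempotent_write", "describe_configs", "alter_configs",
                  "alter", "cluster_action")


def public_item(accesses=KAFKA_ACCESSES) -> dict:
    """The exact policy item we add; revoke_public removes only items equal to it."""
    return {"accesses": [{"type": a, "isAllowed": True} for a in accesses],
            "users": [], "groups": ["public"], "roles": [], "conditions": [],
            "delegateAdmin": False}


def grant_public(policy: dict) -> dict:
    """Return a copy of `policy` with the public item appended (idempotent)."""
    p = copy.deepcopy(policy)
    items = p.setdefault("policyItems", [])
    if public_item() not in items:
        items.append(public_item())
    return p


def revoke_public(policy: dict) -> dict:
    """Return a copy with only our item removed; a pre-existing `public` grant is left alone."""
    p = copy.deepcopy(policy)
    p["policyItems"] = [i for i in p.get("policyItems", []) if i != public_item()]
    return p


def grants_public(policy: dict) -> bool:
    """True if any policy item in the policy is open to the `public` group."""
    return any("public" in i.get("groups", []) for i in policy.get("policyItems", []))


def _request(method: str, path: str, body=None) -> dict:
    token = base64.b64encode(f"{RANGER_USER}:{RANGER_PWD}".encode()).decode()
    req = urllib.request.Request(
        RANGER_URL + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Basic " + token, "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def get_policy(name: str) -> dict:
    return _request("GET", f"/service/public/v2/api/service/{urllib.parse.quote(KAFKA_SERVICE)}"
                           f"/policy/{urllib.parse.quote(name)}")


def put_policy(policy: dict) -> dict:
    return _request("PUT", f"/service/public/v2/api/policy/{policy['id']}", policy)


def main(action: str) -> int:
    change = {"grant": grant_public, "revoke": revoke_public}[action]
    for name in POLICIES:
        updated = put_policy(change(get_policy(name)))
        state = "present" if grants_public(updated) else "absent"
        print(f"{name}: public access {state}")
        if action == "revoke" and grants_public(updated):
            print(f"  warning: {name!r} still grants public access through another policy item")
    return 0


if __name__ == "__main__":
    if len(sys.argv) != 2 or sys.argv[1] not in ("grant", "revoke"):
        sys.exit("usage: kafka_public_toggle.py grant|revoke")
    sys.exit(main(sys.argv[1]))
```

Run `grant` before step 3 (Disable Kerberos) and `revoke` as step 4; the warning on revoke is the check that matters, because it flags a public grant that predates this procedure and would otherwise survive unnoticed.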

Method 3

If Kerberos is already disabled and the Kafka service check has already failed, then:

  1. Disable the Kafka Ranger plugin as mentioned under Method 1.
  2. Restart the Kafka service as required.
  3. Enable the Kafka Ranger plugin.

Note

Public group access to all - topic policy is required for Kafka service check (Kafka > Actions > Run Service Check) after disabling Kerberos.