hawq-dev mailing list archives

From radarwave <...@git.apache.org>
Subject [GitHub] incubator-hawq-docs pull request #131: Document extending KDC ticket interva...
Date Wed, 11 Oct 2017 10:07:43 GMT
Github user radarwave commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/131#discussion_r143965363
  
    --- Diff: markdown/clientaccess/kerberos.html.md.erb ---
    @@ -697,3 +753,172 @@ Follow these steps to install and configure a Kerberos KDC server
on a Red Hat E
         root@kdc-server$ /sbin/chkconfig krb5kdc on
         root@kdc-server$ /sbin/chkconfig kadmin on
         ```
    +    
    +### <a id="task_setup_kdc_ad"></a>Install and Configure KDC Server on Active
Directory
    +
    +Follow these steps to install and configure a Kerberos KDC server on a Windows host with
Active Directory. 
    +
    +1. Log into the Windows server as a user with administrator permissions. 
    +
    +2. From the **Start** menu, select **Control Panel** \> **Adminisrative Tools** \>
**Active Directory Users and Computers**. 
    +
    +   Note: If there is no entry for **Active Directory Users and Computers**, Active Directory
service may not have been correctly installed. 
    +
    +3. Go to the DATALOCAL entry in the directory tree of the **Active Directory Users and
Computers** window and  right click on **Managed Service Accounts**. 
    +
    +4.  Select **New** \> **User**.
    +
    +5.  A **New Object - User** popup window will appear. In the **First name:** window,
enter `gpadmin` and also enter `gpadnub` as the **User logon name**.
    +
    +6. Click **Next**. Create and confirm a password. Enable the checkbox for **Password
never expires**. Click **Next**, then **Finish**. 
    +
    +7. Log into Windows as Administrator. Depending on your Windows environment, either open
a Windows power shell or click **Start** and open a command prompt session and select **Run
as Administrator** \> **Yes** to open an administrator window.
    +
    +8. Add a Service Principal Name (SPN) for the account just created:
    +
    +   ``` shell
    +   PS C:\Users\Administrator> setspn -A postgres/hdp3.example.com gpadmin
    +   ```
    +   
    +9. Generate a keytab file by using the `ktpass` command. This command takes the form:
    +
    +   ``` shell
    +   ktpass -princ postgres/<FQDN of HDB master> -pass <password> -mapuser
<Managed Service Account name> -crypto ALL -ptype KRB5_NT_PRINCIPAL -out <keytab
filename> -kvno 0 
    +   ```
    +   For example, to create `hdp3.keytab` for gpadmin on hdp3.mydomain.com@DATA.LOCAL:
    +   
    +   ``` shell
    +   PS C:\Users\Administrator> ktpass -princ postgres/hdp3.mydomain.com@DATA.LOCAL
-pass abcd1234 -mapuser gpadmin -crypto ALL -ptype KRB5_NT_PRINCIPAL -out hdp3.keytab -kvno
0
    +   
    +   Targeting domain controller: WIN-TIH2EBEERUK.DATA.LOCAL
    +   
    +   Using legacy password setting method
    +   Key created.
    +   Key created.
    +   Key created.
    +   Key created.
    +   Key created.
    +   Output keytab to hdp3.keytab:
    +   Keytab version: 0x502
    +   keysize 61 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0
etype 0x1 (DES-CBC-CRC) keylength 8 (0xa8d0405789a8469e)
    +keysize 61 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype
0x3 (DES-CBC-MD5) keylength 8 (0xa8d0405789a8469e)
    +keysize 69 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype
0x17 (RC4-HMAC) keylength 16 (0x161cff084477fe596a5db81874498a24)
    +keysize 85 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype
0x12 (AES256-SHA1) keylength 32 (0x20648bd82de77bf66a1dcac4b3050bc308f2cc38f4a13e814ad5bd30e67ef388)
    +keysize 69 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype
0x11 (AES128-SHA1) keylength 16 (0xa026bb25aa495af5334cd4f185d33071):
    +   ```
    +   
    +10. Transfer the generated keytab file to the HDB master. For example:
    +
    +    ``` shell
    +    root@kdc-server$ scp /etc/ad_keytab/keytabs/hawq.service.keytab <master>:/etc/ad_keytab/keytabs/hawq.service.keytab
    +    ```
    +Change the ownership of the keytab file to `gpadmin:gpadmin` and the mode to `600`. 
    +
    +
    +    ``` shell
    +    root@kdc-server$ ssh <master> chown gpadmin:gpadmin /etc/ad_keytab/keytabs/hawq.service.keytab
    +    root@kdc-server$ ssh <master> chmod 600 /etc/ad_keytab/keytabs/hawq.service.keytab
    +    ```
    +    
    +***Can you use automated kerberos setup on Ambari?**
    +
    +11. Log into HAWQ through the administrator window and install the Kerberos packages
on the HAWQ master. 
    +
    +12. Change the ticket renewal interval.
    +
    +13. Edit the `.etc/krb5.conf` configuration file to define the Kerberos realm for the
cluster. 
    +
    +   **Can you set up with PS C:\Users\Administrator> ? What if you use Ambari? This
page has commands for Powershell: 
    +   https://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/**
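Review bot: In step 9, `-crypto ALL` produces DES-CBC-CRC, DES-CBC-MD5 and RC4-HMAC keys alongside the AES keys, as the sample output shows (`etype 0x1 (DES-CBC-CRC)`, `etype 0x3 (DES-CBC-MD5)`, `etype 0x17 (RC4-HMAC)`); for the keytab the HAWQ master authenticates with, consider documenting `-crypto AES256-SHA1` (or `AES128-SHA1`) instead, so the keytab only carries the AES enctypes that appear in the last two output lines. Other points to fix before merge: step 5 asks for `gpadmin` as the first name but `gpadnub` as the logon name; step 8 registers the SPN for `hdp3.example.com` while the ktpass example uses `hdp3.mydomain.com@DATA.LOCAL` (and step 3 refers to `DATALOCAL`), so one host name and realm should be used throughout; step 10 copies `/etc/ad_keytab/keytabs/hawq.service.keytab` from `root@kdc-server` although step 9 wrote `hdp3.keytab` on the Windows host, so the transfer should start from that file and say where the command is run; `.etc/krb5.conf` in step 13 should read `/etc/krb5.conf`; step 12 ("Change the ticket renewal interval.") has no instructions under it; and the bolded questions after step 10 and after step 13 (`***Can you use automated kerberos setup on Ambari?**` and the Ambari/PowerShell link) are author notes that should not ship in the page, the first with mismatched `***`/`**` markup.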
    --- End diff --
    
    We can remove the reference to this link as it's kind of out of date and does not have too much
value for our settings. 

