Configure Kerberos Authentication Using Active Directory KDC Only (Recommended)
Configure Kerberos authentication using Active Directory KDC only for Big Data Service.
The Big Data Service cluster provisions a local MIT KDC by default. Use the Kerberos wizard to disable the MIT KDC and enable the Active Directory KDC.
Enabling Kerberos Using Existing Active Directory
Enable Kerberos using existing Active Directory on a Big Data Service cluster.
Use one of the following options:
- Using the enable_activedirectory Utility (recommended): Use this option for Big Data Service 3.0.27 and later.
- Using Ambari
Disabling Kerberos
This applies to clusters that have the Kafka and Ranger services installed. Disabling Kerberos on a secure/HA cluster must be done correctly to avoid a Kafka service check failure. Use one of the following approaches.
Disabling KDC
To set up the Active Directory KDC, you must first disable the MIT KDC.
- Access Apache Ambari.
- From the side toolbar, under Cluster Admin click Kerberos.
- Click Disable Kerberos.
- Follow the Disable Kerberos wizard, and then click Complete.
Disabling KDC when the Kafka Ranger Plugin is Installed
Method 1 (Recommended)
If Kerberos is enabled, then:
- Disable the Kafka Ranger plugin from Ambari:
  - Sign in to Ambari.
  - From the side toolbar, under Services click Ranger.
  - Click Configs, and then click Ranger Plugin.
- Disable Kerberos.
- Enable the Kafka Ranger plugin if it is required.
Method 2
If Kerberos is currently enabled and you do not want to disable the Kafka Ranger plugin, then:
- Go to Ranger and navigate to the policies for Kafka Service.
- Add the public group to the all - topic and all - cluster policies. If those policies do not exist, create them. The aim is to grant the public group access to all topic and cluster resources needed for the Kafka service check.
- Disable Kerberos.
- Remove the public groups that were added above.
Method 3
If Kerberos is already disabled and the Kafka service check has already failed, then:
- Disable the Kafka Ranger plugin as mentioned under Method 1.
- Restart the Kafka service as required.
- Enable the Kafka Ranger plugin.
Public group access to the all - topic policy is required for the Kafka service check (Kafka > Actions > Run Service Check) after disabling Kerberos.