cloudera.cluster.cm_kerberos module – Manage and configure Kerberos Authentication for CDP

Note

This module is part of the cloudera.cluster collection (version 5.0.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cloudera.cluster. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: cloudera.cluster.cm_kerberos.

New in cloudera.cluster 5.0.0

Synopsis

  • Manages Kerberos authentication and configuration in Cloudera Manager.

  • Imports the KDC Account Manager credentials needed by Cloudera Manager to create Kerberos principals.

Requirements

The below requirements are needed on the host that executes this module.

  • cm_client

Parameters

Parameter

Comments

ad_account_prefix

string

Prefix used in names while creating accounts in Active Directory.

The prefix can be up to 15 characters long and can be set to identify accounts used for authentication by CDH processes.

Used only if kdc_type='Active Directory'.

ad_delete_on_regenerate

boolean

Active Directory Delete Accounts on Credential Regeneration.

Set this option to true if regeneration of credentials should automatically delete the associated Active Directory accounts.

Used only if kdc_type='Active Directory'.

Choices:

  • false

  • true

ad_kdc_domain

string

Active Directory suffix where all the accounts used by CDH daemons will be created.

Used only if kdc_type='Active Directory'.

ad_set_encryption_types

boolean

Set this true if creation of Active Directory accounts should automatically turn on the associated encryption types represented by the msDS-EncryptionTypes field.

Used only if kdc_type='Active Directory'.

Choices:

  • false

  • true

force

string

Forces an attempt to generate the KDC Account Manager credentials even if Kerberos is already determined to be enabled.

Applicable only when state is present.

gen_keytab_script

string

Custom Kerberos Keytab Retrieval Script.

Specify the path to a custom script, or executable, to retrieve a Kerberos keytab.

The target script should accept two arguments: a destination path for the resulting keytab and the full principal name of the owner of the keytab.

kdc_account_creation_host_override

string

Active Directory Domain Controller host override.

This parameter should be used when multiple Active Directory Domain Controllers are behind a load-balancer.

Set this parameter to the address of one specific AD Domain Controller.

This setting is used only while creating accounts. CDH services use the value of kdc_host while authenticating.

Used only if kdc_type='Active Directory'.

kdc_admin_host

string

KDC Admin Server Host.

The port number is optional and can be provided as hostname:port.

kdc_admin_password

string

Password of the Kerberos Account Manager used to create Kerberos principals.

kdc_admin_user

string

Username of the Kerberos Account Manager used to create Kerberos principals.

The Kerberos realm must be specified in the principal name, for example username@CLDR.EXAMPLE.

kdc_host

string

KDC Server Host.

The port number is optional and can be provided as hostname:port.

kdc_type

string

Type of Kerberos key distribution center (KDC) used for authentication.

Choices:

  • "MIT KDC"

  • "Active Directory"

  • "Red Hat IPA"

krb_auth_enable

boolean

Enable SPNEGO/Kerberos Authentication for the Admin Console and API.

Choices:

  • false

  • true

krb_enc_types

list / elements=string

Kerberos Encryption Types supported by the KDC to set in Cloudera Manager configuration.

message

aliases: msg

string

Message to log for any changes to the entity.

Default: "Managed by Ansible"

security_realm

string

Kerberos Security Realm to set in Cloudera Manager configuration.

Changing this variable removes existing credentials and keytabs from Cloudera Manager and will attempt to re-generate these credentials.

state

string

The declarative state of Kerberos configuration.

Choices:

  • "present" ← (default)

  • "absent"

url

aliases: endpoint, cm_endpoint_url

string

The CM API endpoint URL; it should include scheme, host, port, and API root path.

Mutually exclusive with host.

Notes

  • Using purge=yes will remove the Cloudera Manager configurations set by this module.

  • Requires cm_client.

See Also

cloudera.cluster.cm_config

Manage the configuration of Cloudera Manager.

Examples

- name: Enable Kerberos
  cloudera.cluster.cm_kerberos:
    host: example.cloudera.com
    username: "jane_smith"
    password: "S&peR4Ec*re"
    security_realm: "CLDR.INTERNAL"
    kdc_type: "Red Hat IPA"
    krb_enc_types:
      - aes256-cts
      - aes128-cts
      - rc4-hmac
    kdc_admin_host: "freeipa.cldr.internal"
    kdc_host: "freeipa.cldr.internal"
    kdc_admin_user: "admin@CLDR.INTERNAL"
    kdc_admin_password: "kdcExamplePass"
    state: present

- name: Disable Kerberos
  cloudera.cluster.cm_kerberos:
    host: example.cloudera.com
    username: "jane_smith"
    password: "S&peR4Ec*re"
    state: absent
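The following playbook is an added example, not part of the collection's own documentation: it enables Kerberos against an MIT KDC with credentials taken from Ansible Vault, keeps the KDC admin password out of task output, and then checks the returned cm_config so the play fails if the realm is wrong or a weak encryption type is enabled. The hostnames, the vault variables, and the Cloudera Manager configuration names SECURITY_REALM and KRB_ENC_TYPES are assumptions; confirm the names against the cm_config your CM actually returns.

```yaml
# Added example (not from the cloudera.cluster docs): enable Kerberos, then verify
# the Cloudera Manager configuration the module reports back.
# Assumes cm_username, cm_password and kdc_admin_password come from ansible-vault,
# and that CM reports the realm and encryption types under the (assumed) config
# names SECURITY_REALM and KRB_ENC_TYPES.
- name: Enable Kerberos and verify the resulting Cloudera Manager configuration
  hosts: localhost
  gather_facts: false
  vars:
    # Encryption types that should not appear in a hardened configuration.
    weak_enc_types: ["rc4-hmac", "des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1"]
  tasks:
    - name: Enable Kerberos with an MIT KDC
      cloudera.cluster.cm_kerberos:
        host: cm.example.internal              # placeholder hostname
        username: "{{ cm_username }}"
        password: "{{ cm_password }}"          # vaulted
        security_realm: "EXAMPLE.INTERNAL"
        kdc_type: "MIT KDC"
        krb_enc_types:                         # AES only, no RC4/DES
          - aes256-cts
          - aes128-cts
        kdc_host: "kdc.example.internal"
        kdc_admin_host: "kdc.example.internal:749"
        kdc_admin_user: "cm_admin@EXAMPLE.INTERNAL"
        kdc_admin_password: "{{ kdc_admin_password }}"  # vaulted
        state: present
      no_log: true        # keep the KDC admin password out of logs and callbacks
      register: krb_result

    - name: Extract the Kerberos settings Cloudera Manager now reports
      ansible.builtin.set_fact:
        cm_realm: "{{ krb_result.cm_config | selectattr('name', 'equalto', 'SECURITY_REALM') | map(attribute='value') | first | default('') }}"
        cm_enc_types: "{{ krb_result.cm_config | selectattr('name', 'equalto', 'KRB_ENC_TYPES') | map(attribute='value') | first | default('') }}"

    - name: Fail if the realm is wrong or a weak encryption type is enabled
      ansible.builtin.assert:
        that:
          - cm_realm == 'EXAMPLE.INTERNAL'
          - cm_enc_types | length > 0
          # KRB_ENC_TYPES is a space-separated string in CM; split before comparing.
          - cm_enc_types.split() | intersect(weak_enc_types) | length == 0
        fail_msg: "Realm is '{{ cm_realm }}', encryption types are '{{ cm_enc_types }}'"
```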

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

cm_config

list / elements=dictionary

Cloudera Manager Server configurations with Kerberos settings where available.

Returned: always

default

string

The default value.

Returned: when supported

description

string

A textual description of the parameter.

Returned: when supported

display_name

string

A user-friendly name for the parameter, as shown in the web UI.

Returned: when supported

name

string

The canonical name that identifies this configuration parameter.

Returned: always

string

If applicable, contains the related configuration variable used by the source project.

Returned: when supported

required

boolean

Whether this configuration is required for the object.

If any required configuration is not set, operations on the object may not work.

Returned: when supported

sensitive

boolean

Whether this configuration is sensitive, i.e. contains information such as passwords.

This may affect how the caller shares the value of this configuration.

Returned: when supported

validate_state

string

State of the configuration parameter after validation.

For example, OK, WARNING, and ERROR.

Returned: when supported

validation_message

string

A message explaining the parameter’s validation state.

Returned: when supported

validation_warnings_suppressed

boolean

Whether validation warnings associated with this parameter are suppressed.

In general, suppressed validation warnings are hidden in the Cloudera Manager UI.

Configurations that do not produce warnings will not contain this field.

Returned: when supported

value

string

The user-defined value.

When absent, the default value (if any) will be used.

Can also be absent, when enumerating allowed configs.

Returned: when supported

Authors

  • Jim Enright (@jimright)