cloudera.cluster.cm_kerberos module – Manage and configure Kerberos Authentication for CDP
Note
This module is part of the cloudera.cluster collection (version 5.0.0).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cloudera.cluster.
You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: cloudera.cluster.cm_kerberos.
New in cloudera.cluster 5.0.0
Synopsis
Manages Kerberos authentication and configuration in Cloudera Manager.
Imports the KDC Account Manager credentials needed by Cloudera Manager to create Kerberos principals.
Requirements
The below requirements are needed on the host that executes this module.
cm_client
Parameters
Parameter |
Comments |
---|---|
Prefix used in names while creating accounts in Active Directory. The prefix can be up to 15 characters long and can be set to identify accounts used for authentication by CDH processes. Used only if |
|
Active Directory Delete Accounts on Credential Regeneration. Set this option to Used only if Choices:
|
|
Active Directory suffix where all the accounts used by CDH daemons will be created. Used only if |
|
Set this Used only if Choices:
|
|
Forces an attempt to generate the KDC Account Manager credentials even if Kerberos is already determined to be enabled. Applicable only when |
|
Custom Kerberos Keytab Retrieval Script. Specify the path to a custom script, or executable, to retrieve a Kerberos keytab. The target script should accept two arguments: a destination path for the resulting keytab and the full principal name of the owner of the keytab. |
|
Active Directory Domain Controller host override. This parameter should be used when multiple Active Directory Domain Controllers are behind a load-balancer. This parameter should be set to the address of one of the AD Domain Controllers. This setting is used only while creating accounts. CDH services use the value entered in the Only applicable if |
|
KDC Admin Server Host. Port number is optional and can be provided as |
|
Password of the Kerberos Account Manager to create Kerberos principals. |
|
Username of the Kerberos Account Manager to create Kerberos principals. The Kerberos realm must be specified in the principal name, for example |
|
KDC Server Host. Port number is optional and can be provided as |
|
Type of KDC Kerberos key distribution center (KDC) used for authentication. Choices:
|
|
Enable SPNEGO/Kerberos Authentication for the Admin Console and API Choices:
|
|
Kerberos Encryption Types supported by the KDC to set in Cloudera Manager configuration. |
|
Message to log for any changes to the entity. Default: |
|
Kerberos Security Realm to set in Cloudera Manager configuration. Changing this variable removes existing credentials and keytabs from Cloudera Manager and will attempt to re-generate these credentials. |
|
The declarative state of Kerberos configuration. Choices:
|
|
The CM API endpoint URL. It should include the scheme, host, port, and API root path. Mutually exclusive with host. |
Notes
Note
Using purge=yes will remove the Cloudera Manager configurations set by this module.
Requires cm_client.
See Also
See also
- cloudera.cluster.cm_config
Manage the configuration of Cloudera Manager.
Examples
```yaml
# Configure Cloudera Manager for Kerberos against a Red Hat IPA KDC.
- name: Enable Kerberos
  cloudera.cluster.cm_kerberos:
    host: example.cloudera.com
    username: "jane_smith"
    password: "S&peR4Ec*re"
    security_realm: "CLDR.INTERNAL"
    kdc_type: "Red Hat IPA"
    # rc4-hmac is a legacy encryption type (deprecated for Kerberos by RFC 8429).
    krb_enc_types: "aes256-cts aes128-cts rc4-hmac"
    kdc_admin_host: "freeipa.cldr.internal"
    kdc_host: "freeipa.cldr.internal"
    kdc_admin_user: "admin@CLDR.INTERNAL"
    kdc_admin_password: "kdcExamplePass"
    state: present

# Remove the Kerberos configuration from Cloudera Manager.
- name: Disable Kerberos
  cloudera.cluster.cm_kerberos:
    host: example.cloudera.com
    username: "jane_smith"
    password: "S&peR4Ec*re"
    state: absent
```
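The Enable Kerberos task above, as an added example that is not part of the module's own documentation: both passwords come from an Ansible Vault file, and the play refuses to run if a legacy encryption type is requested. The vars file path vault/kerberos.yml, the playbook name enable_kerberos.yml, and the variable names vault_cm_password and vault_kdc_admin_password are assumptions.

```yaml
---
# Added example, not from the module documentation.
# Assumptions: vault/kerberos.yml (encrypted with `ansible-vault encrypt`) defines
# vault_cm_password and vault_kdc_admin_password; both names are hypothetical.
# Run with: ansible-playbook enable_kerberos.yml --ask-vault-pass
- name: Enable Kerberos without clear-text secrets or legacy encryption types
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - vault/kerberos.yml
  vars:
    krb_enc_types: "aes256-cts aes128-cts"
    # Encryption types deprecated for Kerberos (DES, 3DES, RC4).
    legacy_enc_types:
      - des-cbc-crc
      - des-cbc-md5
      - des3-cbc-sha1
      - rc4-hmac
      - arcfour-hmac
  tasks:
    - name: Fail early if a legacy encryption type is requested
      ansible.builtin.assert:
        that:
          - krb_enc_types.split() | intersect(legacy_enc_types) | length == 0
        fail_msg: "krb_enc_types lists a legacy encryption type: {{ krb_enc_types }}"

    - name: Enable Kerberos
      cloudera.cluster.cm_kerberos:
        host: example.cloudera.com
        username: "jane_smith"
        password: "{{ vault_cm_password }}"
        security_realm: "CLDR.INTERNAL"
        kdc_type: "Red Hat IPA"
        krb_enc_types: "{{ krb_enc_types }}"
        kdc_admin_host: "freeipa.cldr.internal"
        kdc_host: "freeipa.cldr.internal"
        kdc_admin_user: "admin@CLDR.INTERNAL"
        kdc_admin_password: "{{ vault_kdc_admin_password }}"
        state: present
      no_log: true  # keep module arguments and results out of task output and logs
```

Dropping rc4-hmac only works if the KDC and every client in the realm can negotiate AES; check that before applying the change to an existing cluster.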
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key |
Description |
---|---|
Cloudera Manager Server configurations with Kerberos settings where available. Returned: always |
|
The default value. Returned: when supported |
|
A textual description of the parameter. Returned: when supported |
|
A user-friendly name of the parameters, as would have been shown in the web UI. Returned: when supported |
|
The canonical name that identifies this configuration parameter. Returned: always |
|
If applicable, contains the related configuration variable used by the source project. Returned: when supported |
|
Whether this configuration is required for the object. If any required configuration is not set, operations on the object may not work. Returned: when supported |
|
Whether this configuration is sensitive, i.e. contains information such as passwords. This parameter might affect how the value of this configuration might be shared by the caller. Returned: when supported |
|
State of the configuration parameter after validation. For example, Returned: when supported |
|
A message explaining the parameter’s validation state. Returned: when supported |
|
Whether validation warnings associated with this parameter are suppressed. In general, suppressed validation warnings are hidden in the Cloudera Manager UI. Configurations that do not produce warnings will not contain this field. Returned: when supported |
|
The user-defined value. When absent, the default value (if any) will be used. Can also be absent, when enumerating allowed configs. Returned: when supported |