It is well documented that Isilon requires valid sAMAccountName values in Active Directory (AD) to support the Kerberization of Ambari-based HDP clusters. The installation guides describe this behaviour in detail and explain the manual modifications we usually make to AD to meet the requirement; the approach shown here modifies Ambari so that the wizard makes the required updates for us.


Review the following documents for additional details on the overall Kerberization integration.


Historically, modifying the sAMAccountName attribute on the Ambari UPNs has been a manual process, but a small change to the Kerberization template lets us automate it relatively easily.


The general approach is to create a unique UPN and sAMAccountName by appending a cluster-specific suffix to each principal, which supports multitenancy as described in the docs.


The Kerberos Wizard field used for this is the Principal Suffix; it is appended to the end of all Ambari-generated principals using the variable -${cluster_name|toLower()}

[Screenshot: 3.png]

By default this variable is the deployed Hortonworks Hadoop cluster name. It is important to note that UPNs have no practical character limit (255 characters), but sAMAccountName does (20 characters). Since the generated name is the account's username plus the suffix, we have to account for this constraint when using the default value.


If the cluster name is short, 3 or 4 characters for example, the default cluster name value works fine: no generated principal will exceed 20 characters and Kerberization will succeed. If the cluster name is long, more than 5 characters, principals may exceed the limit and Kerberization will fail. In that case it is suggested to use a unique abbreviation of the cluster name as the suffix; simply modify the suffix variable before running the wizard.


Examples:

clustername = HDP2 - default cluster name principal suffix gives: username-hdp2 - < 20 characters, VALID

clustername = HortonworksPROD2 - principal suffix gives: username-hortonworksprod2 - > 20 characters, INVALID

clustername = HortonworksPROD2 - principal suffix manually modified to hwx2: username-hwx2 - < 20 characters, VALID


When manually overriding the default value of -${cluster_name|toLower()}, you must use a unique identifier and a lowercase suffix.


Example: clustername HortonworksPROD2, modified to hwx2

[Screenshot: 1.png]

Usually the Ambari wizard just creates a random 20-character string for the sAMAccountName when generating the AD principals. Since it is a required field in AD and neither Ambari nor HDP uses it, a unique random name is fine there. But, as described in the Isilon installation guides, OneFS uses this attribute for user lookup, so we need mapping rules to map Isilon accounts to these sAMAccountNames, and using a simple name identical to the UPN username is the recommended approach. This is similar to the Ambari Kerberos mapping rules.


Modifying the Ambari Kerberos configuration removes the need for manual edits to these attributes and instructs the wizard to create matching sAMAccountNames based on the UPN username.


Having validated the principal suffix as above, only a simple modification to the Kerberos template is needed: expand the Advanced kerberos-env section in the Kerberos tab. This can be done during initial Kerberization or when regenerating principals; once the template modifications are made they are persistent.

[Screenshot: 1.png]

Find the Account Attribute Template and add the following lines directly below the "servicePrincipalName": "$principal_name", line. That line sits inside the template's existing service-principal conditional, so the added #else branch applies only to principals that are not service principals:

#else
  "sAMAccountName": "$principal_primary",

The updated template, with the added attributes.

[Screenshot: 2.png]

With the template additions and a valid suffix, you can complete the Kerberization wizard as normal, following the installation guides.
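As an added worked example (not code from this article or from Ambari), the following Python checks a candidate suffix against the 20-character sAMAccountName limit described above and models which attributes the added #else branch produces for user principals but not for SPNs. The list of usernames is a constructed sample, and treating $principal_primary as the part of the principal before any "/" is an assumption about Ambari's template variables.

```python
# Added example, not from the article or from Ambari: checks a principal suffix
# against the 20-character sAMAccountName limit and models the attribute branch
# the modified Account Attribute Template produces for user vs. service principals.

SAM_ACCOUNT_NAME_MAX = 20  # AD sAMAccountName limit quoted in the article

# Constructed sample of the "username" part of Ambari-generated user principals;
# the real set depends on the services installed in the cluster.
SAMPLE_PRIMARIES = ["hdfs", "yarn", "ambari-qa", "hive", "hbase", "spark", "zookeeper"]


def principal_suffix(cluster_name, override=None):
    """Suffix the wizard appends: -${cluster_name|toLower()}, or a manual override."""
    base = override if override is not None else cluster_name
    return "-" + base.lower()


def check_suffix(suffix, primaries=SAMPLE_PRIMARIES):
    """Return (ok, problems). ok is False if the suffix is not lowercase or if any
    username + suffix would exceed the sAMAccountName limit."""
    problems = []
    if suffix != suffix.lower():
        problems.append("suffix must be lowercase: " + suffix)
    for primary in primaries:
        sam = primary + suffix
        if len(sam) > SAM_ACCOUNT_NAME_MAX:
            problems.append(f"{sam} is {len(sam)} chars (limit {SAM_ACCOUNT_NAME_MAX})")
    return (not problems, problems)


def template_attributes(principal, is_service):
    """Model the #if/#else branch of the Account Attribute Template.
    principal is the name without realm ("hdfs-hdp2" or "nn/host1.example.com");
    $principal_primary is assumed to be the part before any "/" (Ambari's naming)."""
    primary = principal.split("@", 1)[0].split("/", 1)[0]
    attrs = {"cn": principal}
    if is_service:
        attrs["servicePrincipalName"] = principal  # SPN branch: sAMAccountName stays random
    else:
        attrs["sAMAccountName"] = primary          # user branch: matches the UPN username
    return attrs


if __name__ == "__main__":
    for cluster, override in [("HDP2", None), ("HortonworksPROD2", None), ("HortonworksPROD2", "hwx2")]:
        suffix = principal_suffix(cluster, override)
        ok, problems = check_suffix(suffix)
        print(f"{cluster}: suffix {suffix} -> {'VALID' if ok else 'INVALID'}")
        for p in problems:
            print("   ", p)
```

Running the block reproduces the three cases from the examples above: the default suffix for HDP2 passes, the default for HortonworksPROD2 fails on the first username that reaches 21 characters, and the hwx2 override passes.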

[Screenshot: 4.png]

The wizard successfully creates the UPNs and SPNs in AD.

[Screenshot: 5.png]

Looking at the Ambari UPNs, we now see that the sAMAccountName attribute matches the user logon name and is no longer a random value.

[Screenshot: 6.png]

[Screenshot: 7.png]

This template change has no effect on the SPNs created by the wizard; since Isilon does not map these SPNs, we can leave them with a random name, as seen below.

[Screenshot: 8.png]

[Screenshot: 9.png]

Additional Steps That Must be Completed When Using This Approach:

To complete the setup with Isilon, mapping rules need to be added to the OneFS Access Zone to map the local Isilon service accounts to these UPNs. See the following document for additional details: Isilon OneFS with Ambari Multi-Tenant Active Directory Integration Guide


This approach simplifies the Ambari Kerberos integration with Isilon and requires fewer manual modifications within AD, making it easier and less complex to complete.


Isilon

Using Hadoop with Isilon - Isilon Info Hub

russ_stevenson