Kadmin can not create principle but kadmin.local can
I am enabling security mode on Cloudera 5 beta. with cloudera manager and after performing 8th step of security enabling document from here cloudera manager should fire Generate Credential command but it is not.
so what i am doing is to run the Generate Credential manually but it is giving me error inlogs ie.
KADMIN='kadmin -k -t /etc/cloudera-scm-server/cmf.keytab -p cloudera-scm/[email protected] -r IMP.CO.IN'
+ kadmin -k -t /etc/cloudera-scm-server/cmf.keytab -p cloudera-scm/[email protected] -r IMP.CO.IN -q 'addprinc -randkey hue/[email protected]'
WARNING: no policy specified for hue/[email protected]; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "hue/[email protected]".
+ kadmin -k -t /etc/cloudera-scm-server/cmf.keytab -p cloudera-scm/[email protected] -r IMP.CO.IN -q 'xst -k /tmp/cmf4198733808580266866.keytab hue/[email protected]'
kadmin: Operation requires ``change-password'' privilege while changing hue/[email protected]'s key
+ chmod 600 /tmp/cmf4198733808580266866.keytab
chmod: cannot access `/tmp/cmf4198733808580266866.keytab': No such file or directory
it seems that kadmin can not create principle.
my question is how can i give kadmin add principle privilege or how can i run this command using kadmin.local?
is there any way so i can get out of from this problem...
Answer
Some configuration are needed for providing a user principal to create any principle by using kadmin.
One has to edit kadm5.acl file and add below entry in kadm5.acl file:
*/[email protected]
Here * represents the wildcard, So the user principal who matches the string as provided in kadm5.acl will be able to create any principal for example:
root/[email protected]
After changing configuration one need to restart the Kerberos for taking the changes in effect. For more details refer this