This task should list all the steps to take before enabling Kerberos:
- Create user principals for various teams - T237605
- Create and deploy keytabs for all Hadoop daemons
  - Preliminary list in https://wikitech.wikimedia.org/wiki/Analytics/Systems/Kerberos#List_of_principals_and_their_keytabs_for_Hadoop
- Create and deploy system users and their keytabs to hosts (like analytics-search, etc.)
  - T238306
- Kerberize all the nodes that will need it, and deploy keytabs generated in the above step (This can be done separately and it is good to test if Kerberos works on all the nodes).
- Add analytics users (without SSH access) to all Hadoop worker nodes
- Add TLS keys for Master nodes if needed (may be needed only for workers, to be checked)
- Add druid and analytics search system users to all Hadoop worker nodes
- Disable Meta DB backup to HDFS
  - T231208
- Find a solution for labstore crons
  - T234229
- Test Kerberos with Presto (https://prestodb.github.io/docs/current/security/server.html)
- Create Oozie automation to get a snapshot of the current jobs and restart them
  - T237271
- Prepare Puppet patches to enable Kerberos
  - https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/549566/
  - TODO: add steps/patches for labstore crons
- Prepare a Refinery patch to add credentials to hive2 and spark actions.
  - https://gerrit.wikimedia.org/r/#/c/analytics/refinery/+/550945/