Certain configuration changes should be avoided when regenerating keytab files during different scenarios.
For example, existing non-Kerberos configurations should not be changed during the regenerate keytabs operation performed during an upgrade. However it is necessary for Kerberos identity-related configurations (such as keytab file paths and principal names) to be added and updated; as well as allow for new Kerberos-related configurations to be added.
To allow for this, a new update configuration policy value has been added to the set of directives (config_update_policy) allowed when issuing a call to regenerate keytab files. This directive replaces the less flexible ignore_config_updates directive which only allows a user to enable or disable the ability for the operation to change configurations. The values allowed for config_update_policy are as follows:
- none - No configurations will be updated
- identities_only - New and updated configurations related to Kerberos identity information - principal, keytab file, and auth-to-local rule properties
- new_and_identities - Only new configurations declared by the Kerberos descriptor and stack advisor as well as the identity-related changes
- all - All configuration changes
During an upgrade, the update configuration policy is set to new_and_identities.