Hadoop Security Guide

Configure Kerberos Hadoop Realm on the AD DC

Configure the Hadoop realm on the AD DC server and set up the one-way trust.

  1. Add the Hadoop Kerberos realm and KDC host to the DC:

    ksetup /addkdc $hadoop.realm $KDC-host

  2. Establish one-way trust between the AD domain and the Hadoop realm:

    netdom trust $hadoop.realm /Domain:$AD.domain /add /realm /passwordt:$trust_password
  3. (Optional) If Windows clients within the AD domain need to access Hadoop services, and the domain does not have a search route to find the services in the Hadoop realm, run the following command to create a host mapping for the Hadoop service host:

    ksetup /addhosttorealmmap $hadoop-service-host $hadoop.realm

    Note: Run the above command for each $hadoop-service-host that provides services that Windows clients need to access, for example, the Oozie host and the WebHCat host.

  4. (Optional) Define the encryption type:

    ksetup /SetEncTypeAttr $hadoop.realm $encryption_type

    Set encryption types based on your security requirements. Mismatched encryption types cause problems.

    Note: Run ksetup /GetEncTypeAttr $krb_realm to list the available encryption types. Verify that the encryption type is configured for the Hadoop realm in krb5.conf.
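
One way to carry out the krb5.conf check from the note above, as an added example that is not part of the original guide: it maps the encryption type name given to ksetup onto the MIT Kerberos spellings and reports whether each enctype setting in [libdefaults] admits it. The three setting names, the alias table and the sample krb5.conf are assumptions constructed for illustration.

```python
import re

# Windows ksetup enctype name -> MIT krb5 spellings (name, aliases, family).
KSETUP_TO_MIT = {
    "AES256-CTS-HMAC-SHA1-96": {"aes256-cts-hmac-sha1-96", "aes256-cts", "aes"},
    "AES128-CTS-HMAC-SHA1-96": {"aes128-cts-hmac-sha1-96", "aes128-cts", "aes"},
    "RC4-HMAC-MD5": {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "rc4"},
    "DES-CBC-MD5": {"des-cbc-md5", "des"},
    "DES-CBC-CRC": {"des-cbc-crc", "des"},
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Constructed sample krb5.conf, not taken from a real cluster.
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm = HADOOP.EXAMPLE.COM
default_tkt_enctypes = aes256-cts rc4-hmac
default_tgs_enctypes = aes128-cts-hmac-sha1-96
[domain_realm]
.hadoop.example.com = HADOOP.EXAMPLE.COM
"""

def libdefaults(conf_text):
    """Return the relations of the [libdefaults] section as a dict."""
    section, settings = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_enctype(conf_text, ksetup_enctype):
    """Per setting: 'ok', 'mismatch', or 'unset' (the library default decides)."""
    accepted = KSETUP_TO_MIT[ksetup_enctype.upper()]
    settings, report = libdefaults(conf_text), {}
    for key in ENCTYPE_KEYS:
        tokens = set(re.split(r"[\s,]+", settings.get(key, "").lower()))
        removed = {t[1:] for t in tokens if t.startswith("-")}  # "-aes" style removals
        if accepted & tokens and not accepted & removed:
            report[key] = "ok"
        elif (key not in settings or "default" in tokens) and not accepted & removed:
            report[key] = "unset"
        else:
            report[key] = "mismatch"
    return report
```

Calling check_enctype(SAMPLE_KRB5_CONF, "AES256-CTS-HMAC-SHA1-96") flags default_tgs_enctypes as a mismatch, because that line lists only the AES128 type.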