How to Configure Browser-based Interfaces to Require Kerberos Authentication

Access to the web (browser-based) consoles for HTTP services, such as HDFS, MapReduce, and YARN roles can be restricted to only those users with valid Kerberos credentials.

Required Role: Configurator, Cluster Administrator, or Full Administrator

After configuring the cluster services as detailed below, the web service and the browser negotiate the authentication process using SPNEGO. After following the steps detailed below for any specific service, all browsers that connect to the service over HTTP must have their configurations modified to handle SPNEGO. See “How to Configure Browsers for Kerberos Authentication”.

To require authentication for HTTP services on the cluster, including web-based user interfaces, such as the Cloudera Manager Admin Console, among others:
  1. From the Clusters tab, select the service (HDFS, MapReduce, or YARN) for which you want to enable authentication.
  2. Click the Configuration tab.
  3. Under the Scope filter, click service_name (Service-Wide).
  4. Under the Category filter, click Security to display the security configuration options.
  5. In the Enable Kerberos Authentication for HTTP Web-Consoles setting, click the box to activate authentication requirement for the selected service_name (Service-Wide).
  6. Click Save Changes to save the change.

Cloudera Manager generates new credentials for the service. When the process finishes, restart all roles for that service.

Repeat this process for the other services for which you want to require Kerberos authentication.

Configure your browser to support authentication to the HTTP services by following the appropriate steps for your browser in “How to Configure Browsers for Kerberos Authentication”.