Customizing Kerberos principals

How to configure custom service principals in Cloudera Manager.

By default, the Cloudera Manager Kerberos wizard configures CDP services to use the same Kerberos principals as the default process users. For example, the HDFS service uses the hdfs principal and the Hive service uses the hive principal. The advantage of this is that when Kerberos is enabled, no HDFS directory permissions need to be changed for the new principals. You can also configure custom service principals for CDP services.

Configuring Directory Permissions

Configure the following HDFS directories to give their corresponding custom service principals read, write and execute permissions.
Service          HDFS Directory
HBase            HBase Root Directory
Hive             Hive Warehouse Directory
                 /user/principal
Impala           /user/principal
MapReduce v1     /tmp/mapred
Oozie            Oozie ShareLib Root Directory
Solr             HDFS Data Directory
Spark on YARN    /user/principal
                 Spark History Location
                 Spark Jar Location

Configuring CDP Services

The following services require additional settings if you are using custom principals.

  • HDFS - If you have enabled synchronization of HDFS and Sentry permissions, add the Hive and Impala principals to the Sentry Authorization Provider Group property.
    1. Go to the HDFS service.
    2. Click Configuration.
    3. Select Scope > HDFS Service-Wide.
    4. Select Category > Security.
    5. Locate the Sentry Authorization Provider Group property and add the custom Hive and Impala principals.
    6. Click Save Changes.
  • YARN - The principals used by the YARN daemons should be part of the hadoop group so that they are allowed to read JobHistory Server data.
  • Impala - If you are running the Hue service with a custom principal, configure Impala to allow the Hue principal to impersonate other users.
    1. Go to the Impala service.
    2. Click Configuration.
    3. Select Scope > Impala (Service-Wide).
    4. Select Category > Policy File-Based Sentry.
    5. Locate the Proxy User Configuration property and add the custom Hue principal.
    6. Click Save Changes.
  • Spark on YARN - The principal used by the Spark service should be part of the spark group.
  • Cloudera Management Service
    1. Go to the Cloudera Management Service.
    2. Click Configuration.
    3. Search for kerberos.
    4. Locate the Reports Manager Kerberos Principal property and set it to a principal with administrative and superuser privileges on all HDFS services.
    5. Locate the Navigator Kerberos Principal for HDFS property and set it to a principal with administrative and superuser privileges on all HDFS services.
    6. Click Save Changes.

Incompatibilities

The following features do not work with custom principals:

  • Java KeyStore KMS and KeyTrustee KMS - If you are using either KMS with a custom principal, you must add the proxy user for the custom principal to the kms-site.xml safety valve. For example, if you have replaced the default oozie principal with oozieprinc, add the hadoop.kms.proxyuser.oozieprinc.groups and hadoop.kms.proxyuser.oozieprinc.hosts properties to the kms-site.xml safety valve.
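As an added illustration (not taken from the Cloudera documentation), the kms-site.xml safety valve entries for the oozieprinc example above look like this; the group name and host names are placeholders you replace with your own values.

```xml
<!-- Added to the KMS kms-site.xml safety valve in Cloudera Manager.
     Assumes the custom Oozie principal is "oozieprinc" (the page's example);
     the group and host values below are placeholders, not real settings. -->
<property>
  <name>hadoop.kms.proxyuser.oozieprinc.groups</name>
  <!-- Only members of these groups may be impersonated by oozieprinc.
       Prefer an explicit group list over "*" so impersonation stays scoped. -->
  <value>oozie</value>
</property>
<property>
  <name>hadoop.kms.proxyuser.oozieprinc.hosts</name>
  <!-- Hosts from which oozieprinc is allowed to impersonate; list the Oozie
       server hosts rather than "*" to limit where impersonation is accepted. -->
  <value>oozie-host1.example.com,oozie-host2.example.com</value>
</property>
```

After saving the safety valve, restart the KMS role so the new proxyuser settings take effect.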