Step 1: Verify Requirements and Assumptions
- The Kerberos instance has been set up, is running, and is available during the configuration process.
- The Cloudera cluster has been installed and is operational, with all services fully functional: Cloudera Manager Server, CDP, and Cloudera Manager Agent processes on all cluster nodes.
Hosts Configured for AES-256 Encryption
By default, CentOS and RHEL 6 (and higher) use AES-256 encryption for Kerberos tickets. If you use either of these platforms for your cluster, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File must be installed on all cluster hosts.
- Download the jce_policy-x.zip
- Unzip the file
- Follow the steps in the README.txt to install it.
Required Administrator Privileges
- Cluster Administrator or Full Administrator
- Kerberos administrator privileges: someone/admin@YOUR-DOMAIN.FQDN.EXAMPLE.COM
If you do not have administrator privileges on the Kerberos instance, you will need help from the Kerberos administrator before you can complete the process.
Required User (Service Account) Directories
During installation, the cloudera-scm account is created on the host system. When Cloudera Manager and CDP services are installed at the same time, Cloudera Manager creates other accounts as needed to support the service role daemons. However, if the CDP services and Cloudera Manager are installed separately, you may need to specifically set directory permissions for certain Hadoop user (service daemon) accounts for successful integration with Kerberos. The following table shows the accounts used for core service roles. Note that hdfs acts as superuser for the system.
User | Service Roles |
---|---|
hdfs | NameNode, DataNodes, Secondary NameNode (and HDFS superuser) |
mapred | JobTracker, TaskTrackers (MR1), Job History Server (YARN) |
yarn | ResourceManager, NodeManager (YARN) |
oozie | Oozie Server |
hue | Hue Server, Beeswax Server, Authorization Manager, Job Designer |
- For newly installed Cloudera clusters (Cloudera Manager and CDP installed at the same time)—The Cloudera Manager Agent process on each cluster host automatically configures the appropriate directory ownership when the cluster launches.
- For existing CDP clusters using HDFS and running MapReduce jobs prior to Cloudera Manager installation—The directory ownership must be manually configured, as shown in the table below. The directory owners must match those shown in the table so that the service daemons can set permissions as needed on each directory.
Directory Specified in this Property | Owner |
---|---|
dfs.name.dir | hdfs:hadoop |
dfs.data.dir | hdfs:hadoop |
mapred.local.dir | mapred:hadoop |
mapred.system.dir in HDFS | mapred:hadoop |
yarn.nodemanager.local-dirs | yarn:yarn |
yarn.nodemanager.log-dirs | yarn:yarn |
oozie.service.StoreService.jdbc.url (if using Derby) | oozie:oozie |
[[database]] name | hue:hue |
javax.jdo.option.ConnectionURL | hue:hue |
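One way to check the local directory ownership listed in the table above before enabling Kerberos, as an added example (not Cloudera's code): it reads the directory lists from the text of a Hadoop `*-site.xml` file and reports every path whose owner differs from the table. The function names are hypothetical, and it assumes property values are comma-separated local paths, optionally prefixed with `file://`; the remaining rows of the table (an HDFS path, a JDBC URL, database settings) need a different check.

```python
import grp
import os
import pwd
import xml.etree.ElementTree as ET

# Expected owners from the table above; only rows that name local directories.
EXPECTED = {
    "dfs.name.dir": "hdfs:hadoop",
    "dfs.data.dir": "hdfs:hadoop",
    "mapred.local.dir": "mapred:hadoop",
    "yarn.nodemanager.local-dirs": "yarn:yarn",
    "yarn.nodemanager.log-dirs": "yarn:yarn",
}

def read_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def owner_of(path):
    """Return 'user:group' for path, using numeric ids when no name exists."""
    st = os.stat(path)
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return f"{user}:{group}"

def audit(xml_text, expected=EXPECTED):
    """Return (property, path, expected, actual) for each wrong or missing dir."""
    props, findings = read_properties(xml_text), []
    for name, want in expected.items():
        for entry in filter(None, (p.strip() for p in props.get(name, "").split(","))):
            path = entry[len("file://"):] if entry.startswith("file://") else entry
            try:
                actual = owner_of(path)
            except FileNotFoundError:
                actual = "missing"
            if actual != want:
                findings.append((name, path, want, actual))
    return findings
```

Run `audit()` on each cluster host against that host's own configuration files, since the directory lists and their on-disk ownership are per host.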