Configuring Authentication in Cloudera Manager
Overview of configuring Cloudera authentication.
Cloudera clusters can be configured to use Kerberos for authentication using a manual configuration process or by using the configuration wizard available from the Cloudera Manager Admin Console. Cloudera recommends using the wizard because it automates many of the configuration and deployment tasks. In addition, enabling Kerberos on the cluster using the wizard also enables Kerberos authentication for all CDP components set up on the cluster.
Cloudera Manager Kerberos Wizard Overview
The Cloudera Manager Kerberos wizard starts by verifying various details of the Kerberos instance that will be used by the cluster. Before using the wizard, be sure to gather all the details about the Kerberos service or engage the Kerberos administrator for help during this process. There are many details of the Kerberos instance, and you will need to enter them in the wizard pages.
The wizard requires a working KDC, either an MIT KDC, a FreeIPA server, or an Active Directory KDC. Make sure that the KDC is set up and working prior to starting the wizard. Administrator-level privileges to the Kerberos instance are required to complete the prompts of the wizard. If you do not have access to credentials with these privileges, the Kerberos administrator will need to assist you.
- Configures the necessary properties in all configuration files (core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg) to set Kerberos as the authentication mechanism for the cluster
- Configures the necessary properties in the oozie-site.xml and hue.ini files for Oozie and Hue for Kerberos authentication
- Creates principal and keytab files for core system users, such as hdfs and mapred, and for CDP services
- Distributes the keytab files to each host in the cluster
- Creates keytab files for oozie and hue users and deploys to the appropriate hosts that support these client-focused services
- Distributes a configured krb5.conf to all nodes in the cluster
- Stops all services
- Deploys client configurations
- Restarts all services throughout the cluster
| Keytab file for... | Principals |
|---|---|
| hdfs | hdfs, host |
| mapred | mapred, host |
| oozie | oozie, HTTP |
| hue | hue |
The host principal is the same in both hdfs and mapred keytab files.
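To confirm that a deployed keytab holds the principals the table lists for it, the output of klist -kt can be compared against the table. The following Python check is an added example, not Cloudera code; it assumes the MIT klist -kt output layout and principals of the form primary/fqdn@REALM, and the host name, realm and sample output are constructed.

```python
import re

# Principal primaries each keytab should hold, copied from the table above.
EXPECTED = {"hdfs": {"hdfs", "host"}, "mapred": {"mapred", "host"},
            "oozie": {"oozie", "HTTP"}, "hue": {"hue"}}
# Entry line of MIT `klist -kt` (assumed layout): KVNO, date, time, principal.
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")

def parse_klist(text):
    """Return the set of (primary, instance, realm) found in `klist -kt` output."""
    principals = set()
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # "Keytab name:", column header, separator, blank line
        name, sep, realm = m.group(2).rpartition("@")
        if not sep:  # principal printed without a realm
            name, realm = realm, ""
        primary, _, instance = name.partition("/")
        principals.add((primary, instance, realm))
    return principals

def check_keytab(service, klist_text, fqdn, realm):
    """List deviations from the table for one service keytab on one host."""
    problems, found = [], set()
    for primary, instance, entry_realm in sorted(parse_klist(klist_text)):
        found.add(primary)
        if (instance, entry_realm) != (fqdn, realm):
            problems.append(f"{primary}/{instance}@{entry_realm}: wrong host or realm")
    for primary in sorted(EXPECTED[service] - found):
        problems.append(f"missing {primary}/{fqdn}@{realm}")
    for primary in sorted(found - EXPECTED[service]):
        problems.append(f"unexpected primary {primary}")
    return problems

# Constructed sample output (not from a real cluster): the host principal is absent.
SAMPLE_MAPRED = """\
Keytab name: FILE:mapred.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   1 01/15/2024 10:00:00 mapred/node1.example.com@EXAMPLE.COM
   1 01/15/2024 10:00:00 mapred/node1.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    print(check_keytab("mapred", SAMPLE_MAPRED, "node1.example.com", "EXAMPLE.COM"))
```

Repeated lines for one principal (one per encryption type) are collapsed, so each deviation is reported once.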
After making the configuration changes and deploying the keytabs and configuration files to the appropriate nodes in the cluster, Cloudera Manager starts all services to stand up the cluster.
- To use the Kerberos configuration wizard, see Enabling Kerberos Authentication for CDP.
- To configure Kerberos authentication manually, see How to Configure Clusters to Use Kerberos for Authentication.