Adding trusted realms to the cluster
How to specify trusted realms in Cloudera Manager.
The Kerberos instance associated with a given cluster has its REALM-NAME
specified as the default_realm
in the Kerberos configuration file
(krb5.conf
) on the cluster's NameNode. Rules defined in the
hadoop.security.auth_to_local
property translate the Kerberos principals
to local account names at the host
level.
The default rules simply remove the @REALM
portion of the Kerberos
principal and leave the short name.
To allow principals from other realms to use the cluster, the trusted realms must be specified in Cloudera Manager. For example, the Kerberos realm used by your cluster may have a trust relationship to a central Active Directory or MIT Kerberos realm. Add the central realm to the cluster as detailed in the following steps so that Cloudera Manager can apply the appropriate mapping rules to the principals from the trusted realm to access the cluster's services.
To specify trusted realms using Cloudera Manager:
For each trusted realm identified in Trusted Kerberos Realms, default
mapping rules automatically strip the REALM name. To customize the mapping rules, specify
additional rules in the Additional Rules to Map Kerberos Principals to Short
Names setting, one rule per line. Cloudera Manager will wrap each rule in the
appropriate XML tags and add to the generated core-site.xml
file. To create
custom rules and translate translate mixed-case Kerberos principals to lower-case Hadoop
usernames.
If you specify custom mapping rules for a Kerberos realm using the Additional Rules to Map Kerberos Principals to Short Names setting, ensure that the same realm is not specified in the Trusted Kerberos Realms setting. If it is, the auto-generated rule (which only strips the realm from the principal and does no additional transformations) takes precedent, and the custom rule is ignored.
- On the Cloudera Manager Admin Console, to choose cluster-wide actions.
- From the Actions drop-down button, select Deploy Client Configuration.