Configuring a dedicated MIT KDC for cross-realm trust
How to configure a cluster-dedicated KDC and default realm in Cloudera Manager.
Using Cloudera Manager to configure Kerberos authentication for the cluster creates several principals and keytabs automatically. Cloudera Manager also deploys the keytab files to every host in the cluster. See Hadoop Users (user:group) and Kerberos Principals for a complete listing.
Local and Remote Kerberos Admin Tools
Kerberos administrator commands can be run directly on the KDC server host or remotely, as shown in the table:
kadmin.local | Requires root access or a Kerberos admin account. Use it when logged on directly to the KDC host.
kadmin | Use it to log on to the KDC host from another host over the network.
- To run Kerberos administration commands locally on the KDC host system:
  sudo kadmin.local
  Enter your Linux system password (for the sudo).
- To run Kerberos administration commands from any host:
  kadmin
  Enter your Kerberos administrator password.
Setting up a Cluster-Dedicated KDC and Default Realm for the Hadoop Cluster
Cloudera has tested the following configuration approaches to Kerberos security for clusters managed by Cloudera Manager. For administration teams that are just getting started with Kerberos security, we recommend starting with these approaches to the configuration of KDC services for a number of reasons.
The number of Service Principal Names (SPNs) that are created and managed by the Cloudera Manager server for a CDP cluster can be significant, so it is important to realize the potential impact on cluster uptime and overall operations if you choose to manage keytabs manually instead. The Cloudera Manager server manages the creation of service keytabs on the proper hosts based on the current configuration of the database. Manual keytab management can be error prone and introduce delays when deploying or moving services within the cluster, especially under time-sensitive conditions.
Cloudera Manager creates SPNs within a KDC that it can access with the kadmin command, based on the configuration of the /etc/krb5.conf file on the Cloudera Manager host. SPNs are created in the format service-name/host.fqdn.name@EXAMPLE.COM, where service-name is the relevant CDP service name such as hue, hbase, or hdfs.
If your site already has a working KDC, and any existing principals share the same name as any of the principals that Cloudera Manager creates, the Cloudera Manager Server generates a new randomized key for those principals, and consequently causes existing keytabs to become invalid.
This is why Cloudera recommends using a dedicated local MIT Kerberos KDC and realm for the Hadoop cluster. You can set up a one-way cross-realm trust from the cluster-dedicated KDC and realm to your existing central MIT Kerberos KDC, or to an existing Active Directory realm. Using this method, there is no need to create Hadoop service principals in the central MIT Kerberos KDC or in Active Directory, but principals (users) in the central MIT KDC or in Active Directory can be authenticated to Hadoop. The steps to implement this approach are as follows:
Using a Cluster-Dedicated KDC with a Central MIT KDC
Using a Cluster-Dedicated MIT KDC with Active Directory
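The collision risk described above (an existing principal with the same name as an SPN Cloudera Manager creates gets re-keyed, invalidating its keytabs) can be checked before Kerberos is enabled. The following script is an added example, not part of the Cloudera documentation; the realm, service names, host names and the principal list are constructed sample values, and in practice the existing list would come from kadmin -q "listprincs" (or kadmin.local -q "listprincs").

```shell
#!/bin/sh
# Added example (not Cloudera's code): find principals that already exist in
# the KDC and would collide with the SPNs Cloudera Manager creates, since a
# collision makes Cloudera Manager re-key the principal and invalidates the
# keytabs already issued for it.

# Emit the SPNs Cloudera Manager would create, one per line, in its format
# service-name/host.fqdn.name@REALM, for every service on every host.
expected_spns() {
  realm=$1
  services=$2
  hosts=$3
  for s in $services; do
    for h in $hosts; do
      printf '%s/%s@%s\n' "$s" "$h" "$realm"
    done
  done
}

# Print the expected SPNs that already appear in the principal list file $4
# (one principal per line). grep -F -x: fixed-string, whole-line matches;
# -f -: patterns come from stdin. Returns 0 whether or not anything matched.
spn_collisions() {
  expected_spns "$1" "$2" "$3" | grep -Fxf - "$4" || true
}

# Constructed sample of an existing KDC's principal list (listprincs output).
EXISTING=$(mktemp)
cat > "$EXISTING" <<'EOF'
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
admin/admin@EXAMPLE.COM
hdfs/node1.example.com@EXAMPLE.COM
alice@EXAMPLE.COM
hue/gateway.example.com@EXAMPLE.COM
EOF

main() {
  collisions=$(spn_collisions EXAMPLE.COM "hdfs hbase hue" \
               "node1.example.com gateway.example.com" "$EXISTING")
  if [ -n "$collisions" ]; then
    echo "Existing principals that Cloudera Manager would re-key:"
    echo "$collisions"
    echo "Use a cluster-dedicated KDC and realm, or resolve these first."
  else
    echo "No SPN collisions found."
  fi
}
main
```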
For Cloudera Manager clusters, the openldap-clients package must be installed on the Cloudera Manager Server host before configuring the cluster to use Kerberos for authentication.