Managing Kerberos credentials using Cloudera Manager
How to regenerate Kerberos principals in Cloudera Manager.
Minimum Required Role: Full Administrator. This feature is not available when using Cloudera Manager to manage Data Hub clusters.
When Kerberos authentication is enabled for HDFS service instances, Cloudera Manager starts creating Kerberos principals for each role instance on the cluster at the end of the configuration process. Depending on the number of hosts and the number of HDFS role instances in the cluster, the process may take anywhere from a few seconds to several minutes.
After the process completes, view the list of Kerberos principals created for the cluster by using the Cloudera Manager Admin Console. Every host with HDFS role instances should have Kerberos principals.
If no principals have been created after 10 minutes, there may be an issue with the process.
Updating Kerberos credentials in Cloudera Manager
If you change the user name or the password (or both) in the Active Directory KDC for the
account used by Cloudera Manager for Kerberos authentication, you must also change it in
Cloudera Manager. These credentials were stored during the Kerberos integration process
(see Step 3: Create the Kerberos Principal for Cloudera Manager Server
).
Managing Active Directory account properties
If you are using an Active Directory KDC, Cloudera Manager lets you configure Active Directory accounts and customize the credential regeneration process using the Cloudera Manager Admin Console. You can also use Cloudera Manager to configure the encryption types to be used by your Active Directory account. Once you modify any Active Directory account properties, you must regenerate Kerberos credentials to reflect those changes. The credential regeneration process requires you to delete existing accounts before new ones are created.
By default, Cloudera Manager does not delete accounts in Active Directory, which means that to regenerate Kerberos principals contained in Active Directory, you need to manually delete the existing Active Directory accounts. You can either delete and regenerate all existing Active Directory accounts, or only delete those with the userPrincipalName (or login name) that you will later manually select for regeneration. If the accounts haven't already been deleted manually, the regeneration process will throw an error message saying that deletion of accounts is required before you proceed.
Modifying Active Directory account properties using Cloudera Manager
If you are using an Active Directory KDC, you can configure Active Directory account
properties such as objectClass
and accountExpires
directly from the Cloudera Manager Admin Console. Any changes to these properties will
be reflected in the regenerated Kerberos credentials.
Enabling credential regeneration for Active Directory accounts using Cloudera Manager
To avoid having to delete accounts manually, enable the Active Directory Delete Accounts on Credential Regeneration property. By default, this property is disabled. After enabling this feature, Cloudera Manager will delete existing Active Directory accounts automatically when new ones are created during regeneration.
- On the Cloudera Manager Admin Console, click the Administration tab.
- Select .
- Click the Kerberos category.
- Locate the Active Directory Delete Accounts on Credential Regeneration and check the property to activate this capability.
- Click Save Changes.
Configuring encryption types for Active Directory KDC using Cloudera Manager
- aes128-cts
- aes256-cts
- des-cbc-crc
- des-cbc-md5
- Go to the Cloudera Manager Admin Console and click the Administration tab.
- Select .
- Click the Kerberos category.
-
Locate the Kerberos Encryption Types and click to add the encryption types you want
Active Directory to use (see the list above for supported encryption types
enctypes
). - Check the checkbox for the Active Directory Set Encryption Types property. This will automatically set the Cloudera Manager AD account to use the encryption types configured in the previous step.
- Click Save Changes.
Moving Kerberos principals to another OU within Active Directory
If you have a Kerberized cluster configured with an Active Directory KDC, you can use the following steps to move the Kerberos principals from one AD Organizational Unit (OU) to another.
- Create the new OU on the Active Directory Server.
- Use AD's Delegate Control wizard to set the permissions on the new OU such that the configured Cloudera Manager admin account has the ability to Create, Delete and Manage User Accounts within this OU.
- Stop the cluster.
- Stop the Cloudera Management Service.
- In Active Directory, move all the Cloudera Manager and CDP components' user accounts to the new OU.
- In Cloudera Manager, select .
- On the Kerberos Credentials tab, click Configuration.
- Select .
- Select .
- Locate the Active Directory Suffix property and edit the value to reflect the new OU name.
- Click Save Changes.
Viewing or regenerating Kerberos credentials using Cloudera Manager
To view Kerberos principals for the cluster from Cloudera Manager for either MIT Kerberos or Active Diretory:
Running the Security Inspector
The Security Inspector uses the Host Inspector to run a security-related set of commands on the hosts in your cluster. It reports on matters such as how Java is configured for encryption and on the default realms configured on each host:
- Select .
- Click Security Inspector. Cloudera Manager begins several tasks to inspect the managed hosts.
- After the inspection completes, click Download Result Data or Show Inspector Results to review the results.