Add secure Accumulo on CDP service to your cluster

To ensure data availability to diverse sets of users with varying levels of permissions and security clearance, add a secure Accumulo on CDP service.

If your secure Accumulo on CDP service needs to be FIPS compliant, ensure that you have followed the FIPS specific deployment setup steps provided in Installing and Configuring CDP with FIPS.

Install OpDB CSD file.
Install CDP.
Add the HDFS and ZooKeeper services to your CDP deployment.
Install the OpDB parcel.
Ensure that you have a SASL enabled Kerberized cluster.

Navigate to the Cloudera Manager Admin Console home page.
Select the action menu of the cluster to which you want to add the Accumulo on CDP service (for example, Cluster 1), and select Add Service.
Select Accumulo on CDP and click Continue.
Select the dependent services and click Continue.
Assign the Accumulo roles to the hosts in your cluster:
- Assign a Table Server role on each host to which the DataNode role is assigned.
- Assign the Monitor, Garbage Collector, Tracer, and Master role to non-DataNodes.
- Assign the Gateway role to any hosts here you want to use the OpDB service and that do not already have other OpDB roles assigned.
Click Continue.
Configure the Accumulo Instance Secret.

important
Cloudera recommends to protect this information, because the security of the Accumulo service relies on it.
Set the Accumulo Instance Name.
Select Enable Kerberos Authentication.

note
This setting overwrites the trace user with the default Accumulo Kerberos principal. This is the reason the Tracer Role must be on the same node as the Master.
If this is the first installation of OpDB, ensure that the Initial Accumulo option is selected.
Click Continue.
Wait while Cloudera Manager does the initial service setup.
Click Continue.
Click Finish.
Restart all role except Tracers.
Create a client configuration file for the admin user.
This step needs to be performed on each Gateway machine where you will run an OpDB client.
Client configuration can be created by editing the configuration file in the following way:
```
auth.principal=accumulo/[***HOSTNAME***]
auth.type=kerberos
auth.token=/var/run/cloudera-scm-agent/process/[***TIMESTAMP***]-[***SERVICE NAME***]-[***INSTANCE NAME***]/accumulo_on_cdp.keytab
sasl.enabled=true
sasl.qop=auth-conf
```
By default the Accumulo principal on which master is running becomes the administrator principal. You can set up a different administrative user. For more information, see the Administrative User section of the user manual. In this case you need to change the auth.principal and auth.token configuration properties accordingly.