Managing Kerberos credentials using Cloudera Manager

How to regenerate Kerberos principals in Cloudera Manager.

Using CM to manage Kerberos credentials.

Minimum Required Role: Full Administrator. This feature is not available when using Cloudera Manager to manage Data Hub clusters.

When Kerberos authentication is enabled for HDFS service instances, Cloudera Manager starts creating Kerberos principals for each role instance on the cluster at the end of the configuration process. Depending on the number of hosts and the number of HDFS role instances in the cluster, the process may take anywhere from a few seconds to several minutes.

After the process completes, view the list of Kerberos principals created for the cluster by using the Cloudera Manager Admin Console. Every host with HDFS role instances should have Kerberos principals.

If no principals have been created after 10 minutes, there may be an issue with the process.

Updating Kerberos credentials in Cloudera Manager

Using CM to update Kerberos credentials.

If you change the user name or the password (or both) in the Active Directory KDC for the account used by Cloudera Manager for Kerberos authentication, you must also change it in Cloudera Manager. These credentials were stored during the Kerberos integration process (see Step 3: Create the Kerberos Principal for Cloudera Manager Server).

  1. Log in to Cloudera Manager Admin Console.
  2. Select Administration > Security.
  3. Click the Kerberos Credentials tab.
  4. Click Setup KDC for this Cloudera Manager.
  5. Enter the new user and password for the principal added to the Kerberos KDC in Step 4: Enter Account Credentials.

    If you are using Red Hat IdM/FreeIPA, enter the IPA admin credentials here. These admin credentials are not stored, and are used only to create a new user and role (named cmadin-<random_id> and cmadminrole, respectively) and retrieve its keytab. Cloudera Manager stores this keytab for future Kerberos operations, such as regenerating the credentials of the CDP service accounts.

Managing Active Directory account properties

Using CM to manage AD account properties.

If you are using an Active Directory KDC, Cloudera Manager lets you configure Active Directory accounts and customize the credential regeneration process using the Cloudera Manager Admin Console. You can also use Cloudera Manager to configure the encryption types to be used by your Active Directory account. Once you modify any Active Directory account properties, you must regenerate Kerberos credentials to reflect those changes. The credential regeneration process requires you to delete existing accounts before new ones are created.

By default, Cloudera Manager does not delete accounts in Active Directory, which means that to regenerate Kerberos principals contained in Active Directory, you need to manually delete the existing Active Directory accounts. You can either delete and regenerate all existing Active Directory accounts, or only delete those with the userPrincipalName (or login name) that you will later manually select for regeneration. If the accounts haven't already been deleted manually, the regeneration process will throw an error message saying that deletion of accounts is required before you proceed.

Modifying Active Directory account properties using Cloudera Manager

Using CM to modify AD account properties.

If you are using an Active Directory KDC, you can configure the Active Directory account properties, objectClass and accountExpires directly from the Cloudera Manager Admin Console. Any changes to these properties will be reflected in the regenerated Kerberos credentials.

  1. Go to the Cloudera Manager Admin Console and click the Administration tab.
  2. Select Administration > Settings.
  3. Click the Kerberos category.
  4. Locate the Active Directory Account Properties and edit as required. By default, the property will be set to:
    accountExpires=0,objectClass=top,objectClass=person,objectClass=organizationalPerson,objectClass=user
  5. Locate the Active Directory Password Properties and edit the field as needed. By default, the property will be set to:
    length=12,minLowerCaseLetters=2,minUpperCaseLetters=2,minDigits=2,minSpaces=0,minSpecialChars=0,specialChars=?.!$%^*()-_+=~
  6. Click Save Changes.
  7. Regenerate new credentials with the new properties.

Enabling credential regeneration for Active Directory accounts using Cloudera Manager

Using CM to enable credential regeneration for AD accounts.

To avoid having to delete accounts manually, enable the Active Directory Delete Accounts on Credential Regeneration property. By default, this property is disabled. After enabling this feature, Cloudera Manager will delete existing Active Directory accounts automatically when new ones are created during regeneration.

  1. On the Cloudera Manager Admin Console, click the Administration tab.
  2. Select Administration > Settings.
  3. Click the Kerberos category.
  4. Locate the Active Directory Delete Accounts on Credential Regeneration and check the property to activate this capability.
  5. Click Save Changes.

Configuring encryption types for Active Directory KDC using Cloudera Manager

Using CM to configure encryption types for AD KDC,

Cloudera Manager allows you to configure the encryption types (or enctype) used by an Active Directory KDC to protect its data. Cloudera supports the following encryption types:
  • aes128-cts
  • aes256-cts
  • des-cbc-crc
  • des-cbc-md5
To configure encryption types for an Active Directory KDC:
  1. Go to the Cloudera Manager Admin Console and click the Administration tab.
  2. Select Administration > Settings.
  3. Click the Kerberos category.
  4. Locate the Kerberos Encryption Types and click to add the encryption types you want Active Directory to use (see the list above for supported encryption types enctypes).
  5. Check the checkbox for the Active Directory Set Encryption Types property. This will automatically set the Cloudera Manager AD account to use the encryption types configured in the previous step.
  6. Click Save Changes.

Moving Kerberos principals to another OU within Active Directory

How to move Kerberos principals within AD.

If you have a Kerberized cluster configured with an Active Directory KDC, you can use the following steps to move the Kerberos principals from one AD Organizational Unit (OU) to another.

  1. Create the new OU on the Active Directory Server.
  2. Use AD's Delegate Control wizard to set the permissions on the new OU such that the configured Cloudera Manager admin account has the ability to Create, Delete and Manage User Accounts within this OU.
  3. Stop the cluster.
  4. Stop the Cloudera Management Service.
  5. In Active Directory, move all the Cloudera Manager and CDP components' user accounts to the new OU.
  6. In Cloudera Manager, select Administration > Security.
  7. On the Kerberos Credentials tab, click Configuration.
  8. Select Scope > Settings.
  9. Select Category > Kerberos.
  10. Locate the Active Directory Suffix property and edit the value to reflect the new OU name.
  11. Click Save Changes.

Viewing or regenerating Kerberos credentials using Cloudera Manager

Using CM to view or regenerate Kerberos credentials.

To view Kerberos principals for the cluster from Cloudera Manager for either MIT Kerberos or Active Directory:

  1. Log in to Cloudera Manager Admin Console.
  2. Select Administration > Security.
  3. Click the Kerberos Credentials tab. The currently configured Kerberos principals for services running on the cluster display, such as:
    • For HDFS, principals hdfs/hostname and host/hostname
  4. To regenerate any principals (if necessary):
    • Select the principal from the list.
    • Click Regenerate.

Running the Security Inspector

How to run Security Inspector.

The Security Inspector uses the Host Inspector to run a security-related set of commands on the hosts in your cluster. It reports on matters such as how Java is configured for encryption and on the default realms configured on each host:

  1. Select Administration > Security.
  2. Click Security Inspector. Cloudera Manager begins several tasks to inspect the managed hosts.
  3. After the inspection completes, click Download Result Data or Show Inspector Results to review the results.