Enabling custom Kerberos principal support in YARN

By default Cloudera Manager sets the Kerberos principal in YARN to yarn. This value can be easily changed using Cloudera Manager.

  1. Disable the ZooKeeper ACL check temporarily.
    1. In Cloudera Manager, navigate to ZooKeeper > Configuration.
    2. Find the Java Configuration Options for ZooKeeper Server property.
    3. Add the following value:
      -Dzookeeper.skipACL=yes
    4. Click Save Changes.
    5. Restart the ZooKeeper service.
  2. In Cloudera Manager, navigate to YARN > Configuration.
  3. Find the Kerberos principal property and set it to the required name.
  4. Click Save Changes.
  5. Find the Admin ACL property and ensure that it contains either the ${yarn_user} placeholder or the updated principal name value.
  6. Ensure that YARN HDFS folders have the correct access rights and owners.
    For example, if you use the Capacity Scheduler Node labels feature, the yarn.node-labels.fs-store.root-dir folder could be inaccessible by YARN with the new Kerberos principal name. To resolve this issue, make it accessible or change its owner with the hdfs dfs -chown command. The following is the minimum list of folder paths for which ownership needs to be changed if Capacity Scheduler Node labels are enabled:
    • /yarn/node-labels
    • /user/yarn/mapreduce/mr-framework
    • /user/yarn/services/service-framework/*
    • /tmp/logs
  7. Restart all services with stale configuration.
    1. Click Stale configuration: Restart needed.
    2. Ensure that Deploy client configuration is selected.
    3. Click Restart.
  8. Select the YARN service.
  9. Click Actions > Reset ACLs on ZooKeeper nodes.
    This step can take a long time if a lot of application data is stored in ZooKeeper.
  10. Enable the ZooKeeper ACL check.
    1. Navigate to ZooKeeper > Configuration.
    2. Find the Java Configuration Options for ZooKeeper Server property.
    3. Remove the -Dzookeeper.skipACL=yes value.
    4. Click Save Changes.
    5. Restart the ZooKeeper service.
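
The following script is an added example, not part of the Cloudera procedure. It checks two things after the final step: that the folder paths from step 6 are owned by the new user, and that no ZooKeeper server is still running with ACL checks disabled. It assumes the new principal maps to the hypothetical short name yarn_custom and that the hdfs client is available with a valid Kerberos ticket.

```shell
#!/bin/sh
# Added example: post-change checks for the procedure above.
# NEW_USER is a hypothetical short name for the new YARN principal.
NEW_USER="${NEW_USER:-yarn_custom}"

# Folder paths listed in step 6 (Capacity Scheduler Node labels enabled).
YARN_PATHS='/yarn/node-labels
/user/yarn/mapreduce/mr-framework
/user/yarn/services/service-framework/*
/tmp/logs'

# Read `hdfs dfs -ls -d` output on stdin and print "owner path" for each
# entry whose owner (third column) is not the expected user.
wrong_owner_paths() {
    awk -v want="$1" 'NF >= 8 && $3 != want { print $3, $NF }'
}

# Succeed if a JVM command line still carries -Dzookeeper.skipACL=yes.
skipacl_enabled() {
    args=$(printf '%s' "$1" | tr '\n\t' '  ')
    case " $args " in
        *" -Dzookeeper.skipACL=yes "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Needs the hdfs client with a valid Kerberos ticket; run it on a
# ZooKeeper server host so the live JVM arguments can be inspected.
check_cluster() {
    rc=0
    bad=$(printf '%s\n' "$YARN_PATHS" | while IFS= read -r p; do
              hdfs dfs -ls -d "$p"
          done | wrong_owner_paths "$NEW_USER")
    if [ -n "$bad" ]; then
        echo "Not owned by $NEW_USER (fix with hdfs dfs -chown -R):"
        echo "$bad"
        rc=1
    fi
    zk_args=$(ps -eo args | grep '[Q]uorumPeerMain' || true)
    if skipacl_enabled "$zk_args"; then
        echo "ZooKeeper still runs with -Dzookeeper.skipACL=yes"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then check_cluster; fi
```

Run it with the --run argument; a non-zero exit status means at least one path has the wrong owner or the skipACL option is still active on that host.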