Enabling custom Kerberos principal support in YARN

You can change the Kerberos principal name in YARN using Cloudera Manager.

By default, Cloudera Manager sets the Kerberos principal in YARN to yarn. You can change this value using Cloudera Manager.

  1. Disable the ZooKeeper ACL check temporarily.
    1. In Cloudera Manager, navigate to ZooKeeper > Configuration.
    2. Find the Java Configuration Options for ZooKeeper Server property.
    3. Add the following value:
      -Dzookeeper.skipACL=yes
    4. Click Save Changes.
    5. Restart the ZooKeeper service.
  2. In Cloudera Manager, navigate to YARN > Configuration.
  3. Find the Kerberos principal property and set it to the required name.
  4. Click Save Changes.
  5. Find the Admin ACL property and ensure that it contains either the ${yarn_user} placeholder or the updated principal name value.
  6. Ensure that YARN HDFS folders have the correct access rights and owners.

    For example, if you use the Capacity Scheduler Node labels feature, the yarn.node-labels.fs-store.root-dir folder might not be accessible by YARN with the new Kerberos principal name. To resolve this issue, make the folder accessible to the new principal or change its owner with an hdfs chown command.

  7. Restart all services with stale configuration.
    1. Click Stale configuration: Restart needed.
    2. Ensure that Deploy client configuration is selected.
    3. Click Restart.
  8. Select the YARN service.
  9. Click Actions > Reset ACLs on ZooKeeper nodes.
    This step can take a long time if a lot of application data is stored in ZooKeeper.
  10. Enable the ZooKeeper ACL check.
    1. Navigate to ZooKeeper > Configuration.
    2. Find the Java Configuration Options for ZooKeeper Server property.
    3. Remove the -Dzookeeper.skipACL=yes value.
    4. Click Save Changes.
    5. Restart the ZooKeeper service.
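
A post-change check for steps 9 and 10, as an added example that is not part of the original procedure: it reports whether the ZooKeeper Java options still carry -Dzookeeper.skipACL=yes and whether the ZooKeeper CLI getAcl output for a YARN znode names the new principal. The znode path /rmstore, the principal yarn_custom, the sample strings, and the expectation that the reset grants a sasl ACL to the principal's short name are assumptions made for illustration.

```python
import re
import shlex

# Matches the identity line of ZooKeeper CLI getAcl output, e.g. 'sasl,'yarn
ACL_ID = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")

def skip_acl_enabled(java_opts):
    """True if the JVM options still disable ZooKeeper ACL checks."""
    enabled = False
    for opt in shlex.split(java_opts):
        if opt.startswith("-Dzookeeper.skipACL="):
            # Later duplicates of a -D option override earlier ones.
            # Any casing of "yes" is reported, to be conservative.
            enabled = opt.split("=", 1)[1].lower() == "yes"
    return enabled

def parse_getacl(text):
    """Parse getAcl output into (scheme, id, perms) tuples."""
    acls, pending = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = ACL_ID.match(line)
        if m:
            pending = (m["scheme"], m["id"])
        elif line.startswith(":") and pending:
            acls.append((*pending, line[1:].strip()))
            pending = None
    return acls

def audit_znode(path, getacl_text, new_principal, old_principal="yarn"):
    """Return findings for one znode; an empty list means it looks reset."""
    acls = parse_getacl(getacl_text)
    sasl_ids = {ident for scheme, ident, _ in acls if scheme == "sasl"}
    findings = []
    if new_principal not in sasl_ids:
        findings.append(f"{path}: no sasl ACL for {new_principal}")
    if old_principal != new_principal and old_principal in sasl_ids:
        findings.append(f"{path}: stale sasl ACL for {old_principal}")
    return findings

# Constructed sample input (not taken from a real cluster).
SAMPLE_OPTS = "-Xms1g -Dzookeeper.skipACL=yes"
SAMPLE_ACL = "'sasl,'yarn\n: cdrwa\n'world,'anyone\n: r\n"

if __name__ == "__main__":
    print("skipACL still set:", skip_acl_enabled(SAMPLE_OPTS))
    for finding in audit_znode("/rmstore", SAMPLE_ACL, "yarn_custom"):
        print(finding)
```

An empty findings list together with a False result from skip_acl_enabled indicates that ACL enforcement is back on and the znode is owned by the new principal.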