Customizing Kerberos Principals and System Users (Recommended)

The Custom Kerberos Principals and System Users is an advanced feature that allows you to customize the Kerberos Principals and System Users for the Cloudera Runtime services. The following steps explain how to customize the Kerberos Principals and System Users in the Cloudera Manager.

important

Ensure you complete the following tasks before you start performing the steps to customize the Kerberos Principals and System Users in the Cloudera Manager.:

Before you start customizing the Kerberos Principals and System Users in the Cloudera Manager, ensure you complete enabling the feature flag for Custom Kerberos Principals and System Users before setting up the cluster. See Enabling feature flag for Custom Kerberos Principals and System Users.
On the Cloudera Manager home page, go to Status > Add and select Add Cluster to add a new cluster.
Perform the steps listed on this page Step 8: Set Up a Cluster Using the Wizard from Select Services through Configure Kerberos.

Currently, the supported combination for the new Private Cloud Base clusters is to use an equal name for kerberos principals and system users. Such as, in case of Kudu service, enter the name as “kudu” for both kerberos principal name and system username.

However, there are following exceptions to the above scenario and you must note them before you customize the Kerberos Principals and System Users:

Service Monitor (role of the Cloudera Management Service): When Hue service is present in the cluster, the principal name for Service Monitor must be equal to the principal name of the Hue service in the cluster.
Ozone and HDFS: You can customize the principal names for Ozone role types, but the Ozone system username must match the HDFS system username.
Kafka Mirror Maker: The system user for this role type must match the Kafka service-level system username (default is “kafka”).
Ranger role types (such as Ranger Admin, Ranger Tagsync, and Ranger Usersync) have a role-specific principal name, but the system user must match the Ranger service-level system username.

important

Cloudera Manager configures CDP services to use the default Kerberos principal names and default system users. Cloudera recommends that you do not change the default Kerberos principal or system user names. For existing clusters and services, do not change the existing Kerberos principal and system users names.

If your security policies require you to customize the service Kerberos Principals and System User Names, contact Cloudera Professional Services for additional help. Configuring the recommended solution requires additional steps and automation outside of CDP to be successful.

Use the following steps only for new clusters or when adding a new service to a new cluster that is created by enabling with Custom Kerberos Principals and System Users.

Perform the following steps to customize the Kerberos Principals and System Users for the Cloudera Runtime services:

Navigate to Custom Kerberos Principals and System Users after the Configure Kerberos operation, for customizing the Kerberos Principals and System Users.
Select both Customize Kerberos Principals and Customize System users check boxes as seen in the following figure.
important
If no check boxes are selected, then click Continue.

If atleast one of the check boxes are selected, then you must click the Generate Dependent Configurations button before you proceed with the process and click Continue.
Update the kerberos principal and system usernames for services as follows:
- You can change the names as required. You must use the same name for a Kerberos Principal and the corresponding System User. Such as for HDFS service you choose “hdfs-custom” as a name value and set this value for both HDFS Kerberos Principal and HDFS System User.
- Besides service-level principals and system users, some role types have individual configurations with a dedicated principal name. These role types must also follow the same pattern as applicable, such as using a custom name and setting this name for both kerberos principal and system user.
- You may also choose not to modify the custom principal or system user for a specific service or role type. You must ensure that the values match for a given service or role.
Click Generate Dependent Configurations.

important

You can verify the generated rules and manually edit the rules, if required. In the above scenario there will be auth_to_local rules for the exceptions listed above, but you do not need any further auth_to_local rules.

If you update any kerberos principal and system username after generating the rules, you must click the Generate Dependent Configurations button to auto-generate the auth_to_local rules again.
Click Continue.

important
Cloudera Manager makes use of the entered kerberos principal and system username information to calculate the value for auth_to_local rules (this is a cluster-wide configuration and it is saved in Core Settings). For more information on auth_to_local rules, see Hadoop documentation.
If you need to customize kerberos principals and system users while adding a service on a cluster after enabling Custom Kerberos Principals and System Users as per above steps on a new cluster, then repeat the steps 2 through 5.

The Add Service wizard includes a step for customizing any kerberos principal and system user specific to the service (and role types) being added as seen in the following figure.

important

Before adding a new service with custom kerberos principal and system usernames, you need to use the Ranger UI and update the appropriate policies.