Customizing Kerberos Principals and System Users (Recommended)
The Custom Kerberos Principals and System Users is an advanced feature that allows you to customize the Kerberos Principals and System Users for the Cloudera Runtime services. The following steps explain how to customize the Kerberos Principals and System Users in the Cloudera Manager.
Currently, the supported combination for the new Private Cloud Base clusters is to use an equal name for kerberos principals and system users. Such as, in case of Kudu service, enter the name as “kudu” for both kerberos principal name and system username.
- Service Monitor (role of the Cloudera Management Service): When Hue service is present in the cluster, the principal name for Service Monitor must be equal to the principal name of the Hue service in the cluster.
- Ozone and HDFS: You can customize the principal names for Ozone role types, but the Ozone system username must match the HDFS system username.
- Kafka Mirror Maker: The system user for this role type must match the Kafka service-level system username (default is “kafka”).
- Ranger role types (such as Ranger Admin, Ranger Tagsync, and Ranger Usersync) have a role-specific principal name, but the system user must match the Ranger service-level system username.
Perform the following steps to customize the Kerberos Principals and System Users for the Cloudera Runtime services:
- Navigate to Custom Kerberos Principals and System Users after the Configure Kerberos operation, for customizing the Kerberos Principals and System Users.
Select both Customize Kerberos Principals and
Customize System users check boxes as seen in the
Update the kerberos principal and system usernames for services as
- You can change the names as required. You must use the same name for a Kerberos Principal and the corresponding System User. Such as for HDFS service you choose “hdfs-custom” as a name value and set this value for both HDFS Kerberos Principal and HDFS System User.
- Besides service-level principals and system users, some role types have individual configurations with a dedicated principal name. These role types must also follow the same pattern as applicable, such as using a custom name and setting this name for both kerberos principal and system user.
- You may also choose not to modify the custom principal or system user for a specific service or role type. You must ensure that the values match for a given service or role.
Click Generate Dependent Configurations.
If you need to customize kerberos principals and system users while adding a
service on a cluster after enabling Custom Kerberos Principals and
System Users as per above steps on a new cluster, then repeat
the steps 2 through 5.
The Add Service wizard includes a step for customizing any kerberos principal and system user specific to the service (and role types) being added as seen in the following figure.