Enabling Kerberos Authentication for CDP

How to use the Cloudera Manager Kerberos wizard to set up authentication.

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

Cloudera Manager provides a wizard for integrating your organization's Kerberos instance with your cluster to provide authentication services.

Kerberos must already be deployed in your organization and the Kerberos key distribution center (KDC) must be ready to use, with a realm established. If you are using Red Hat Identity Management/FreeIPA, all of your cluster hosts must already be joined to the IPA domain. For Hue and Oozie, the Kerberos realm must support renewable tickets.

Cloudera Manager clusters can be integrated with MIT Kerberos, Red Hat Identity Management (or the upstream FreeIPA), or Microsoft Active Directory.

For Active Directory, you must have administrative privileges on the Active Directory instance for initial setup and for ongoing management, or you will need the help of your AD administrator before and during the integration process. For example, administrative access is needed to access the Active Directory KDC, create principals, troubleshoot Kerberos TGT/TGS ticket renewal, and resolve any other issues that may arise.

For Red Hat IdM, make sure that all cluster hosts are joined to the IPA domain. You can join a host to the domain by installing the freeipa-client package and then running the ipa-client-install script.

Kerberos client OS-specific packages must be installed on all cluster hosts and client hosts that will authenticate using Kerberos.
Packages required, by OS:
RHEL 7 Compatible, RHEL 6 Compatible
  • openldap-clients on the Cloudera Manager Server host
  • krb5-workstation, krb5-libs on ALL hosts
  • (Red Hat IdM/FreeIPA only) freeipa-client on all cluster hosts
SLES
  • openldap2-client on the Cloudera Manager Server host
  • krb5-client on ALL hosts
  • (Red Hat IdM/FreeIPA only) freeipa-client on all cluster hosts
Ubuntu
  • ldap-utils on the Cloudera Manager Server host
  • krb5-user on ALL hosts
  • (Red Hat IdM/FreeIPA only) freeipa-client on all cluster hosts
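
A pre-flight check for the package requirements above, as an added example that is not part of the Cloudera documentation. The package names are the ones listed above; the function names, the role names (cm-server, cluster, client) and the rule that the Cloudera Manager Server host also counts as a cluster host are assumptions of this sketch.

```shell
# Added example (not Cloudera code). Package names are from the list above;
# function names, role names and treating cm-server as a cluster host are assumptions.
# detect_family [OS_RELEASE_FILE] -> prints rhel | sles | ubuntu
detect_family() {
  local f="${1:-/etc/os-release}" ids=""
  if [ -r "$f" ]; then ids=$(. "$f"; echo "${ID:-} ${ID_LIKE:-}"); fi
  case $ids in
    *rhel*|*centos*) echo rhel ;;
    *sles*|*suse*)   echo sles ;;
    *ubuntu*)        echo ubuntu ;;
    *) [ -e /etc/redhat-release ] && echo rhel ;;  # RHEL 6 has no os-release file
  esac
}

# required_packages FAMILY ROLE USE_IPA   (ROLE: cm-server|cluster|client, USE_IPA: yes|no)
required_packages() {
  local family="$1" role="$2" ipa="$3" krb ldap
  case $family in
    rhel)   krb="krb5-workstation krb5-libs"; ldap=openldap-clients ;;
    sles)   krb=krb5-client;                  ldap=openldap2-client ;;
    ubuntu) krb=krb5-user;                    ldap=ldap-utils ;;
    *) echo "unsupported OS family: $family" >&2; return 2 ;;
  esac
  if [ "$role" = cm-server ]; then krb="$krb $ldap"; fi
  if [ "$ipa" = yes ] && [ "$role" != client ]; then krb="$krb freeipa-client"; fi
  echo "$krb"
}

# pkg_installed FAMILY PACKAGE: succeeds when the package is installed
pkg_installed() {
  case $1 in
    ubuntu) dpkg-query -W -f='${Status}' "$2" 2>/dev/null | grep -q 'ok installed' ;;
    *)      rpm -q "$2" >/dev/null 2>&1 ;;
  esac
}

# missing_packages FAMILY ROLE USE_IPA: prints each required package that is absent
missing_packages() {
  local pkgs p
  pkgs=$(required_packages "$1" "$2" "$3") || return 2
  for p in $pkgs; do
    pkg_installed "$1" "$p" || echo "$p"
  done
}

if [ $# -ge 2 ]; then   # e.g. ./krb-preflight.sh cluster yes
  fam=$(detect_family) || { echo "cannot identify OS" >&2; exit 2; }
  miss=$(missing_packages "$fam" "$1" "$2")
  [ -z "$miss" ] || { echo "missing:" $miss; exit 1; }
fi
```

Run it on each host with that host's role and whether the cluster uses Red Hat IdM/FreeIPA; a non-zero exit lists the packages still to install before starting the wizard.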

Cloudera supports the Kerberos version that ships with each supported operating system listed in Operating System Requirements.