Step 1: Install Cloudera Manager and CDP

Cloudera strongly recommends that you install and configure the Cloudera Manager Server and Cloudera Manager Agents and CDP to set up a fully-functional CDP cluster before trying to configure Kerberos authentication for the cluster.

Required user:group settings for security

Learn about the user:group settings for security.

When you install the CDP packages and the Cloudera Manager Agents on your cluster hosts, Cloudera Manager takes some steps to provide system security such as creating the OS user:group accounts and setting directory permissions as shown in the table below. These user accounts and directory permissions work with the Hadoop Kerberos security requirements.
This User Runs These Roles
hdfs NameNode, DataNodes, and Secondary NameNode
mapred JobTracker and TaskTrackers (MR1) and Job History Server (YARN)
yarn ResourceManager and NodeManagers (YARN)
oozie Oozie Server
hue Hue Server, Beeswax Server, Authorization Manager, and Job Designer
The hdfs user has HDFS superuser privileges.

When you install the Cloudera Manager Server on the server host, a new Unix user account called cloudera-scm is created automatically to support security. The Cloudera Manager Server uses this account to create host principals and deploy the keytabs on your cluster.

Depending on whether you installed CDP and Cloudera Manager at the same time or not, use one of the following sections for information on configuring directory ownerships on cluster hosts.

New Installation, Cloudera Manager and CDP Together

Installing a new Cloudera Manager cluster with CDP components at the same time can save you some of the user:group configuration required if you install them separately. The installation process creates the necessary user accounts on the Linux host system for the service daemons. At the end of the installation process when each cluster node starts up, the Cloudera Manager Agent process on the host automatically configures the directory ownership as shown in the table below, and the Hadoop daemons can then automatically set permissions for their respective directories. Do not change the directory owners on the cluster. They must be configured exactly as shown below.
Directory Specified in this Property Owner
dfs.name.dir hdfs:hadoop
dfs.data.dir hdfs:hadoop
mapred.local.dir mapred:hadoop
mapred.system.dir in HDFS mapred:hadoop
yarn.nodemanager.local-dirs yarn:yarn
yarn.nodemanager.log-dirs yarn:yarn
oozie.service.JPAService.jdbc.url (if using Derby) oozie:oozie
[[database]] name hue:hue
javax.jdo.option.ConnectionURL hue:hue