Configuring a dedicated MIT KDC for cross-realm trust
How to configure a cluster-dedicated KDC and default realm in Cloudera Manager.
Using Cloudera Manager to configure Kerberos authentication for the cluster creates several principals and keytabs automatically. Cloudera Manager also deploys the keytab files to every host in the cluster. See Hadoop Users (user:group) and Kerberos Principals for a complete listing.
Local and Remote Kerberos Admin Tools
Kerberos administrator commands can be run directly on the KDC server host or remotely, as shown in the table:
Command | Description
kadmin.local | Requires root access or a Kerberos admin account. Use to log on directly to the KDC host.
kadmin | Use to log on to the KDC host system from another remote host over the network.
- To run Kerberos administration commands locally on the KDC host system:
  sudo kadmin.local
  Enter your Linux system password (for the sudo).
- To run Kerberos administration commands from any host:
  kadmin
  Enter your Kerberos administrator password.
Setting up a Cluster-Dedicated KDC and Default Realm for the Hadoop Cluster
Cloudera has tested the following configuration approaches to Kerberos security for clusters managed by Cloudera Manager. For administration teams that are just getting started with Kerberos security, we recommend starting with these approaches to the configuration of KDC services for a number of reasons.
The number of Service Principal Names (SPNs) that are created and managed by the Cloudera Manager server for a Cloudera Data Platform cluster can be significant, so it is important to realize the potential impact on cluster uptime and overall operations if you choose to manage keytabs manually instead. The Cloudera Manager server manages the creation of service keytabs on the proper hosts based on the current configuration of the database. Manual keytab management can be error prone and introduce delays when deploying or moving services within the cluster, especially under time-sensitive conditions.
Cloudera Manager creates SPNs within a KDC that it can access with the kadmin command, based on the configuration of the /etc/krb5.conf file on the Cloudera Manager host.
SPNs are created with the format service-name/host.fqdn.name@EXAMPLE.COM, where service-name is the relevant Cloudera Data Platform service name, such as hue, hbase, or hdfs.
If your site already has a working KDC, and any existing principals share the same name as any of the principals that Cloudera Manager creates, the Cloudera Manager Server generates a new randomized key for those principals, and consequently causes existing keytabs to become invalid.
This is why Cloudera recommends using a dedicated local MIT Kerberos KDC and realm for the Hadoop cluster. You can set up a one-way cross-realm trust from the cluster-dedicated KDC and realm to your existing central MIT Kerberos KDC, or to an existing Active Directory realm. Using this method, there is no need to create Hadoop service principals in the central MIT Kerberos KDC or in Active Directory, but principals (users) in the central MIT KDC or in Active Directory can be authenticated to Hadoop. The steps to implement this approach are as follows:
- Using a Cluster-Dedicated KDC with a Central MIT KDC
- Using a Cluster-Dedicated MIT KDC with Active Directory
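As an added check (example code, not part of Cloudera's documentation or product): before enabling Kerberos through Cloudera Manager against a KDC that already holds principals, compare the SPNs it will create, in the service-name/host.fqdn.name@REALM format described above, with what the KDC already contains, so that any principal whose key would be regenerated (and whose existing keytab would stop working) is known in advance. The listprincs output, service names and host names below are constructed for the demo.

```python
# Constructed sample of 'sudo kadmin.local -q listprincs' output for the demo;
# on a real KDC host, capture that command's stdout and pass it to parse_listprincs.
SAMPLE_LISTPRINCS = """\
Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
alice@EXAMPLE.COM
hdfs/node1.example.com@EXAMPLE.COM
HTTP/node1.example.com@EXAMPLE.COM
"""

def expected_spns(services, hosts, realm):
    """SPNs in the form service-name/host.fqdn.name@REALM that Cloudera Manager
    will create for every (service, host) pair; the service and host lists are
    assumed inputs taken from the planned cluster layout."""
    return {f"{service}/{host}@{realm}" for service in services for host in hosts}

def parse_listprincs(output):
    """Turn listprincs output into a set of principals, dropping the
    'Authenticating as principal ...' banner and blank lines."""
    principals = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Authenticating as principal"):
            continue
        principals.add(line)
    return principals

def find_collisions(existing, planned):
    """Principals that exist now and that Cloudera Manager would also create:
    their keys would be regenerated and the existing keytabs invalidated."""
    return existing & planned

def demo():
    """Offline run against the constructed sample: hdfs on node1 already exists."""
    planned = expected_spns(["hdfs", "hbase", "hue"],
                            ["node1.example.com", "node2.example.com"],
                            "EXAMPLE.COM")
    return find_collisions(parse_listprincs(SAMPLE_LISTPRINCS), planned)

if __name__ == "__main__":
    for spn in sorted(demo()):
        print("existing principal would be re-keyed:", spn)
```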
For Cloudera Manager clusters, the openldap-clients package must be installed on the Cloudera Manager Server host before configuring the cluster to use Kerberos for authentication.