Step 1: Install Cloudera Manager and Cloudera
Cloudera strongly recommends that you install and configure the Cloudera Manager Server and Cloudera Manager Agents and Cloudera to set up a fully-functional Cloudera cluster before trying to configure Kerberos authentication for the cluster.
Required user:group settings for security
Learn about the user:group settings for security.
user:group
accounts and setting directory permissions as
shown in the table below. These user accounts and directory permissions work with the
Hadoop Kerberos security requirements.This User | Runs These Roles |
---|---|
hdfs |
NameNode, DataNodes, and Secondary NameNode |
mapred |
JobTracker and TaskTrackers (MR1) and Job History Server (YARN) |
yarn |
ResourceManager and NodeManagers (YARN) |
oozie |
Oozie Server |
hue |
Hue Server, Beeswax Server, Authorization Manager, and Job Designer |
hdfs
user has HDFS superuser privileges.When you install the Cloudera Manager Server on the server host, a new
Unix user account called cloudera-scm
is created automatically to support
security. The Cloudera Manager Server uses this account to create host
principals and deploy the keytabs on your cluster.
Depending on whether you installed Cloudera and Cloudera Manager at the same time or not, use one of the following sections for information on configuring directory ownerships on cluster hosts.
New Installation, Cloudera Manager and Cloudera Together
Directory Specified in this Property | Owner |
---|---|
dfs.name.dir | hdfs:hadoop |
dfs.data.dir | hdfs:hadoop |
mapred.local.dir | mapred:hadoop |
mapred.system.dir in HDFS | mapred:hadoop |
yarn.nodemanager.local-dirs | yarn:yarn |
yarn.nodemanager.log-dirs | yarn:yarn |
oozie.service.JPAService.jdbc.url (if using Derby) | oozie:oozie |
[[database]] name | hue:hue |
javax.jdo.option.ConnectionURL | hue:hue |