Preparing Kerberos authentication-enabled clusters for replication
Before you create replication policies between clusters that use Kerberos authentication to replicate HDFS, Hive, or Impala data, you must prepare the source and destination clusters.
- On the hosts in the destination cluster, ensure that the
krb5.conffile (typically located at/etc/kbr5.conf) on each host has the following information:- The KDC information for the source cluster's Kerberos
realm. For
example:
[realms] SRC.EXAMPLE.COM = { kdc = kdc01.src.example.com:88 admin_server = kdc01.example.com:749 default_domain = src.example.com } DST.EXAMPLE.COM = { kdc = kdc01.dst.example.com:88 admin_server = kdc01.dst.example.com:749 default_domain = dst.example.com } - Realm mapping for the source cluster domain. You configure these mappings in
the
[domain_realm]section. For example:[domain_realm] .dst.example.com = DST.EXAMPLE.COM dst.example.com = DST.EXAMPLE.COM .src.example.com = SRC.EXAMPLE.COM src.example.com = SRC.EXAMPLE.COM
- The KDC information for the source cluster's Kerberos
realm. For
example:
-
On the destination cluster, perform the following steps to add the realm of the
source cluster to the Trusted Kerberos Realms
configuration property:
- Go to the Cloudera Manager > Clusters > CORE_SETTINGS page.
- Search for the Trusted Kerberos Realms property, and enter the source cluster realm.
- Click Save Changes.
- Go to the Administration > Settings page.
-
Search for the Domain Name(s) field, and enter any domain or
host names you want to map to the destination cluster KDC. Add as many entries as you
need. The entries in this property are used to generate the
domain_realmsection in krb5.conf file. -
If
domain_realmis configured in the Advanced Configuration Snippet (Safety Valve) for remaining krb5.conf property, remove the entries for it. - Click Save Changes.
