Enabling security

If your previous cluster was secure or if you want to use a secure cluster, you have to enable Kerberos and auto-TLS.

For information about how to enable Kerberos and auto-TLS, see Encrypting Data in Transit and Security Kerberos Authentication Overview.

After setting up Kerberos, go to Administration > Security and click Generate missing credentials on the Kerberos Credentials tab. You might get the following error depending on your Kerberos server settings:


If you get this error, the principals generated by Ambari have a different maximum renewable ticket time than the one Cloudera Manager wants to use. To fix this, modify the principals created by Ambari so that they have the same maximum renewable ticket time that Cloudera Manager wants to use (5 days):
# Get a keytab for a user that has the right to modify principals
# kadmin -q "ktadd -k /tmp/admin.keytab -norandkey admin/admin@HDF.COM" -p admin/admin@HDF.COM
# Get the principals generated by Ambari via an Ambari REST API call
principals=($(curl -H "Content-Type: text/csv" "${ambariprotocol}://${ambariuser}:${ambaripwd}@${ambariserver}:${ambariport}/api/v1/clusters/${clustername}/kerberos_identities?format=csv" | tail -n +2 | awk -F , '{ print $3}'))
# Set each principal's maxrenewlife to 5 days (432000 seconds)
for princ in "${principals[@]}"
do
   kadmin -k -t /tmp/admin.keytab -p admin/admin@HDF.COM -q "modprinc -maxrenewlife 432000 $princ"
done
# Delete the keytab for security reasons
# rm -f /tmp/admin.keytab
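
To confirm that the loop above took effect, each principal's value can be read back and compared with 432000 seconds. The following check is an added example, not part of the original procedure: it assumes MIT kadmin and its getprinc output format, and the function names and sample principals are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): verify the result of modprinc.
# Assumes MIT kadmin, where getprinc prints a line such as
#   Maximum renewable life: 5 days 00:00:00

EXPECTED_SECONDS=432000   # 5 days, the value passed to modprinc above

# Read getprinc output on stdin; print the renewable life in seconds.
# Exits non-zero when the line is missing (e.g. principal not found).
maxrenewlife_seconds() {
    awk -F': ' '/^Maximum renewable life:/ {
        split($2, part, " ")      # part[1] = days, part[3] = HH:MM:SS
        split(part[3], t, ":")
        print part[1] * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        found = 1
        exit
    }
    END { if (!found) exit 1 }'
}

# check_renewlife PRINCIPAL < getprinc-output
# Prints OK / MISMATCH / UNKNOWN; returns 0 only on a match.
check_renewlife() {
    princ=$1
    if ! secs=$(maxrenewlife_seconds); then
        echo "UNKNOWN $princ"
        return 2
    fi
    if [ "$secs" -eq "$EXPECTED_SECONDS" ]; then
        echo "OK $princ"
    else
        echo "MISMATCH $princ maxrenewlife=${secs}s"
        return 1
    fi
}

# Constructed sample getprinc output (principal names are made up).
SAMPLE_FIXED='Principal: nifi/host1.example.com@HDF.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 5 days 00:00:00'
SAMPLE_STALE='Principal: kafka/host1.example.com@HDF.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00'

printf '%s\n' "$SAMPLE_FIXED" | check_renewlife nifi/host1.example.com@HDF.COM || true
printf '%s\n' "$SAMPLE_STALE" | check_renewlife kafka/host1.example.com@HDF.COM || true

# Live use, inside the loop from the page (before the keytab is deleted):
#   kadmin -k -t /tmp/admin.keytab -p admin/admin@HDF.COM -q "getprinc $princ" | check_renewlife "$princ"
```

The KDC also caps renewable lifetime by the krbtgt principal's maxrenewlife and the realm's max_renewable_life setting, so an OK result here covers only the per-principal value.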