Enabling security
If your previous cluster was secure or if you want to use a secure cluster, you have to enable Kerberos and auto-TLS.
For information about how to enable Kerberos and auto-TLS, see Encrypting Data in Transit and Security Kerberos Authentication Overview.
After setting up Kerberos, go to the Kerberos Credentials tab and click Generate missing credentials. You might get the following error depending on your Kerberos server settings:
If you get this error, it means that the principals generated by Ambari have a different maximum renewable ticket time than the one Cloudera Manager wants to use. To fix this, modify the principals created by Ambari so that they have the same maximum renewable ticket time that Cloudera Manager wants to use (5 days):
# Get a keytab for a user that has the right to modify principals
# kadmin -q "ktadd -k /tmp/admin.keytab -norandkey admin/admin@HDF.COM" -p admin/admin@HDF.COM
# Get the principals generated by Ambari via an Ambari REST API call
# (the ambari* and clustername variables must already be set for your environment)
principals=($(curl -s -H "Content-Type: text/csv" -u "${ambariuser}:${ambaripwd}" "${ambariprotocol}://${ambariserver}:${ambariport}/api/v1/clusters/${clustername}/kerberos_identities?format=csv" | tail -n +2 | awk -F , '{ print $3 }'))
# Set each principal's maxrenewlife to 5 days (432000 seconds)
for princ in "${principals[@]}"
do
  kadmin -k -t /tmp/admin.keytab -p admin/admin@HDF.COM -q "modprinc -maxrenewlife 432000 $princ"
done
# Delete the keytab for security reasons
# rm -f /tmp/admin.keytab
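To confirm that the loop above took effect before retrying credential generation, the following added example (not part of the original page or of Cloudera's tooling) parses kadmin getprinc output and lists every principal whose maximum renewable life is not 432000 seconds. It assumes MIT kadmin's "Maximum renewable life: N days HH:MM:SS" line format; the function names and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: check that "modprinc -maxrenewlife 432000" took effect.
# Assumption: MIT kadmin prints "Maximum renewable life: N days HH:MM:SS".
# Function names are hypothetical and the sample data is constructed.

EXPECTED_RENEW_SECS=432000   # 5 days, the value used on this page

# stdin: one or more getprinc outputs. stdout: "<principal> <seconds>" per principal.
renew_life_table() {
  awk '
    /^Principal:/ { princ = $2 }
    /^Maximum renewable life:/ {
      split($6, t, ":")                       # $4 = days, $6 = HH:MM:SS
      print princ, $4 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# Prints principals whose renewable life differs from $1; returns 1 if any differ.
mismatched_principals() {
  renew_life_table | awk -v want="$1" '$2 != want { print $1; bad = 1 } END { exit bad + 0 }'
}

# Constructed sample of concatenated getprinc output, trimmed to the relevant lines.
sample_getprinc_output() {
  cat <<'EOF'
Principal: nifi/host1.example.com@HDF.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 5 days 00:00:00
Principal: kafka/host1.example.com@HDF.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Principal: zookeeper/host1.example.com@HDF.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 12:30:00
EOF
}

# Live use, reusing the principals array and keytab from the loop above:
#   for princ in "${principals[@]}"; do
#     kadmin -k -t /tmp/admin.keytab -p admin/admin@HDF.COM -q "getprinc $princ"
#   done | mismatched_principals "$EXPECTED_RENEW_SECS"

if bad=$(sample_getprinc_output | mismatched_principals "$EXPECTED_RENEW_SECS"); then
  echo "all principals have maxrenewlife ${EXPECTED_RENEW_SECS}s"
else
  printf 'maxrenewlife is not %ss for:\n%s\n' "$EXPECTED_RENEW_SECS" "$bad"
fi
```

A non-zero return from mismatched_principals means at least one principal still needs the modprinc step.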