Customizing Kerberos principals

How to configure custom service principals in Cloudera Manager.

By default, the Cloudera Manager Kerberos wizard configures CDP services to use the same Kerberos principals as the default process users. For example, the hdfs principal for the HDFS service, and the hive principal for the Hive service. The advantage to this is that when Kerberos is enabled, no HDFS directory permissions need to be changed for the new principals. You can also configure custom service principals for CDP services.

Configuring Directory Permissions

Configure the following HDFS directories to give their corresponding custom service principals read, write and execute permissions.
Service HDFS Directory
HBase HBase Root Directory
Hive
  • Hive Warehouse Directory
  • /user/principal
Impala /user/principal
Oozie Oozie ShareLib Root Directory
Solr HDFS Data Directory
Spark on YARN
  • /user/principal
  • Spark History Location
  • Spark Jar Location
Sqoop2 /user/principal

Configuring CDP Services

The following services will require additional settings if you are using custom principals.

  • YARN - The principals used by YARN daemons should be part of hadoop group so that they are allowed to read JobHistory Server data.
  • Impala - If you are running the Hue service with a custom principal, configure Impala to allow the Hue principal to impersonate other users.
    1. Go to the Impala service.
    2. Click Configuration.
    3. Select Scope > Impala (Service-Wide).
    4. Locate the Proxy User Configuration property and add the custom Hue principal.
    5. Click Save Changes.
  • Spark on YARN - The principal used by the Spark service should be part of the spark group.
  • Cloudera Management Service
    1. Go to the Cloudera Management Service.
    2. Click Configuration.
    3. Search for kerberos.
    4. Locate the Reports Manager Kerberos Principal property and set it to a principal with administrative and superuser privileges on all HDFS services.
    5. Locate the Navigator Kerberos Principal for HDFS property and set it to a principal with administrative and superuser privileges on all HDFS services.
    6. Click Save Changes.