Customizing Kerberos principals
How to configure custom service principals in Cloudera Manager.
By default, the Cloudera Manager Kerberos wizard configures CDP services to use the same Kerberos principals as the default process users. For example, the hdfs principal is used for the HDFS service, and the hive principal for the Hive service. The advantage of this is that when Kerberos is enabled, no HDFS directory permissions need to be changed for the new principals. You can also configure custom service principals for CDP services.
Configuring Directory Permissions
Configure the following HDFS directories to give their corresponding custom service principals read, write, and execute permissions.
Service | HDFS Directory |
---|---|
HBase | HBase Root Directory |
Hive | |
Impala | /user/principal |
Oozie | Oozie ShareLib Root Directory |
Solr | HDFS Data Directory |
Spark on YARN | |
Sqoop2 | /user/principal |
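
One way to verify the permissions in the table above, shown as an added example that is not part of the Cloudera documentation: the function reads the output of hdfs dfs -getfacl and reports whether a principal has effective rwx on the directory. The function names, the impala_svc short name and the sample ACL text are constructed for illustration, and access granted only through group membership is not evaluated.

```shell
# Added example (not Cloudera code). HDFS ACLs name the principal's short
# name, so pass that rather than the full name/host@REALM form.

# principal_has_rwx <short-name>   (getfacl text on stdin)
# Succeeds if the principal owns the directory with rwx, or has a named
# user entry that is still rwx once the ACL mask is applied.
principal_has_rwx() {
    awk -v p="$1" '
        /^# owner: /   { owner = $3 }
        { sub(/[ \t]*#effective:.*$/, "") }   # drop the "#effective:" note
        /^user::/      { split($0, f, ":"); owner_perm = f[3] }
        /^mask::/      { split($0, f, ":"); mask = f[3] }
        /^user:[^:]+:/ { split($0, f, ":"); if (f[2] == p) named = f[3] }
        END {
            if (owner == p && owner_perm == "rwx") exit 0
            if (named == "rwx" && (mask == "" || mask == "rwx")) exit 0
            exit 1
        }'
}

# Live check against a cluster; needs a valid Kerberos ticket.
audit_dir() {   # audit_dir <hdfs-dir> <short-name>
    if hdfs dfs -getfacl "$1" | principal_has_rwx "$2"; then
        echo "OK    $2 has rwx on $1"
    else
        echo "FAIL  $2 lacks rwx on $1 (one fix: hdfs dfs -setfacl -m user:$2:rwx $1)"
        return 1
    fi
}

# Constructed getfacl output for the Impala row (/user/<principal>).
SAMPLE_OK='# file: /user/impala_svc
# owner: hdfs
# group: supergroup
user::rwx
user:impala_svc:rwx
group::r-x
mask::rwx
other::---'

# Same entry, but the mask reduces the effective permission to r-x.
SAMPLE_MASKED='# file: /user/impala_svc
# owner: hdfs
# group: supergroup
user::rwx
user:impala_svc:rwx  #effective:r-x
group::r-x
mask::r-x
other::---'
```

On a cluster, run audit_dir once per table row, for example audit_dir /user/impala_svc impala_svc.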
Configuring CDP Services
The following services will require additional settings if you are using custom principals.
- YARN - The principals used by YARN daemons should be part of the hadoop group so that they are allowed to read JobHistory Server data.
- Impala - If you are running the Hue service with a custom principal, configure Impala to allow the Hue principal to impersonate other users.
  - Go to the Impala service.
  - Click Configuration.
  - Select .
  - Locate the Proxy User Configuration property and add the custom Hue principal.
  - Click Save Changes.
- Spark on YARN - The principal used by the Spark service should be part of the spark group.
- Cloudera Management Service
  - Go to the Cloudera Management Service.
  - Click Configuration.
  - Search for kerberos.
  - Locate the Reports Manager Kerberos Principal property and set it to a principal with administrative and superuser privileges on all HDFS services.
  - Locate the Navigator Kerberos Principal for HDFS property and set it to a principal with administrative and superuser privileges on all HDFS services.
  - Click Save Changes.