Adding trusted realms to the cluster
How to specify trusted realms in Cloudera Manager.
The Kerberos instance associated with a given cluster has its REALM-NAME specified as the default_realm in the Kerberos configuration file (krb5.conf) on the cluster's NameNode. Rules defined in the hadoop.security.auth_to_local property translate the Kerberos principals to local account names at the host level. The default rules simply remove the @REALM portion of the Kerberos principal and leave the short name.
To allow principals from other realms to use the cluster, the trusted realms must be specified in Cloudera Manager. For example, the Kerberos realm used by your cluster may have a trust relationship to a central Active Directory or MIT Kerberos realm. Add the central realm to the cluster as detailed in the following steps so that Cloudera Manager can apply the appropriate mapping rules to principals from the trusted realm, allowing them to access the cluster's services.
To specify trusted realms using Cloudera Manager:
For each trusted realm identified in Trusted Kerberos Realms, default mapping rules automatically strip the REALM name. To customize the mapping rules, specify additional rules in the Additional Rules to Map Kerberos Principals to Short Names setting, one rule per line. Cloudera Manager will wrap each rule in the appropriate XML tags and add it to the generated core-site.xml file. To create custom rules and translate mixed-case Kerberos principals to lower-case Hadoop usernames.
If you specify custom mapping rules for a Kerberos realm using the Additional Rules to Map Kerberos Principals to Short Names setting, ensure that the same realm is not specified in the Trusted Kerberos Realms setting. If it is, the auto-generated rule (which only strips the realm from the principal and does no additional transformations) takes precedence, and the custom rule is ignored.
- On the Cloudera Manager Admin Console, to choose cluster-wide actions.
- From the Actions drop-down button, select Deploy Client Configuration.
- From the Actions drop-down button, select Restart and wait for the restart process to finish.
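The precedence caveat above (a realm listed in Trusted Kerberos Realms and also given a custom rule) can be checked with a small first-match-wins evaluator for auth_to_local rules. This is an added example, not Cloudera's or Hadoop's own code; the realm names, the principal, the exact shape of the auto-generated rule, and modeling precedence as rule order are assumptions, and Python's regex engine stands in for Java's.

```python
import re

# Rule shape handled here: RULE:[n:format](regex)s/pattern/replacement/[g][/L]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/([^/]*)/([^/]*)/(g)?(/L)?$")

def apply_rule(rule, principal, default_realm):
    """Return the short name if the rule matches the principal, else None."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT only maps principals from the cluster's own realm.
        return components[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule: {rule}")
    n, fmt, regex, pattern, repl, is_global, lower = m.groups()
    if len(components) != int(n):
        return None  # rule applies only to principals with n components
    params = [realm] + components  # $0 is the realm, $1.. the components
    base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
    if not re.fullmatch(regex, base):
        return None
    short = re.sub(pattern, repl, base, count=0 if is_global else 1)
    return short.lower() if lower else short

def to_short_name(rules, principal, default_realm):
    """Rules are tried in order; the first one that matches decides."""
    for rule in rules:
        short = apply_rule(rule, principal, default_realm)
        if short is not None:
            return short
    return None  # no rule matched: the principal is not mapped

# Constructed sample values, not taken from the page.
DEFAULT_REALM = "CLUSTER.EXAMPLE.COM"
CUSTOM = "RULE:[1:$1@$0](.*@CORP.EXAMPLE.COM)s/@.*///L"  # strip realm, lower-case
AUTO = "RULE:[1:$1@$0](.*@CORP.EXAMPLE.COM)s/@.*//"      # assumed shape: strip realm only

# Realm in Trusted Kerberos Realms AND given a custom rule: the auto rule wins.
both = to_short_name([AUTO, CUSTOM, "DEFAULT"], "JSmith@CORP.EXAMPLE.COM", DEFAULT_REALM)
# Realm handled only by the custom rule: the lower-casing takes effect.
custom_only = to_short_name([CUSTOM, "DEFAULT"], "JSmith@CORP.EXAMPLE.COM", DEFAULT_REALM)

if __name__ == "__main__":
    print(both, custom_only)
```

When the two results differ only by case, the same person resolves to different Hadoop usernames depending on which setting holds the realm, so compare the mapped name against the accounts your authorization rules expect.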
