
Configuring a Secure Credential Storage Provider for Cloudera Manager (Technical Preview)

You can configure Cloudera Manager to encrypt sensitive information stored in the Cloudera Manager database by configuring a Credential Storage Provider (CSP).

There are currently the following limitations:
  • Sensitive information that was written to the DB before the CSP was enabled will not be encrypted automatically. If you change any sensitive information, it will be encrypted.

    You can regenerate Kerberos credentials, which will then be encrypted. To regenerate the credentials, go to Administration > Security > Kerberos.

  • You cannot change the type of Secure Credential Store once you have enabled it.
  • Auto-TLS keys are not encrypted.
  • No rotation of encryption keys.
  • The CSP Keystore Password, CSP Truststore Password and CM Truststore Password are not encrypted, as they are needed to connect to the CSP in the first place.

Cloudera Manager stores a variety of sensitive information required for normal operations. This sensitive information is stored in plain text, either in the Cloudera Manager database or on disk.

You can configure Cloudera Manager to encrypt these sensitive values by configuring a Secure Credential Store that holds an encryption key used to encrypt and decrypt sensitive information, which is then stored only in encrypted form in the Cloudera Manager database. The following types of sensitive information can be encrypted:
  • Configuration parameters containing usernames and passwords (except for those needed for Cloudera Manager to access the CSP).

  • Kerberos keytabs

You can choose from the following types of Secure Credential Store:
  • None – Sensitive information is not encrypted in the Cloudera Manager database.
  • Vault – You can install and configure an external Vault, located on a different host, if desired. Cloudera recommends a Vault from Hashicorp.
  • Embedded – The credentials are stored on disk on the Cloudera Manager server host, where they are protected by file permissions. This type is less secure than using a Vault, but is easier to set up and manage.
  1. If you are using the Vault, install and configure the Vault on a host with network connectivity to the Cloudera Manager server:
    1. Install and configure the Vault from Hashicorp.
    2. Configure TLS.
    3. Enable the Vault secrets engine at a path that will be dedicated to Cloudera Manager’s use. Any Vault secrets engine is supported. See https://www.vaultproject.io/docs/secrets for more information. For example, the following enables a kv type secrets engine at path cm-secrets/:
      vault secrets enable -path=cm-secrets kv
      
    4. A certificate authentication method must be configured at the path certs/cert1. This is how Cloudera Manager will authenticate with Vault. The method must have a policy that allows Create/Update/List/Read/Delete at the applicable secrets path. See https://www.vaultproject.io/docs/auth/cert for more information on certificate authentication and https://www.vaultproject.io/docs/concepts/policies for more information on vault policies.
      Example setup:
      vault auth enable cert
      vault write auth/cert/certs/cert1 display_name=example policies=example-policy certificate=@your-ca-cert.pem
      
      Example policy:
      path "cm-secrets/*" {
        capabilities = ["create", "read", "update", "list", "delete"]
      }
    5. The Vault must be unsealed by the user whenever Cloudera Manager is running. See https://www.vaultproject.io/docs/concepts/seal for instructions on unsealing Vault.
  2. Enable the Secure Credential Store feature:
    1. On the Cloudera Manager server host, edit the following file: /etc/default/cloudera-scm-server and add the following line:
      export CMF_FF_CSP=true
    2. Restart the Cloudera Manager server:
      sudo service cloudera-scm-server restart
      
  3. Configure the Secure Credential Store in Cloudera Manager:
    1. Open the Cloudera Manager Admin Console.
    2. Go to Administration > Settings and select the Security category.
    3. Select the Credential Storage Provider Type. Choose one of the following:
      • None – Sensitive information is not encrypted in the Cloudera Manager database.
      • Vault – You can install and configure an external Vault, located on a different host, if desired. Cloudera recommends a Vault from Hashicorp.
      • Embedded – The credentials are stored on disk on the Cloudera Manager server host, where they are protected by file permissions. This type is less secure than using a Vault, but is easier to set up and manage.
  4. If you selected Vault, configure the following parameters:
    • Credential Storage Provider Address – enter the URL of the host where the Vault is installed.
    • Secrets Store Path – the path, on the host where the Vault is installed, under which credentials are written. The path specified here must not be used for anything else.
    • Credential Storage Provider Storage Path – the location on the Cloudera Manager server host where certificates for the Vault are stored. You can keep the default location of /opt/cloudera/csp-data or change it if needed.
  5. Upload the following certificates, either by copying them to the directory on the Cloudera Manager server host specified by the Credential Storage Provider Storage Path parameter, using the exact file names shown below, or by using the Cloudera Manager API to upload them through the CspResource endpoint. (You can use the Cloudera Manager API Explorer to do this: go to Support > API Explorer.)
    Certificate              File name on the Cloudera Manager host
    Certificate authority    csp-ca.pem
    Client certificate       csp-client.pem
    Client key               csp-client.key
  6. Restart the Cloudera Manager Server:
    sudo service cloudera-scm-server restart
    
Sensitive information is now encrypted in the Cloudera Manager database.
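The following script is an added example, not part of Cloudera's documentation or product code. It checks the two pieces of the Vault setup above that are easiest to get wrong: it emits the least-privilege Vault ACL policy for the dedicated secrets path (step 1.4), and it audits the Credential Storage Provider Storage Path (step 5) for the three exactly named files, PEM framing, and a client key that is not readable by group or other. The 0600 key-mode check is a hardening assumption of this example, not a requirement stated by the page; the placeholder PEM files that make_demo_dir writes are constructed, not real credentials.

```python
"""Post-setup checks for a Vault-backed Cloudera Manager CSP (added example).

Assumptions: the file names and default storage path are the ones listed in
the procedure; the private-key mode check (no group/other access) is this
example's own hardening choice.
"""
import os
import ssl
import stat
import tempfile

# Exact file names Cloudera Manager expects in the CSP storage path (from the table above).
REQUIRED_FILES = {
    "csp-ca.pem": "certificate",
    "csp-client.pem": "certificate",
    "csp-client.key": "private key",
}
DEFAULT_STORAGE_PATH = "/opt/cloudera/csp-data"


def vault_policy_hcl(secrets_path="cm-secrets"):
    """Return the minimal Vault ACL policy for the cert role:
    create/read/update/list/delete under the dedicated secrets path only."""
    secrets_path = secrets_path.strip("/")
    return (
        'path "%s/*" {\n'
        '  capabilities = ["create", "read", "update", "list", "delete"]\n'
        "}\n" % secrets_path
    )


def _pem_problem(path, kind):
    """Return a description of a framing problem, or None if the file looks like PEM.
    Certificates are round-tripped through ssl's PEM->DER helper, which rejects
    bad headers, footers and base64 (one certificate per file is assumed)."""
    try:
        with open(path, "r") as f:
            text = f.read().strip()
    except OSError as e:
        return "cannot read %s: %s" % (path, e)
    if kind == "certificate":
        try:
            ssl.PEM_cert_to_DER_cert(text)
        except ValueError as e:
            return "%s is not a PEM certificate: %s" % (path, e)
    elif "-----BEGIN" not in text or "PRIVATE KEY-----" not in text:
        return "%s does not look like a PEM private key" % path
    return None


def audit_csp_storage_dir(storage_path=DEFAULT_STORAGE_PATH):
    """Return a list of findings; an empty list means the directory is ready."""
    if not os.path.isdir(storage_path):
        return ["storage path %s does not exist" % storage_path]
    findings = []
    for name, kind in REQUIRED_FILES.items():
        path = os.path.join(storage_path, name)
        if not os.path.isfile(path):
            findings.append("missing %s (%s)" % (name, kind))
            continue
        problem = _pem_problem(path, kind)
        if problem:
            findings.append(problem)
        # The client key is what authenticates CM to Vault: keep it owner-only.
        if kind == "private key":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("%s is readable by group/other (mode %o)" % (name, mode))
    return findings


def make_demo_dir(key_mode=0o600, omit=()):
    """Build a CONSTRUCTED storage directory with placeholder PEM files so the
    audit can be exercised offline. `omit` names files to leave out."""
    root = tempfile.mkdtemp(prefix="csp-demo-")
    fake_cert = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    fake_key = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    for name, kind in REQUIRED_FILES.items():
        if name in omit:
            continue
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write(fake_cert if kind == "certificate" else fake_key)
        if kind == "private key":
            os.chmod(path, key_mode)
    return root


if __name__ == "__main__":
    print(vault_policy_hcl("cm-secrets"))
    for finding in audit_csp_storage_dir() or ["OK: %s is ready" % DEFAULT_STORAGE_PATH]:
        print(finding)
```

Run it on the Cloudera Manager server host before the final restart; a non-empty findings list points at the file that still needs copying or tightening. The policy text it prints can be saved and loaded with `vault policy write` and then attached to the certs/cert1 role as shown in step 1.4.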