Enabling Kerberos authentication

To securely reach the Streaming SQL Console and to use Knox authentication, you need to enable Kerberos authentication both in Cloudera Manager and directly in your browser.

When Kerberos authentication is set up for SSB and an unauthorized user tries to reach the Streaming SQL Console, the following error message appears:
  1. Go to your cluster in Cloudera Manager.
  2. Click SQL Stream Builder from the list of services.
  3. Go to the Configuration tab.
  4. Select Category > Security.
  5. Type kerberos in the search field.
  6. Select the Enable Kerberos authentication setting.
  7. Open a terminal window.
  8. Configure your browser for Kerberos authentication:
    • Mozilla Firefox
      1. Load the about:config page to open the low-level Firefox configuration.
      2. Search for the network.negotiate-auth.trusted-uris preference.
      3. Open the network.negotiate-auth.trusted-uris preference.
      4. Enter the hostnames of the SQL Stream Console that are protected by Kerberos HTTP SPNEGO.
      5. Click Ok.
    • Internet Explorer
      1. Configure the Local Intranet Domain
        1. Click on the Settings icon in Internet Explorer.
        2. Go to Internet options > Security.
        3. Select Local Intranet zone.
        4. Click on Sites.
        5. Review that the following options are checked:
          • Include all local (intranet) sites not listed in other zones
          • Include all sites that bypass the proxy server
        6. Click Advanced.
        7. Enter the hostnames and domains of the SQL Stream Console that are protected by Kerberos HTTP SPNEGO.
        8. Click Ok.
      2. Configure the Intranet Authentication
        1. Click on the Settings icon in Internet Explorer.
        2. Go to Internet options > Security.
        3. Select Local Intranet zone.
        4. Click on Custom level.

          The Security Settings - Local Intranet Zone dialog box opens.

        5. Scroll down to the User Authentication options.
        6. Select Automatic logon only in Intranet Zone.
        7. Click Ok.
      3. Verify the Proxy Settings
        1. Make sure that you enabled a proxy server.
        2. Click on the Settings icon in Internet Explorer.
        3. Go to Internet options > Connections.
        4. Select LAN settings.
        5. Confirm that the proxy server Address and Port number are correct.
        6. Click Advanced.

          The Proxy Settings dialog box opens.

        7. Add the Streaming SQL Console domains that are protected by Kerberos to the Exceptions field.
        8. Click Ok.
    • Google Chrome
      • Windows
        1. Open Control Panel > Internet Options > Security.
        2. Perform the steps from the Internet Explorer configuration.
      • macOS
        1. Open a terminal window.
        2. Copy and paste the following commands:
          defaults write com.google.Chrome AuthServerAllowlist "*<host_domain>,*<host_domain1>,*<host_domain2>"
          sudo scp <your_hostname>:/etc/krb5.conf /etc/krb5.conf

          You will be prompted to provide your password.

          kinit <username>
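
The AuthServerAllowlist value written in the macOS step decides which servers Chrome will attempt Kerberos (Negotiate) authentication with, so an overly broad pattern or an unfilled placeholder is worth catching before it is stored. The following shell function is an added example, not part of the Cloudera procedure; its acceptance rules and the example.com hostnames are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint a Chrome AuthServerAllowlist value before it is written.
# The acceptance rules are assumptions of this example, not Chrome or Cloudera rules.
# It does not consult the public suffix list, so "*.co.uk" would still pass.

# check_allowlist "<comma-separated patterns>"
# Prints one REJECT line per bad entry; returns 0 only if every entry passes.
check_allowlist() {
    list=$1
    rc=0
    if [ -z "$list" ]; then
        echo "REJECT: empty allowlist"
        return 1
    fi
    old_ifs=$IFS
    IFS=,
    set -f                              # split on commas without globbing '*'
    for entry in $list; do
        host=${entry#\*}                # drop one leading wildcard
        host=${host#.}                  # and the dot after it, if any
        reason=
        case "$host" in
            ""|.*|*.|*..*)     reason="empty host label, matches too much" ;;
            *[!A-Za-z0-9.-]*)  reason="unexpected character or unfilled placeholder" ;;
            *.*)               ;;       # at least two labels: accepted
            *)                 reason="single label, for example a bare TLD" ;;
        esac
        if [ -n "$reason" ]; then
            echo "REJECT: $entry ($reason)"
            rc=1
        fi
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Constructed sample value: the second entry is a bare wildcard.
check_allowlist "*.ssb.example.com,*" || echo "Fix the list before running defaults write."
```

Run the function on the exact string you intend to pass to defaults write, and store the value only when it returns 0.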