Configuring Hadoop Authentication

Learn about how to configure Hadoop Authentication for a service.

Cloudera Data Engineering UI
Cloudera Data Engineering CLI
Cloudera Data Engineering API

In the Cloudera console, click the Data Engineering tile. The Cloudera Data Engineering Home page displays.
Click Administration in the left navigation menu. The Administration page displays.
In the Services column, select the environment for which you want to configure the Hadoop Authentication and click Service Details.
Click Hadoop Authentication.
note
- In the Hadoop Authentication tab, the User field is automatically populated with the username of the logged-in user.
- Only logged-in users can access their Hadoop authentication details in Cloudera Data Engineering Service. No user can view another user's Hadoop authentication details, even if they have DEAdmin or Service Admin roles.
Enter the Principal value.
Under Authentication Type, choose one of the following options:
- Using the Keytab file:
  1. Under Authentication Type, select the Keytab file checkbox.
    important
    To generate a keytab named <username>.keytab manually for a user using ktutil, run the following commands:
    sudo ktutil ktutil: addent -password -p <username>@EXAMPLE.COM -k 1 -f Password for <username>@EXAMPLE.COM: ktutil: addent -password -p <username>@EXAMPLE.COM -k 2 -f Password for <username>@EXAMPLE.COM: ktutil: wkt <username>.keytab ktutil: q
    For example, if you want to generate a keytab named psherman.keytab, run the following commands:
    sudo ktutil ktutil: addent -password -p psherman@EXAMPLE.COM -k 1 -f Password for psherman@EXAMPLE.COM: ktutil: addent -password -p psherman@EXAMPLE.COM -k 2 -f Password for psherman@EXAMPLE.COM: ktutil: wkt psherman.keytab ktutil: q
  2. Click Select File and select the relevant keytab file. For instructions about getting the keytab file, see Kerberos Configuration Strategies for CDP.
- Using password:
  note
  This option is available only from Cloudera Data Engineering 1.5.5 SP1 onward.
  1. Under the Authentication Type, select the Password checkbox.
  2. In the Password text box, enter the Kerberos password.
Click Authenticate.

cde kerberos authenticate [***KERBEROS-AUTHENTICATION-FLAG***]

Use one of the following flag value pairs depending on the type of authentication you want to use:

Using a password:
note
This option is available only from Cloudera Data Engineering 1.5.5 SP1 onward.
- --principal string – Enter the Kerberos principal when prompted
- --password – Enter the password when prompted
Using the Keytab file:
- --principal string – Enter the Kerberos principal when prompted
- --keytab-file string – Enter the keytab file path when prompted

Get the Keytab metadata. For instructions about getting the keytab file, see Kerberos Configuration Strategies for CDP.
```
curl -X GET -H "Authorization: Bearer ${CDE_TOKEN}" \
<service-url>/user-auth/api/v1/kerberos
```
To get the CDE_TOKEN and service-url values, see Getting a Cloudera Data Engineering API access token.
important
To get the CDE_TOKEN value for Machine Users, see Using CDP Access keys tab in Getting a Cloudera Data Engineering API access token page.

Update Hadoop Authenticaion using one of the following methods:

Using a password:

curl -H "Authorization: Bearer ${CDE_TOKEN}" <service-url>/user-auth/api/v1/kerberos \
-H "Content-Type: application/json" \
-X POST 
--form 'principal="<Principal>"' \
--form 'password="<password>"'

Using the Keytab file:

curl -H "Authorization: Bearer ${CDE_TOKEN}" <service-url>/user-auth/api/v1/kerberos \
-H "Content-Type: application/json" \
-X POST 
--form 'principal="<Principal>"' \
--form 'file=@"</path/to/keytab/file>"'