Llama Security Configuration
This section describes how to configure Llama in CDH 5 with Kerberos security
in a Hadoop cluster.
Note: At this point Llama has been tested only in a Cloudera Manager
deployment. For information on using Cloudera Manager to configure Llama and Impala, see
Installing Impala with Cloudera Manager.
Configuring Llama to Support Kerberos Security
- Create a Llama service user principal using the syntax llama/<fully.qualified.domain.name>@<YOUR-REALM>, where fully.qualified.domain.name is the host where Llama is running and YOUR-REALM is the name of your Kerberos realm. This principal is used to authenticate with the Hadoop cluster:
$ kadmin
kadmin: addprinc -randkey llama/fully.qualified.domain.name@YOUR-REALM
- Create a keytab file with the Llama principal:
$ kadmin
kadmin: xst -k llama.keytab llama/fully.qualified.domain.name
- Test that the credentials in the keytab file work. For
example:
$ klist -e -k -t llama.keytab
- Copy the llama.keytab file to the Llama configuration directory. The owner of the llama.keytab file should be the llama user and the file should have owner-only read permissions.
- Edit the Llama llama-site.xml configuration file in the
Llama configuration directory by setting the following properties:
| Property | Value |
|---|---|
| llama.am.server.thrift.security | true |
| llama.am.server.thrift.kerberos.keytab.file | llama/conf.keytab |
| llama.am.server.thrift.kerberos.server.principal.name | llama/<fully.qualified.domain.name> |
| llama.am.server.thrift.kerberos.notification.principal.name | impala |
Important:
You must restart Llama to make the configuration changes take effect.
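A check of the keytab permissions and the llama-site.xml properties described above that can be run before the restart. It is an added example, not part of the original documentation or of Llama itself. The function names, the sample host name and the Hadoop-style `<configuration>`/`<property>` layout of llama-site.xml are assumptions.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Properties from the table above; None means any non-empty value is accepted.
REQUIRED = {
    "llama.am.server.thrift.security": "true",
    "llama.am.server.thrift.kerberos.keytab.file": None,
    "llama.am.server.thrift.kerberos.server.principal.name": None,
    "llama.am.server.thrift.kerberos.notification.principal.name": None,
}

# Constructed sample; assumes the Hadoop-style <configuration>/<property> layout.
SAMPLE_SITE_XML = """<configuration>
  <property><name>llama.am.server.thrift.security</name><value>true</value></property>
  <property><name>llama.am.server.thrift.kerberos.keytab.file</name><value>llama/conf.keytab</value></property>
  <property><name>llama.am.server.thrift.kerberos.server.principal.name</name><value>llama/host.example.com</value></property>
  <property><name>llama.am.server.thrift.kerberos.notification.principal.name</name><value>impala</value></property>
</configuration>"""

def check_site_xml(xml_text):
    """Return a list of problems with the Kerberos properties in llama-site.xml."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        props[name] = (prop.findtext("value") or "").strip()
    problems = []
    for name, expected in REQUIRED.items():
        value = props.get(name, "")
        if not value:
            problems.append(f"{name}: not set")
        elif expected is not None and value.lower() != expected:
            problems.append(f"{name}: is {value!r}, expected {expected!r}")
    return problems

def check_keytab(path, owner_uid):
    """Return problems unless path is a regular file owned by owner_uid with mode 0400."""
    st = os.lstat(path)  # lstat: a symlink in place of the keytab is reported, not followed
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        problems.append(f"{path}: mode {mode:04o}, expected 0400")
    return problems
```

On the Llama host, pass the contents of llama-site.xml to `check_site_xml` and call `check_keytab` with `pwd.getpwnam("llama").pw_uid` as `owner_uid`; an empty list from both means the settings match the steps above.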