Creating Kerberized Clusters With Altus Director

Using Altus Director 2.0 and higher with Cloudera Manager 5.5.0 and higher, you can create and configure Kerberized Cloudera Manager clusters. To launch a Kerberized cluster, edit the configuration file as described below and launch the cluster with the Altus Director client, using the bootstrap-remote command to send the configuration file to a running Altus Director server.

You must have an existing Kerberos Key Distribution Center (KDC) set up, and it must be reachable from the instance where the Altus Director server is running and from the instances where your Cloudera Manager cluster will be deployed. You must also set up a Kerberos realm for the cluster and a principal in that realm.

Creating a Kerberized Cluster with the Altus Director Configuration File

A sample configuration file for creating Kerberized Cloudera Manager clusters is available on the Cloudera GitHub site: director-scripts/kerberos/aws.kerberos.sample.conf.

The settings for enabling Kerberos are in the Cloudera Manager section of the configuration file. Provide values for the following configuration settings:

Configuration setting and description:

krbAdminUsername
   An administrative Kerberos account with permissions that allow the creation of principals on the KDC that Cloudera Manager will be using. This is typically in the format principal@your.KDC.realm.

krbAdminPassword
   The password for the administrative Kerberos account.

KDC_TYPE
   The type of KDC Cloudera Manager will use. Valid values are "MIT KDC" and "Active Directory".

KDC_HOST
   The hostname or IP address of the KDC.

SECURITY_REALM
   The security realm that the KDC uses.

AD_KDC_DOMAIN
   The Active Directory suffix under which all the accounts used by CDH daemons will be created. Used only if an Active Directory KDC is used for authentication. The value must be in the format of an X.500 Directory Specification (DC=domain,DC=example,DC=com).

KRB_MANAGE_KRB5_CONF
   Set this to true. This allows Cloudera Manager to deploy Kerberos configurations to cluster instances. The value false is not supported for this configuration setting.

KRB_ENC_TYPES
   The encryption types your KDC supports. Some of the encryption types listed in the sample configuration file require the unlimited strength JCE policy files.

Other Kerberos configuration options are available to Cloudera Manager. For more information, see Configuring Authentication in the Cloudera Security guide.

The following example shows the cloudera-manager section of a configuration file with Kerberos enabled against an MIT KDC:

cloudera-manager {
   instance: ${instances.cm-image} {
      tags {
         application: "Cloudera Manager 5"
      }
   }

   #
   # Automatically activate 60-Day Cloudera Enterprise Trial
   #
   enableEnterpriseTrial: true

   unlimitedJce: true

   # Kerberos principal and password for use by Altus Director
   krbAdminUsername: "principal@my.kdc.realm"
   krbAdminPassword: "password"

   # Cloudera Manager configuration values
   configs {
      CLOUDERA_MANAGER {
         KDC_TYPE: "MIT KDC"
         KDC_HOST: "KDC_host_ip_address"
         SECURITY_REALM: "my_security_realm"
         KRB_MANAGE_KRB5_CONF: true
         KRB_ENC_TYPES: "aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc"
      }
   }
}
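As an added pre-flight check that is not part of Altus Director or Cloudera's scripts, the following script reads the Kerberos settings described in the table above out of a cloudera-manager section and reports the mistakes that commonly slip through: a missing AD_KDC_DOMAIN with an Active Directory KDC, KRB_MANAGE_KRB5_CONF not set to true, aes256 enctypes without unlimitedJce, and the deprecated DES, 3DES and RC4 enctypes that the sample list still carries. The sample section is constructed from the example on this page, and the line parser is a small regex over key: value lines rather than a full HOCON parser.

```python
import re

# Constructed sample (assumption): the Kerberos-relevant lines of the cloudera-manager section on this page.
SAMPLE_CONF = '''
cloudera-manager {
   unlimitedJce: true
   krbAdminUsername: "principal@my.kdc.realm"
   krbAdminPassword: "password"
   configs {
      CLOUDERA_MANAGER {
         KDC_TYPE: "MIT KDC"
         KDC_HOST: "KDC_host_ip_address"
         SECURITY_REALM: "my_security_realm"
         KRB_MANAGE_KRB5_CONF: true
         KRB_ENC_TYPES: "aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc"
      }
   }
}
'''
# Kerberos enctypes deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
WEAK_ENC_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")
REQUIRED = ("krbAdminUsername", "krbAdminPassword", "KDC_TYPE", "KDC_HOST", "SECURITY_REALM")
# Matches `key: "quoted"` or `key: bare` lines; a subset parser, not full HOCON.
KEY_RE = re.compile(r'^\s*(\w+)\s*:\s*(?:"([^"]*)"|(\S+))', re.MULTILINE)

def parse_settings(conf_text):
    """Flatten key: value lines into a dict (nesting ignored; the names checked here are unique)."""
    settings = {}
    for key, quoted, bare in KEY_RE.findall(conf_text):
        settings[key] = quoted if quoted else bare
    return settings

def check_kerberos_settings(conf_text):
    """Return a list of findings; an empty list means the section passes these checks."""
    s = parse_settings(conf_text)
    findings = [f"missing required setting {k}" for k in REQUIRED if k not in s]
    if "@" not in s.get("krbAdminUsername", ""):
        findings.append("krbAdminUsername should be in the form principal@REALM")
    if s.get("KDC_TYPE") not in ("MIT KDC", "Active Directory"):
        findings.append('KDC_TYPE must be "MIT KDC" or "Active Directory"')
    if s.get("KDC_TYPE") == "Active Directory" and "AD_KDC_DOMAIN" not in s:
        findings.append("AD_KDC_DOMAIN is required with an Active Directory KDC")
    if s.get("KRB_MANAGE_KRB5_CONF") != "true":
        findings.append("KRB_MANAGE_KRB5_CONF must be true (false is not supported)")
    enc_types = s.get("KRB_ENC_TYPES", "").split()
    weak = [e for e in enc_types if e.startswith(WEAK_ENC_PREFIXES)]
    if weak:
        findings.append("weak/deprecated encryption types enabled: " + " ".join(weak))
    if any(e.startswith("aes256") for e in enc_types) and s.get("unlimitedJce") != "true":
        findings.append("aes256 encryption types require unlimitedJce: true")
    return findings
```

Run it over a real configuration file before bootstrap-remote; for the page's sample the only finding is the list of deprecated enctypes, which is resolved by trimming KRB_ENC_TYPES to the AES types the KDC supports.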