Creating Kerberized Clusters With Altus Director
Using Altus Director 2.0 and higher with Cloudera Manager 5.5.0 and higher, you can create and configure Kerberized Cloudera Manager clusters. To launch a Kerberized cluster, edit the configuration file as described below and launch the cluster with Altus Director client, using the bootstrap-remote command to send the configuration file to a running Altus Director server.
You must have an existing Kerberos Key Distribution Center (KDC) set up, and it must be reachable by the instance where Altus Director server is running and the instances where your Cloudera Manager cluster will be deployed. You must also set up a Kerberos realm for the cluster and a principal in that realm.
Creating a Kerberized Cluster with the Altus Director Configuration File
A sample configuration file for creating Kerberized Cloudera Manager clusters is available on the Cloudera GitHub site: director-scripts/kerberos/aws.kerberos.sample.conf.
The settings for enabling Kerberos are in the Cloudera Manager section of the configuration file. Provide values for the following configuration settings:
Configuration setting | Description |
---|---|
krbAdminUsername | An administrative Kerberos account with permissions that allow the creation of principals on the KDC that Cloudera Manager will be using. This is typically in the format principal@your.KDC.realm |
krbAdminPassword | The password for the administrative Kerberos account. |
KDC_TYPE | The type of KDC Cloudera Manager will use. Valid values are "MIT KDC" and "Active Directory". |
KDC_HOST | The hostname or IP address of the KDC. |
SECURITY_REALM | The security realm that the KDC uses. |
AD_KDC_DOMAIN | Active Directory suffix where all the accounts used by CDH daemons will be created. Used only if Active Directory KDC is being used for authentication. This configuration should be in the format of an X.500 Directory Specification (DC=domain,DC=example,DC=com). |
KRB_MANAGE_KRB5_CONF | Set this to true. This allows Cloudera Manager to deploy Kerberos configurations to cluster instances. The value false is not supported for this configuration setting. |
KRB_ENC_TYPES | The encryption types your KDC supports. Some of the encryption types listed in the sample configuration file require the unlimited strength JCE policy files. |
Other Kerberos configuration options are available to Cloudera Manager. For more information, see Configuring Authentication in the Cloudera Security guide.
The following example shows the cloudera-manager section of a configuration file with MIT KDC Kerberos enabled:
```hocon
cloudera-manager {
    instance: ${instances.cm-image} {
        tags {
            application: "Cloudera Manager 5"
        }
    }

    #
    # Automatically activate 60-Day Cloudera Enterprise Trial
    #
    enableEnterpriseTrial: true

    unlimitedJce: true

    # Kerberos principal and password for use by Altus Director
    krbAdminUsername: "principal@my.kdc.realm"
    krbAdminPassword: "password"

    # Cloudera Manager configuration values
    configs {
        CLOUDERA_MANAGER {
            KDC_TYPE: "MIT KDC"
            KDC_HOST: "KDC_host_ip_address"
            SECURITY_REALM: "my_security_realm"
            KRB_MANAGE_KRB5_CONF: true
            KRB_ENC_TYPES: "aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc"
        }
    }
}
```
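As an added pre-flight check (not part of Altus Director or the sample configuration), the script below applies the rules from the table above to the Kerberos settings before the file is sent with bootstrap-remote. It assumes the cloudera-manager section has already been loaded into a flat dict (the HOCON loader is out of scope); the sample values and the weak-cipher list are constructed here for illustration.

```python
import re

# Constructed sample: the Kerberos-related keys from the cloudera-manager section above.
SAMPLE = {
    "unlimitedJce": True,
    "krbAdminUsername": "principal@my.kdc.realm",
    "krbAdminPassword": "password",
    "KDC_TYPE": "MIT KDC",
    "KDC_HOST": "KDC_host_ip_address",
    "SECURITY_REALM": "my_security_realm",
    "KRB_MANAGE_KRB5_CONF": True,
    "KRB_ENC_TYPES": "aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac "
                     "des-hmac-sha1 des-cbc-md5 des-cbc-crc",
}

VALID_KDC_TYPES = {"MIT KDC", "Active Directory"}
# AES-256 enctypes need the unlimited-strength JCE policy on older JDKs.
NEEDS_UNLIMITED_JCE = {"aes256-cts", "aes256-cts-hmac-sha1-96"}
# DES-family and RC4 enctypes are weak; they are flagged for review, not rejected.
WEAK_ENC_TYPES = {"des-hmac-sha1", "des-cbc-md5", "des-cbc-crc", "des3-hmac-sha1", "arcfour-hmac"}
# X.500 DN such as OU=hadoop,DC=example,DC=com
X500_DN = re.compile(r"^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*$")

def check_kerberos_settings(cfg):
    """Return a list of (severity, message) findings; an empty list means all checks passed."""
    findings = []
    if not re.match(r"^[^@\s]+@[^@\s]+$", cfg.get("krbAdminUsername", "")):
        findings.append(("error", "krbAdminUsername must look like principal@your.KDC.realm"))
    if not cfg.get("krbAdminPassword"):
        findings.append(("error", "krbAdminPassword is empty"))
    kdc_type = cfg.get("KDC_TYPE")
    if kdc_type not in VALID_KDC_TYPES:
        findings.append(("error", f"KDC_TYPE {kdc_type!r} must be 'MIT KDC' or 'Active Directory'"))
    for key in ("KDC_HOST", "SECURITY_REALM"):
        if not cfg.get(key):
            findings.append(("error", f"{key} is required"))
    if kdc_type == "Active Directory" and not X500_DN.match(cfg.get("AD_KDC_DOMAIN", "")):
        findings.append(("error", "AD_KDC_DOMAIN must be an X.500 DN such as DC=example,DC=com"))
    if cfg.get("KRB_MANAGE_KRB5_CONF") is not True:
        findings.append(("error", "KRB_MANAGE_KRB5_CONF must be true; false is not supported"))
    enc_types = set(cfg.get("KRB_ENC_TYPES", "").split())
    if not enc_types:
        findings.append(("error", "KRB_ENC_TYPES is empty"))
    if NEEDS_UNLIMITED_JCE & enc_types and not cfg.get("unlimitedJce"):
        findings.append(("error", "aes256 enctypes require unlimitedJce: true"))
    weak = sorted(WEAK_ENC_TYPES & enc_types)
    if weak:
        findings.append(("warning", "weak encryption types enabled: " + ", ".join(weak)))
    return findings

if __name__ == "__main__":
    for severity, msg in check_kerberos_settings(SAMPLE):
        print(f"[{severity}] {msg}")
```

Run against the sample section, the only finding is the warning about the DES and RC4 enctypes; trimming KRB_ENC_TYPES to the AES types removes it.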