Creating Kerberized Clusters With Altus Director

Using Altus Director 2.0 and higher with Cloudera Manager 5.5.0 and higher, you can create and configure Kerberized Cloudera Manager clusters. To launch a Kerberized cluster, edit the configuration file as described below and launch the cluster with the Altus Director client, using the bootstrap-remote command to send the configuration file to a running Altus Director server.

You must have an existing Kerberos Key Distribution Center (KDC) set up, and it must be reachable (TCP and UDP port 88 by default) from the instance where Altus Director server is running and from the instances where your Cloudera Manager cluster will be deployed. You must also set up a Kerberos realm for the cluster and an administrative principal in that realm that is allowed to create other principals; Cloudera Manager uses it to create the service principals for the cluster.

Creating a Kerberized Cluster with the Altus Director Configuration File

A sample configuration file for creating Kerberized Cloudera Manager clusters is available on the Cloudera GitHub site: director-scripts/kerberos/aws.kerberos.sample.conf.

The settings for enabling Kerberos are in the cloudera-manager section of the configuration file. krbAdminUsername and krbAdminPassword are set directly in that section; the remaining settings are Cloudera Manager configuration values and go under configs { CLOUDERA_MANAGER { ... } }. Provide values for the following configuration settings:

Configuration setting and description

krbAdminUsername
   An administrative Kerberos account with permission to create principals on the KDC that Cloudera Manager will be using. This is typically in the format principal@your.KDC.realm; the realm portion must be the realm given in SECURITY_REALM.

krbAdminPassword
   The password for the administrative Kerberos account. It is stored in the configuration file in plaintext, so restrict read access to the file and do not check it into source control.

KDC_TYPE
   The type of KDC Cloudera Manager will use. Valid values are "MIT KDC" and "Active Directory".

KDC_HOST
   The hostname or IP address of the KDC.

SECURITY_REALM
   The security realm that the KDC uses. Kerberos realm names are case-sensitive; use the realm exactly as the KDC defines it.

AD_KDC_DOMAIN
   Active Directory suffix under which all the accounts used by CDH daemons will be created. Used only if an Active Directory KDC is being used for authentication. Specify it in the format of an X.500 Directory Specification (DC=domain,DC=example,DC=com).

KRB_MANAGE_KRB5_CONF
   If set to true, Cloudera Manager deploys the Kerberos client configuration (krb5.conf) to cluster instances. If false, Cloudera Manager does not deploy it, and you must set up your own method to deploy the Kerberos configuration to every cluster instance.

KRB_ENC_TYPES
   The encryption types your KDC supports, as a space-separated list. Some of the encryption types listed in the sample configuration file (the aes256 types) require the unlimited strength JCE policy files, which is why the sample also sets unlimitedJce: true. The single-DES types (des-cbc-crc, des-cbc-md5, des-hmac-sha1) and arcfour-hmac (RC4) in the sample list are weak; list only the types your KDC actually offers and prefer the AES types.

Other Kerberos configuration options are available to Cloudera Manager. For more information, see Configuring Authentication in the Cloudera Security guide.

The following example shows the cloudera-manager section of a configuration file with MIT KDC Kerberos enabled:

cloudera-manager {
   instance: ${instances.cm-image} {
      tags {
         application: "Cloudera Manager 5"
      }
   }

   #
   # Automatically activate 60-Day Cloudera Enterprise Trial
   #
   enableEnterpriseTrial: true

   # Needed for the aes256 encryption types listed in KRB_ENC_TYPES below
   unlimitedJce: true

   # Kerberos admin principal and password used by Altus Director and
   # Cloudera Manager to create the cluster's service principals. The realm
   # portion must match SECURITY_REALM below. The password is stored here in
   # plaintext, so keep this file readable only by the user running the
   # Altus Director client.
   krbAdminUsername: "principal@my.kdc.realm"
   krbAdminPassword: "password"

   # Cloudera Manager configuration values
   configs {
      CLOUDERA_MANAGER {
         KDC_TYPE: "MIT KDC"
         KDC_HOST: "KDC_host_ip_address"
         SECURITY_REALM: "my.kdc.realm"
         KRB_MANAGE_KRB5_CONF: true
         # Trim this list to the types your KDC supports. The DES and
         # arcfour-hmac (RC4) entries are weak and appear here only because
         # the sample file lists them.
         KRB_ENC_TYPES: "aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc"
      }
   }
}
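A mistake in these settings usually surfaces only after bootstrap-remote has already provisioned instances and Cloudera Manager fails to create principals. The following preflight check is an added example, not part of Altus Director or Cloudera Manager: it takes the cloudera-manager section as nested Python dicts (parsing the HOCON file itself is out of scope and assumed to be done by the caller), verifies the constraints described above (principal/realm agreement, valid KDC_TYPE, the AD_KDC_DOMAIN format for Active Directory, unlimitedJce for aes256 types) and flags the weak encryption types carried over from the sample file. The kdc_reachable helper is a plain TCP probe of port 88 and is only run from the usage block, since it needs a real KDC. The WEAK_ENC_TYPES and AES256_ENC_TYPES lists and the SAMPLE settings are my own constructions.

```python
"""Preflight checks for the Kerberos settings of an Altus Director config.

Added example; not code from Altus Director or Cloudera Manager.
"""
import re
import socket

# Encryption types that are broken or deprecated: single DES, 3DES (RFC 8429)
# and RC4-HMAC. Offering them lets a client or attacker negotiate weak keys.
WEAK_ENC_TYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1",
    "des3-cbc-sha1", "des3-hmac-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
}

# 256-bit AES types need the unlimited strength JCE policy on the JVMs,
# which is what unlimitedJce: true arranges in the page's sample.
AES256_ENC_TYPES = {
    "aes256-cts", "aes256-cts-hmac-sha1-96", "aes256-cts-hmac-sha384-192",
}

# principal@REALM or service/host@REALM; group 1 captures the realm.
PRINCIPAL_RE = re.compile(r"^[^@/\s]+(?:/[^@\s]+)?@(\S+)$")
# X.500 style suffix such as DC=domain,DC=example,DC=com
AD_DOMAIN_RE = re.compile(r"^DC=[^,=]+(?:,DC=[^,=]+)*$", re.IGNORECASE)


def check_kerberos_settings(cm):
    """Validate a cloudera-manager section given as nested dicts.

    Returns (errors, warnings). Errors should block bootstrap-remote;
    warnings are findings to review before launching.
    """
    errors, warnings = [], []
    configs = cm.get("configs", {}).get("CLOUDERA_MANAGER", {})

    realm = configs.get("SECURITY_REALM", "")
    if not realm:
        errors.append("SECURITY_REALM is required")

    admin = cm.get("krbAdminUsername", "")
    match = PRINCIPAL_RE.match(admin)
    if not match:
        errors.append("krbAdminUsername must be of the form principal@REALM")
    elif realm and match.group(1) != realm:
        # Realm names are case-sensitive; a mismatch is almost always a typo.
        errors.append("krbAdminUsername realm %r does not match SECURITY_REALM %r"
                      % (match.group(1), realm))

    if not cm.get("krbAdminPassword"):
        errors.append("krbAdminPassword is empty")

    kdc_type = configs.get("KDC_TYPE")
    if kdc_type not in ("MIT KDC", "Active Directory"):
        errors.append("KDC_TYPE must be 'MIT KDC' or 'Active Directory', got %r" % (kdc_type,))

    if not configs.get("KDC_HOST"):
        errors.append("KDC_HOST is required")

    if kdc_type == "Active Directory":
        if not AD_DOMAIN_RE.match(configs.get("AD_KDC_DOMAIN", "")):
            errors.append("AD_KDC_DOMAIN must be an X.500 suffix such as DC=example,DC=com")

    enc_types = configs.get("KRB_ENC_TYPES", "").split()
    if not enc_types:
        errors.append("KRB_ENC_TYPES is empty")
    weak = [e for e in enc_types if e.lower() in WEAK_ENC_TYPES]
    if weak:
        warnings.append("weak/deprecated encryption types listed: " + " ".join(weak))
    if any(e.lower() in AES256_ENC_TYPES for e in enc_types) and not cm.get("unlimitedJce"):
        errors.append("aes256 encryption types require unlimitedJce: true")

    if configs.get("KRB_MANAGE_KRB5_CONF") is False:
        warnings.append("KRB_MANAGE_KRB5_CONF is false: krb5.conf must be "
                        "distributed to every instance by other means")

    return errors, warnings


def kdc_reachable(host, port=88, timeout=3.0):
    """TCP probe of the KDC port. Run it from the Director server host and
    again from a cluster subnet; both must be able to reach the KDC."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sample_settings(unlimited_jce=True, **config_overrides):
    """Constructed settings mirroring the page's MIT KDC example, with the
    realm placeholders made consistent. Keyword args override CM configs."""
    configs = {
        "KDC_TYPE": "MIT KDC",
        "KDC_HOST": "KDC_host_ip_address",
        "SECURITY_REALM": "my.kdc.realm",
        "KRB_MANAGE_KRB5_CONF": True,
        "KRB_ENC_TYPES": "aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac "
                         "des-hmac-sha1 des-cbc-md5 des-cbc-crc",
    }
    configs.update(config_overrides)
    return {
        "unlimitedJce": unlimited_jce,
        "krbAdminUsername": "principal@my.kdc.realm",
        "krbAdminPassword": "password",
        "configs": {"CLOUDERA_MANAGER": configs},
    }


if __name__ == "__main__":
    settings = sample_settings()
    errs, warns = check_kerberos_settings(settings)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN: ", w)
    host = settings["configs"]["CLOUDERA_MANAGER"]["KDC_HOST"]
    print("KDC %s reachable on 88: %s" % (host, kdc_reachable(host)))
```

Run against the page's sample list, the check produces no errors and one warning naming des3-hmac-sha1, arcfour-hmac and the three DES types; swapping KDC_TYPE to "Active Directory" without AD_KDC_DOMAIN, or dropping unlimitedJce while keeping aes256-cts, produces an error before any instance is provisioned.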