Llama Authentication

This section describes how to configure Llama in CDH 5 with Kerberos security in a Hadoop cluster.

Configuring Llama to Support Kerberos Security

  1. Create a Llama service user principal using the syntax: llama/fully.qualified.domain.name@YOUR-REALM. This principal is used to authenticate with the Hadoop cluster, where fully.qualified.domain.name is the host where Llama is running and YOUR-REALM is the name of your Kerberos realm:
    $ kadmin
    kadmin: addprinc -randkey 
    llama/fully.qualified.domain.name@YOUR-REALM
  2. Create a keytab file with the Llama principal:
    $ kadmin
    kadmin: xst -k llama.keytab llama/fully.qualified.domain.name
  3. Test that the credentials in the keytab file work. For example:
    $ klist -e -k -t llama.keytab
  4. Copy the llama.keytab file to the Llama configuration directory. The owner of the llama.keytab file should be the llama user and the file should have owner-only read permissions.
  5. Edit the Llama llama-site.xml configuration file in the Llama configuration directory by setting the following properties:
    Property Value
    llama.am.server.thrift.security true
    llama.am.server.thrift.kerberos.keytab.file llama/conf.keytab
    llama.am.server.thrift.kerberos.server.principal.name llama/fully.qualified.domain.name
    llama.am.server.thrift.kerberos.notification.principal.name impala
  6. Restart Llama to make the configuration changes take effect.