Step 17: (Optional) Require Authentication for HTTP Web Consoles

Required Role: Configurator, Cluster Administrator, or Full Administrator

Access to the web consoles for HTTP services, such as HDFS, MapReduce, and YARN roles can be restricted to only those users with valid Kerberos credentials. After configuring the cluster services as detailed below, the web service and the browser negotiate the authentication process using SPNEGO.

To require authentication for HTTP services on the cluster, including Web UIs:
  1. From the Clusters tab, select the service (HDFS, MapReduce, or YARN) for which you want to enable authentication.
  2. Click the Configuration tab.
  3. Under the Scope filter, click service_name (Service-Wide).
  4. Under the Category filter, click Security to display the security configuration options.
  5. In the Enable Kerberos Authentication for HTTP Web-Consoles setting, click the box to activate authentication requirement for the selected service_name (Service-Wide).
  6. Click Save Changes to save the change.

Cloudera Manager generates new credentials for the service. When the process finishes, restart all roles for that service.

Repeat this process for the other services for which you want to require Kerberos authentication.

Configure your browser to support authentication to the HTTP services by following the appropriate steps for your browser in How to Configure Browsers for Kerberos Authentication.