Step 6: Get or Create a Kerberos Principal for Each User Account
Now that Kerberos is configured and enabled on your cluster, you and every other Hadoop user must have a Kerberos principal or keytab to obtain Kerberos credentials to be allowed to access the cluster and use the Hadoop services. In the next step of this procedure, you will need to create your own Kerberos principals in order to verify that Kerberos security is working on your cluster. If you and the other Hadoop users already have a Kerberos principal or keytab, or if your Kerberos administrator can provide them, you can skip ahead to the next step.
The following instructions explain how to create a Kerberos principal for a user account.
If you are using Active Directory
Add a new AD user account, <username>@YOUR-REALM.COM for each Cloudera Manager service that should use Kerberos authentication.
If you are using MIT KDC
- In the kadmin.local or kadmin shell, use the following command to create a principal for your account by replacing YOUR-LOCAL-REALM.COM with the name of
your realm, and replacing USERNAME with a username:
kadmin: addprinc USERNAME@YOUR-LOCAL-REALM.COM
- When prompted, enter the password twice.