Configuring Authentication in Cloudera Manager
Why Use Cloudera Manager to Implement Kerberos Authentication?
If you do not use Cloudera Manager to implement Hadoop security, you must manually create and deploy the Kerberos principals and keytabs on every host in your cluster. If you have a large number of hosts, this can be a time-consuming and error-prone process. After creating and deploying the keytabs, you must also manually configure properties in the core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg files on every host in the cluster to enable and configure Hadoop security in HDFS and MapReduce. You must also manually configure properties in the oozie-site.xml and hue.ini files on certain cluster hosts in order to enable and configure Hadoop security in Oozie and Hue.
Cloudera Manager enables you to automate all of those manual tasks. Cloudera Manager can automatically create and deploy a keytab file for the hdfs user and a keytab file for the mapred user on every host in your cluster, as well as keytab files for the oozie and hue users on select hosts. The hdfs keytab file contains entries for the hdfs principal and a host principal, and the mapred keytab file contains entries for the mapred principal and a host principal. The host principal will be the same in both keytab files. The oozie keytab file contains entries for the oozie principal and an HTTP principal. The hue keytab file contains an entry for the hue principal. Cloudera Manager can also automatically configure the appropriate properties in the core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg files on every host in the cluster, and the appropriate properties in oozie-site.xml and hue.ini for select hosts. Lastly, Cloudera Manager can automatically start up the NameNode, DataNode, Secondary NameNode, JobTracker, TaskTracker, Oozie Server, and Hue roles once all the appropriate configuration changes have been made.
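One way to check deployed keytabs against the layout described above, as an added example (not Cloudera's code): it parses `klist -kt` output and flags missing or unexpected principals, and checks that the hdfs and mapred keytabs share the same host principal. The sample listings, hostnames and realm are constructed, and the `.keytab` names in the messages are assumptions.

```python
EXPECTED = {  # keytab owner -> principal primaries the text says it holds
    "hdfs": {"hdfs", "host"},
    "mapred": {"mapred", "host"},
    "oozie": {"oozie", "HTTP"},
    "hue": {"hue"},
}

def principals(klist_text):
    """Return the set of principal names found in `klist -kt` output."""
    found = set()
    for line in klist_text.splitlines():
        fields = line.split()
        # Entry rows start with a numeric KVNO; header and ruler rows do not.
        if fields and fields[0].isdigit():
            found.update(f for f in fields[1:] if "@" in f)
    return found

def primary(principal):
    """'hdfs/node1.example.com@EXAMPLE.COM' -> 'hdfs'"""
    return principal.split("@", 1)[0].split("/", 1)[0]

def audit(owner, klist_text):
    """List deviations from the expected layout for one keytab."""
    seen = {primary(p) for p in principals(klist_text)}
    problems = [f"{owner}.keytab: missing {m} principal" for m in sorted(EXPECTED[owner] - seen)]
    problems += [f"{owner}.keytab: unexpected {u} principal" for u in sorted(seen - EXPECTED[owner])]
    return problems

def shared_host_principal(hdfs_text, mapred_text):
    """True when both keytabs carry the same host principal(s)."""
    pick = lambda text: {p for p in principals(text) if primary(p) == "host"}
    return bool(pick(hdfs_text)) and pick(hdfs_text) == pick(mapred_text)

# Constructed sample listings; the mapred one is deliberately wrong.
HDFS = """KVNO Timestamp           Principal
---- ------------------- ---------------------------------------
   2 01/01/2015 10:00:00 hdfs/node1.example.com@EXAMPLE.COM
   2 01/01/2015 10:00:00 host/node1.example.com@EXAMPLE.COM
"""
MAPRED = """KVNO Timestamp           Principal
---- ------------------- ---------------------------------------
   2 01/01/2015 10:00:00 mapred/node1.example.com@EXAMPLE.COM
   2 01/01/2015 10:00:00 hdfs/node1.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    for owner, text in (("hdfs", HDFS), ("mapred", MAPRED)):
        print(owner, audit(owner, text) or "ok")
    print("host principal shared:", shared_host_principal(HDFS, MAPRED))
```

A keytab that carries another service's principal, as in the constructed mapred listing, lets that service account authenticate as the other one, so an unexpected entry is worth investigating.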
Ways to Configure Kerberos Authentication Using Cloudera Manager
- Cloudera Manager 5.1 introduced a new wizard to automate the procedure to set up Kerberos on a cluster. Using the KDC information you enter, the wizard will create new principals and keytab files for your CDH services. The wizard can be used to deploy the krb5.conf file cluster-wide, and automate other manual tasks such as stopping all services, deploying client configuration and restarting all services on the cluster. If you want to use the Kerberos wizard, follow the instructions at Enabling Kerberos Authentication Using the Wizard.
- If you do not want to use the Kerberos wizard, follow the instructions at Enabling Kerberos Authentication Without the Wizard.
Continue reading:
- Cloudera Manager User Accounts
- Configuring External Authentication for Cloudera Manager
- Kerberos Concepts - Principals, Keytabs and Delegation Tokens
- Enabling Kerberos Authentication Using the Wizard
  - Considerations when using an Active Directory KDC
  - Step 1: Install Cloudera Manager and CDH
  - Step 2: If You are Using AES-256 Encryption, Install the JCE Policy File
  - Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server
  - Step 4: Enabling Kerberos Using the Wizard
  - Step 5: Create the HDFS Superuser
  - Step 6: Get or Create a Kerberos Principal for Each User Account
  - Step 7: Prepare the Cluster for Each User
  - Step 8: Verify that Kerberos Security is Working
  - Step 9: (Optional) Enable Authentication for HTTP Web Consoles for Hadoop Roles
- Enabling Kerberos Authentication for Single User Mode or Non-Default Users
- Configuring a Cluster with Custom Kerberos Principals
- Viewing and Regenerating Kerberos Principals
- Mapping Kerberos Principals to Short Names
- Using Auth-to-Local Rules to Isolate Cluster Users
- Configuring Kerberos for Flume Thrift Source and Sink
- Configuring YARN for Long-running Applications
- Enabling Kerberos Authentication Without the Wizard
  - Step 1: Install Cloudera Manager and CDH
  - Step 2: If You are Using AES-256 Encryption, Install the JCE Policy File
  - Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server
  - Step 4: Import KDC Account Manager Credentials
  - Step 5: Configure the Kerberos Default Realm in the Cloudera Manager Admin Console
  - Step 6: Stop All Services
  - Step 7: Enable Hadoop Security
  - Step 8: Wait for the Generate Credentials Command to Finish
  - Step 9: Enable Hue to Work with Hadoop Security using Cloudera Manager
  - Step 10: (Flume Only) Use Substitution Variables for the Kerberos Principal and Keytab
  - Step 11: (CDH 4.0 and 4.1 only) Configure Hue to Use a Local Hive Metastore
  - Step 12: Start All Services
  - Step 13: Deploy Client Configurations
  - Step 14: Create the HDFS Superuser Principal
  - Step 15: Get or Create a Kerberos Principal for Each User Account
  - Step 16: Prepare the Cluster for Each User
  - Step 17: Verify that Kerberos Security is Working
  - Step 18: (Optional) Enable Authentication for HTTP Web Consoles for Hadoop Roles