Step 7: Enable Hadoop Security
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
To enable Hadoop security for the cluster, you enable it on an HDFS service. After you do so, the Cloudera Manager Server automatically enables Hadoop security on the MapReduce and YARN services associated with that HDFS service.
- Go to the HDFS Service > Configuration tab.
- In the Search field, type Hadoop Secure to show the Hadoop security properties (found under the Service-Wide > Security category).
- Click the value for the Hadoop Secure Authentication property and select the kerberos option to enable Hadoop security on the selected HDFS service.
- Click the value for the Hadoop Secure Authorization property and select the checkbox to enable service-level authorization on the selected HDFS service.
You can specify comma-separated lists of users and groups authorized to use Hadoop services or perform admin operations using the following properties under the Service-Wide > Security section:
- Authorized Users: Comma-separated list of users authorized to use Hadoop services.
- Authorized Groups: Comma-separated list of groups authorized to use Hadoop services.
- Authorized Admin Users: Comma-separated list of users authorized to perform admin operations on Hadoop.
- Authorized Admin Groups: Comma-separated list of groups authorized to perform admin operations on Hadoop.
- In the Search field, type DataNode Transceiver to find the DataNode Transceiver Port property.
- Click the value for the DataNode Transceiver Port property and specify a privileged port number (below 1024). Cloudera recommends 1004.
- In the Search field, type DataNode HTTP to find the DataNode HTTP Web UI Port property and specify a privileged port number (below 1024). Cloudera recommends 1006.
- In the Search field type Data Directory Permissions to find the DataNode Data Directory Permissions property.
- Reset the value for the DataNode Data Directory Permissions property to the default value of 700 if not already set to that.
- Make sure you have changed the DataNode Transceiver Port, DataNode Data Directory Permissions and DataNode HTTP Web UI Port properties for every DataNode role group.
- Click Save Changes to save the configuration settings.
To enable ZooKeeper security:
- Go to the ZooKeeper Service > Configuration tab and click View and Edit.
- Click the value for Enable Kerberos Authentication property.
- Click Save Changes to save the configuration settings.
To enable HBase security:
- Go to the HBase Service > Configuration tab and click View and Edit.
- In the Search field, type HBase Secure to show the Hadoop security properties (found under the Service-Wide > Security category).
- Click the value for the HBase Secure Authorization property and select the checkbox to enable authorization on the selected HBase service.
- Click the value for the HBase Secure Authentication property and select kerberos to enable authorization on the selected HBase service.
- Click Save Changes to save the configuration settings.
(CDH 4.3 or later) To enable Solr security:
- Go to the Solr Service > Configuration tab and click View and Edit.
- In the Search field, type Solr Secure to show the Solr security properties (found under the Service-Wide > Security category).
- Click the value for the Solr Secure Authentication property and select kerberos to enable authorization on the selected Solr service.
- Click Save Changes to save the configuration settings.