Managing Kerberos Credentials Using Cloudera Manager

Minimum Required Role: Full Administrator

As soon as you enable Hadoop secure authentication for HDFS and MapReduce service instances, Cloudera Manager starts creating the Kerberos principals for each of the role instances. The amount of time this process will take depends on the number of hosts and HDFS and MapReduce role instances on your cluster. The process can take from a few seconds for a small cluster to several minutes for a larger cluster. After the process is completed, you can use the Cloudera Manager Admin Console to view the list of Kerberos principals that Cloudera Manager has created for the cluster. Make sure there are principals for each of the hosts and HDFS and MapReduce role instances on your cluster. If there are no principals after 10 minutes, then there is most likely a problem with the principal creation. See the Troubleshooting Authentication Issues section for more information. If necessary, you can use Cloudera Manager to regenerate the principals.

Managing Active Directory Account Properties

If you are using an Active Directory KDC, Cloudera Manager 5.8 (and higher) will allow you to configure Active Directory accounts and customize the credential regeneration process using the Cloudera Manager Admin Console. You can also use Cloudera Manager to configure the encryption types to be used by your Active Directory account. Once you modify any Active Directory account properties, you must regenerate Kerberos credentials to reflect those changes. The credential regeneration process requires you to delete existing accounts before new ones are created.

By default, Cloudera Manager does not delete accounts in Active Directory. Hence, to regenerate Kerberos principals contained in Active Directory, you need to manually delete the existing Active Directory accounts. You can either delete and regenerate all existing Active Directory accounts, or only delete those with the userPrincipalName (or login name) that you will later manually select for regeneration. If the accounts haven't already been deleted manually, the regeneration process will throw an error message saying that deletion of accounts is required before you proceed.

Modifying Active Directory Account Properties Using Cloudera Manager

If you are using an Active Directory KDC, you can configure Active Directory account properties such as objectClass and accountExpires directly from the Cloudera Manager Admin Console. Any changes to these properties will be reflected in the regenerated Kerberos credentials. To configure AD account properties:
  1. Go to the Cloudera Manager Admin Console and click the Administration tab.
  2. Select Administration > Settings.
  3. Click the Kerberos category.
  4. Locate the Active Directory Account Properties and edit as required. By default, the property will be set to:
    accountExpires=0,objectClass=top,objectClass=person,objectClass=organizationalPerson,objectClass=user
  5. Locate the Active Directory Password Properties and edit the field as needed. By default, the property will be set to:
    length=12,minLowerCaseLetters=2,minUpperCaseLetters=2,minDigits=2,minSpaces=0,minSpecialChars=0,specialChars=?.!$%^*()-_+=~
  6. Click Save Changes to commit the changes.
  7. Regenerate Kerberos credentials with the new properties.

Enabling Credential Regeneration for Active Directory Accounts Using Cloudera Manager

To avoid having to delete accounts manually, use the following steps to set the Active Directory Delete Accounts on Credential Regeneration property to allow Cloudera Manager to automatically delete existing Active Directory accounts when new ones are created during regeneration. If this property is left unchecked (which is the default), Cloudera Manager will not be able to regenerate credentials automatically.

  1. Go to the Cloudera Manager Admin Console and click the Administration tab.
  2. Select Administration > Settings.
  3. Click the Kerberos category.
  4. Locate the Active Directory Delete Accounts on Credential Regeneration and check this property.
  5. Click Save Changes to commit the changes.

Configuring Encryption Types for Active Directory KDC Using Cloudera Manager

Cloudera Manager allows you to configure the encryption types (or enctype) used by an Active Directory KDC to protect its data. Cloudera supports the following encryption types:
  • rc4-hmac
  • aes128-cts
  • aes256-cts
  • des-cbc-crc
  • des-cbc-md5
To configure encryption types for an Active Directory KDC:
  1. Go to the Cloudera Manager Admin Console and click the Administration tab.
  2. Select Administration > Settings.
  3. Click the Kerberos category.
  4. Locate the Kerberos Encryption Types and click to add the encryption types you want Active Directory to use. Make sure they are on Cloudera's list of supported enctypes.
  5. Check the checkbox for the Active Directory Set Encryption Types property. This will automatically set the Cloudera Manager AD account to use the encryption types configured in the previous step.
  6. Click Save Changes to commit the changes.

Moving Kerberos Principals to Another OU Within Active Directory

If you have a Kerberized cluster configured with an Active Directory KDC, you can use the following steps to move the Kerberos principals from one AD Ogranizational Unit (OU) to another.
  1. Create the new OU on the Active Directory Server.
  2. Use AD's Delegate Control wizard to set the permissions on the new OU such that the configured Cloudera Manager admin account has the ability to Create, Delete and Manage User Accounts within this OU.
  3. Stop the cluster.
  4. Stop the Cloudera Management Service.
  5. In Active Directory, move all the Cloudera Manager and CDH components' user accounts to the new OU.
  6. Go to Cloudera Manager and go to Administration > Security.
  7. Go to the Kerberos Credentials tab and click Configuration.
  8. Select Scope > Settings.
  9. Select Category > Kerberos.
  10. Locate the Active Directory Suffix property and edit the value to reflect the new OU name.
  11. Click Save Changes to commit the changes.

Viewing and Regenerating Kerberos Credentials Using Cloudera Manager (MIT and AD)

Use the following instructions to regenerate the principals for your cluster.
  1. Select Administration > Security.
  2. The currently configured Kerberos principals are displayed under the Kerberos Credentials tab. If you are running HDFS, the hdfs/hostname and host/hostname principals are listed. If you are running MapReduce, the mapred/hostname and host/hostname principals are listed. The principals for other running services are also listed.
  3. Only if necessary, select the principals you want to regenerate.
  4. Click Regenerate.

Running the Security Inspector

The Security Inspector uses the Host Inspector to run a security-related set of commands on the hosts in your cluster. It reports on matters such as how Java is configured for encryption and on the default realms configured on each host:
  1. Select Administration > Security.
  2. Click Security Inspector. Cloudera Manager begins several tasks to inspect the managed hosts.
  3. After the inspection completes, click Download Result Data or Show Inspector Results to review the results.