Step 4: Enabling Kerberos Using the Wizard
Minimum Required Role: Full Administrator
- Go to the Cloudera Manager Admin Console and click to the right of the cluster for which you want to enable Kerberos authentication.
- Select Enable Kerberos.
The steps below instructions will guide you through the wizard to secure your cluster.
Before you Begin Using the Wizard
- Set up a working KDC. Cloudera Manager supports authentication with MIT KDC and Active Directory.
- Configure the KDC to allow renewable tickets with non-zero ticket lifetimes.
Active Directory allows renewable tickets with non-zero lifetimes by default. You can verify this by checking
in Active Directory.For MIT KDC, make sure you have the following lines in the kdc.conf.max_life = 1d max_renewable_life = 7d
- If you are using Active Directory, make sure LDAP over TLS/SSL (LDAPS) is enabled for the Domain Controllers.
- Hostnames must be in lowercase. If you use uppercase letters in any hostname, the cluster services will not start after enabling Kerberos.
- Install the OS-specific packages for your cluster listed in the table:
OS Packages Required RHEL 7 Compatible, RHEL 6 Compatible - openldap-clients on the Cloudera Manager Server host
- krb5-workstation, krb5-libs on ALL hosts
SLES - openldap2-client on the Cloudera Manager Server host
- krb5-client on ALL hosts
Ubuntu - ldap-utils on the Cloudera Manager Server host
- krb5-user on ALL hosts
Windows - krb5-workstation, krb5-libs on ALL hosts
- Create an account for Cloudera Manager that has the permissions to create other accounts in the KDC. This should have been completed as part of Step 3: Create the Kerberos Principal for Cloudera Manager Server.
Once you are able to check all the items on this list, click Continue.
KDC Information
Click Continue to proceed.
KRB5 Configuration
Manage krb5.conf through Cloudera Manager allows you to choose whether Cloudera Manager should deploy the krb5.conf on your cluster or not. If left unchecked, you must ensure that the krb5.conf is deployed on all hosts in the cluster, including the Cloudera Manager Server's host.
If you check Manage krb5.conf through Cloudera Manager, this page will let you configure the properties that will be emitted in it. In particular, the safety valves on this page can be used to configure cross-realm authentication. More information can be found at Configuring a Dedicated MIT KDC for Cross-Realm Trust.
Click Continue to proceed.
Import KDC Account Manager Credentials
Enter the username and password for the user that can create principals for CDH cluster in the KDC. This is the user/principal you created in Step 3: Create the Kerberos Principal for Cloudera Manager Server. Cloudera Manager encrypts the username and password into a keytab and uses it as needed to create new principals.
Click Continue to proceed.
(Optional) Configuring Custom Kerberos Principals
You can configure custom service principals for CDH services. Before you begin making configuration changes, see Customizing Kerberos Principals for some additional configuration changes required and limitations.
Configure HDFS DataNode Ports
On this page, specify the privileged ports needed by the DataNode's Transceiver Protocol and the HTTP Web UI in a secure cluster.
Use the checkbox to confirm you are ready to restart the cluster. Click Continue.
Enabling Kerberos
This page lets you track the progress made by the wizard as it first stops all services on your cluster, deploys the krb5.conf, generates keytabs for other CDH services, deploys client configuration and finally restarts all services. Click Continue.
Congratulations
The final page lists the cluster(s) for which Kerberos has been successfully enabled. Click Finish to return to the Cloudera Manager Admin Console home page.