Step 8: Enable Hadoop Security
To enable Hadoop security for the cluster, you enable it on an HDFS service. After you do so, the Cloudera Manager Server automatically enables Hadoop security on the MapReduce and YARN services associated with that HDFS service.
- Navigate to the HDFS Service > Configuration tab and click View and Edit.
- In the Search field, type Hadoop Secure to show the Hadoop security properties (found under the Service-Wide > Security category).
- Click the value for the Hadoop Secure Authentication property and select the kerberos option to enable Hadoop security on the selected HDFS service.
- Click the value for the Hadoop Secure Authorization property and select the checkbox to enable service-level authorization on the selected HDFS service. You can specify comma-separated lists of users and groups authorized to use Hadoop services and/or perform admin operations using the following properties under the Service-Wide > Security section:
- Authorized Users: Comma-separated list of users authorized to use Hadoop services.
- Authorized Groups: Comma-separated list of groups authorized to use Hadoop services.
- Authorized Admin Users: Comma-separated list of users authorized to perform admin operations on Hadoop.
- Authorized Admin Groups: Comma-separated list of groups authorized to perform admin operations on Hadoop.
Important: For Cloudera Manager's Monitoring services to work, the hue user should always be added as an authorized user.
- In the Search field, type DataNode Transceiver to find the DataNode Transceiver Port property.
- Click the value for the DataNode Transceiver Port property and specify a privileged port number (below 1024). Cloudera recommends 1004.
Note: If there is more than one DataNode Role Group, you must specify a privileged port number for each DataNode Transceiver Port property.
- In the Search field, type DataNode HTTP to find the DataNode HTTP Web UI Port property and specify a privileged port number (below 1024). Cloudera recommends 1006.
Note: The port numbers for these two DataNode properties must be below 1024 because only root can bind a privileged port; this is part of the security mechanism that makes it impossible for a user to run a MapReduce task that impersonates a DataNode. The port numbers for the NameNode and Secondary NameNode can be anything you want, but the default port numbers are good ones to use.
- In the Search field, type Data Directory Permissions to find the DataNode Data Directory Permissions property.
- Reset the value for the DataNode Data Directory Permissions property to the default value of 700 if not already set to that.
- Make sure you have changed the DataNode Transceiver Port, DataNode Data Directory Permissions and DataNode HTTP Web UI Port properties for every DataNode role group.
- Click Save Changes to save the configuration settings.
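Cloudera Manager writes the settings above into the standard Hadoop properties (hadoop.security.authentication and hadoop.security.authorization in core-site.xml; dfs.datanode.address, dfs.datanode.http.address and dfs.datanode.data.dir.perm in hdfs-site.xml). The following script is an added example, not Cloudera code: it parses Hadoop-style XML and reports every invariant from this step that does not hold (Kerberos authentication on, authorization on, both DataNode ports below 1024, data directory permissions 700). The XML documents embedded in it are constructed samples of a secured and an unsecured configuration, not files taken from a real cluster; point parse_hadoop_xml at the deployed files to check a real one.

```python
# Added example (not Cloudera's code): validate the Hadoop configuration that
# the steps above produce.  Cloudera Manager writes these GUI settings into the
# standard Hadoop XML properties named below; the XML documents here are
# constructed samples, not files taken from a real cluster.
import xml.etree.ElementTree as ET

# Constructed: what core-site.xml should contain once Hadoop Secure
# Authentication = kerberos and Hadoop Secure Authorization is checked.
CORE_SITE_SECURE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""

# Constructed: the insecure defaults (before Step 8 is carried out).
CORE_SITE_DEFAULT = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
</configuration>"""

# Constructed: hdfs-site.xml with the privileged DataNode ports (1004, 1006)
# and the 700 data directory permissions recommended above.
HDFS_SITE_SECURE = """<configuration>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:1004</value></property>
  <property><name>dfs.datanode.http.address</name><value>0.0.0.0:1006</value></property>
  <property><name>dfs.datanode.data.dir.perm</name><value>700</value></property>
</configuration>"""

# Constructed: unprivileged default ports and permissive data directories.
HDFS_SITE_DEFAULT = """<configuration>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:50010</value></property>
  <property><name>dfs.datanode.http.address</name><value>0.0.0.0:50075</value></property>
  <property><name>dfs.datanode.data.dir.perm</name><value>755</value></property>
</configuration>"""


def parse_hadoop_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style XML document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None and value is not None:
            props[name.strip()] = value.strip()
    return props


def port_of(address):
    """Extract the TCP port from 'host:port' (also handles '[::]:port')."""
    return int(address.rsplit(":", 1)[1])


def check_hadoop_security(core_site, hdfs_site):
    """Return a list of findings; an empty list means every invariant holds."""
    findings = []

    auth = core_site.get("hadoop.security.authentication", "simple").lower()
    if auth != "kerberos":
        findings.append(f"hadoop.security.authentication is '{auth}', expected 'kerberos'")

    authz = core_site.get("hadoop.security.authorization", "false").lower()
    if authz != "true":
        findings.append("hadoop.security.authorization is not enabled")

    # Secure DataNodes must bind privileged ports so that only root can start
    # something that looks like a DataNode (see the note on the ports above).
    for key in ("dfs.datanode.address", "dfs.datanode.http.address"):
        address = hdfs_site.get(key)
        if address is None:
            findings.append(f"{key} is not set")
            continue
        port = port_of(address)
        if port >= 1024:
            findings.append(f"{key} uses unprivileged port {port}; must be below 1024")

    # Hadoop's built-in default is 700; anything looser exposes block files on
    # disk to other local users.
    perm = hdfs_site.get("dfs.datanode.data.dir.perm", "700")
    if perm != "700":
        findings.append(f"dfs.datanode.data.dir.perm is {perm}, expected 700")

    return findings


if __name__ == "__main__":
    for label, core, hdfs in (
        ("secure", CORE_SITE_SECURE, HDFS_SITE_SECURE),
        ("default", CORE_SITE_DEFAULT, HDFS_SITE_DEFAULT),
    ):
        problems = check_hadoop_security(parse_hadoop_xml(core), parse_hadoop_xml(hdfs))
        print(f"{label}: {'OK' if not problems else 'FINDINGS'}")
        for p in problems:
            print("  -", p)
```

Run it against the copies of core-site.xml and hdfs-site.xml that Cloudera Manager deploys for each DataNode role group: the script flags the unsecured defaults with five findings and passes the secured sample cleanly, and it treats a missing DataNode address as a finding rather than assuming a default.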
To enable ZooKeeper security:
- Navigate to the ZooKeeper Service > Configuration tab and click View and Edit.
- Click the value for Enable Kerberos Authentication property.
- Click Save Changes to save the configuration settings.
To enable HBase security:
- Navigate to the HBase Service > Configuration tab and click View and Edit.
- In the Search field, type HBase Secure to show the HBase security properties (found under the Service-Wide > Security category).
- Click the value for the HBase Secure Authorization property and select the checkbox to enable authorization on the selected HBase service.
- Click the value for the HBase Secure Authentication property and select kerberos to enable Kerberos authentication on the selected HBase service.
- Click Save Changes to save the configuration settings.
(CDH 4.3 or later) To enable Solr security:
- Navigate to the Solr Service > Configuration tab and click View and Edit.
- In the Search field, type Solr Secure to show the Solr security properties (found under the Service-Wide > Security category).
- Click the value for the Solr Secure Authentication property and select kerberos to enable Kerberos authentication on the selected Solr service.
- Click Save Changes to save the configuration settings.
Note: If you use the Cloudera Manager Admin Console to generate a client configuration file after you enable Hadoop security on your cluster, the generated configuration file will not contain the Kerberos principal and keytab file that end users need to authenticate. Users must obtain a Kerberos principal and keytab file from your Kerberos administrator and then run the kinit command themselves.