This is the documentation for Cloudera Manager 5.0.x. Documentation for other versions is available at Cloudera Documentation.

Using Cloudera Manager to Configure Hadoop Security

Important: Ensure you have secured communication between the Cloudera Manager Server and Agents before you enable Kerberos on your cluster. Kerberos keytabs are sent from the Cloudera Manager Server to the Agents, and must be encrypted to prevent potential misuse of leaked keytabs. For secure communication, you should have at least Level 1 TLS enabled as described in Configuring TLS Security for Cloudera Manager (Level 1).

Here are the general steps to using Cloudera Manager to configure Hadoop security on your cluster, each of which is described in more detail in the following sections:

Step 1: Install Cloudera Manager and CDH
Step 2: Set up a Cluster-dedicated KDC and Default Domain for the Hadoop Cluster
Step 3: If You are Using AES-256 Encryption, Install the JCE Policy File
Step 4: Get or Create a Kerberos Principal and Keytab File for the Cloudera Manager Server
Step 5: Deploying the Cloudera Manager Server Keytab
Step 6: Configure the Kerberos Default Realm in the Cloudera Manager Admin Console
Step 7: Stop All Services
Step 8: Enable Hadoop Security
Step 9: Wait for the Generate Credentials Command to Finish
Step 10: Enable Hue to Work with Hadoop Security using Cloudera Manager
Step 11: (Flume Only) Use Substitution Variables for the Kerberos Principal and Keytab
Step 12: (CDH 4.0 and 4.1 only) Configure Hue to Use a Local Hive Metastore
Step 13: Start All Services
Step 14: Deploy Client Configurations
Step 15: Create the HDFS Superuser Principal
Step 16: Get or Create a Kerberos Principal or Keytab for Each User Account
Step 17: Prepare the Cluster for Each User
Step 18: Verify that Kerberos Security is Working
Step 19: (Optional) Enable Authentication for HTTP Web Consoles for Hadoop Roles

Page generated September 3, 2015.