Enabling Kerberos Authentication Using Cloudera Manager
Important: Ensure you have secured communication between the
Cloudera Manager Server and Agents before you enable Kerberos on your cluster. Kerberos
keytabs are sent from the Cloudera Manager Server to the Agents, and must be encrypted to
prevent potential misuse of leaked keytabs. For secure communication, you should have at least Level 1 TLS enabled as described in Configuring TLS Security for Cloudera Manager (Level 1).
This guide describes how to use Cloudera Manager and the Kerberos wizard (introduced in Cloudera Manager 5.1.0) to automate many of the manual tasks of implementing Kerberos security on your CDH cluster.
- Prerequisites - These instructions assume you know how to install and configure Kerberos, you already have a working Kerberos key distribution center (KDC) and realm setup, and that you've installed the Kerberos client packages on all cluster hosts and hosts that will be used to access the cluster. Furthermore, Oozie and Hue require that the realm support renewable tickets. Cloudera Manager supports setting up kerberized clusters with MIT KDC and Active Directory.
  For more information about using Active Directory, see the Microsoft AD documentation.
  For more information about installing and configuring MIT KDC, see:
- Support
  - Kerberos security in Cloudera Manager has been tested on the following version of MIT Kerberos 5:
    - krb5-1.6.1 on Red Hat Enterprise Linux 5 and CentOS 5
  - Kerberos security in Cloudera Manager is supported on the following versions of MIT Kerberos 5:
    - krb5-1.6.3 on SUSE Linux Enterprise Server 11 Service Pack 1
    - krb5-1.8.1 on Ubuntu
    - krb5-1.8.2 on Red Hat Enterprise Linux 6 and CentOS 6
    - krb5-1.9 on Red Hat Enterprise Linux 6.1
- Step 1: Install Cloudera Manager and CDH
- Step 2: If You are Using AES-256 Encryption, Install the JCE Policy File
- Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server
- Step 4: Enabling Kerberos Using the Wizard
- Step 5: Create the HDFS Superuser
- Step 6: Get or Create a Kerberos Principal for Each User Account
- Step 7: Prepare the Cluster for Each User
- Step 8: Verify that Kerberos Security is Working