Viewing and Regenerating Kerberos Principals
As soon as you enable Hadoop secure authentication for HDFS and MapReduce service instances, Cloudera Manager starts creating the Kerberos principals for each of the role instances. The amount of time this process will take depends on the number of hosts and HDFS and MapReduce role instances on your cluster. The process can take from a few seconds for a small cluster to several minutes for a larger cluster. After the process is completed, you can use the Cloudera Manager Admin Console to view the list of Kerberos principals that Cloudera Manager has created for the cluster. Make sure there are principals for each of the hosts and HDFS and MapReduce role instances on your cluster. If there are no principals after 10 minutes, then there is most likely a problem with the principal creation. See the Troubleshooting Kerberos Security Issues section below for more information. If necessary, you can use Cloudera Manager to regenerate the principals.
- Regenerate principals using the following steps in the Cloudera Manager Admin Console and not directly using kadmin shell.
- Do not regenerate the principals for your cluster unless you have made a global configuration change. Before regenerating, be sure to read Appendix B - Set up a Cluster-dedicated MIT KDC and Default Domain for the Hadoop Cluster to avoid making your existing host keytabs invalid.
- If you are using Active Directory, delete the AD accounts with the userPrincipalName (or login names) that you want to manually regenerate before continuing with the steps below.
To view and regenerate the Kerberos principals for your cluster:
- Select .
- The currently configured Kerberos principals are displayed. If you are running HDFS, the hdfs/hostname and host/hostname principals are listed. If you are running MapReduce, the mapred/hostname and host/hostname principals are listed. The principals for other running services are also listed.
- Only if necessary, select the principals you want to regenerate.
- Click Regenerate.
<< Step 8: Verify that Kerberos Security is Working | Configuring LDAP Group Mappings >> | |