This is the documentation for Cloudera Manager 5.1.x. Documentation for other versions is available at Cloudera Documentation.

Appendix A - Manually Configuring Kerberos Using Cloudera Manager

Required Role:

Note that certain steps in the following procedure to configure Kerberos security may not be completed without Administrator role privileges.

  Important: Ensure you have secured communication between the Cloudera Manager Server and Agents before you enable Kerberos on your cluster. Kerberos keytabs are sent from the Cloudera Manager Server to the Agents, and must be encrypted to prevent potential misuse of leaked keytabs. For secure communication, you should have at least Level 1 TLS enabled as described in Configuring TLS Security for Cloudera Manager (Level 1).
  • Prerequisites - These instructions assume you know how to install and configure Kerberos, you already have a working Kerberos key distribution center (KDC) and realm setup, and that you've installed the Kerberos client packages on all cluster hosts and hosts that will be used to access the cluster. Furthermore, Oozie and Hue require that the realm support renewable tickets. Cloudera Manager supports setting up kerberized clusters with MIT KDC and Active Directory.

    For more information about using Active Directory, see the Microsoft AD documentation.

    For more information about installing and configuring MIT KDC, see:
  • Support
    • Kerberos security in Cloudera Manager has been tested on the following version of MIT Kerberos 5:
      • krb5-1.6.1 on Red Hat Enterprise Linux 5 and CentOS 5
    • Kerberos security in Cloudera Manager is supported on the following versions of MIT Kerberos 5:
      • krb5-1.6.3 on SUSE Linux Enterprise Server 11 Service Pack 1
      • krb5-1.8.1 on Ubuntu
      • krb5-1.8.2 on Red Hat Enterprise Linux 6 and CentOS 6
      • krb5-1.9 on Red Hat Enterprise Linux 6.1

Here are the general steps to using Cloudera Manager to configure Hadoop security on your cluster, each of which is described in more detail in the following sections:

Page generated September 3, 2015.