Setting up trust for hybrid environments

Learn more about how to set up trust for hybrid environments.

Once the hybrid environment has been created, its status changes to Trust Setup Required. Setting up the connection between the cloud and on-premises platforms makes the Cloudera Base cluster act as the Data Lake for the hybrid cloud environment: the Cloudera Data Hub cluster created in Cloudera Hybrid Environments can then directly access data and metadata in the Cloudera on premises Data Lake cluster. This requires setting up DNS resolution and a cross-realm trust between FreeIPA in Cloudera on cloud and the DNS and KDC servers used by the Cloudera on premises cluster.

  • You must connect the cloud and on-premises environments by using one of the following options:
    • Connect the cloud and on-premises Control Plane.
    • Register the Cloudera on premises cluster as a Classic Cluster in Cloudera on cloud.

    Ensure that your Cloudera on premises cluster is registered with one of these options. The on-premises Control Plane provides additional functionalities over Classic clusters, such as Data Services and more controlled user-level access to the on-premises data lake services, but it is not mandatory for the hybrid burst to cloud use cases.

  • To have a seamless connection between Cloudera on cloud and Cloudera on premises, you must also connect the Cloudera on cloud Kerberos KDC and DNS server to the same server used by the Cloudera on premises account.

  • You must register your Cloudera on premises Control Plane in the Cloudera Hybrid Environments.

  1. Go to Cloudera Management Console for Cloudera on cloud.
  2. Go to Environments.
  3. Select the environment created in Registering Hybrid Environments.
  4. Select the Data Lake tab.
  5. Click Set Up Connection.
  6. Select the on-premises environment from the drop-down list.
    The wizard detects whether your KDC is Active Directory or MIT Kerberos. If the detection is wrong, change it with the toggle.
  7. The wizard attempts to fetch the required information. If it cannot, fill in the following required fields:
    KDC IP address
    This is the specific IP address of the Domain Controller responsible for authentication and other directory services. You can find this by running nslookup on your KDC FQDN.
    KDC FQDN
    The Fully Qualified Domain Name (FQDN) is the complete domain name for your KDC, such as corp.example.com. It uniquely identifies your domain on the Internet.
    KDC Realm
    The KDC REALM is typically your domain name, but entered in all capital letters (for example, CORP.EXAMPLE.COM). It is used for Kerberos authentication to identify the specific security domain.
    DNS server IP address
    IP address of the DNS server that can resolve the on-premises Data Lake endpoints and the KDC server.
  8. Click Validate and Configure.
  9. In the Authorize On-Premises Components section, under Kerberos, click Show Instructions.
    1. Run the commands in section 1 on your KDC. Click the Copy button on the right edge of the commands field, or use the Download button to download the commands.
      • Active Directory: run the commands in a command prompt with administrative rights on the Active Directory instance. Log in as a user with Domain Administrator, Enterprise Administrator, or equivalent elevated privileges.
      • MIT KDC: run the commands in a command prompt with administrative rights on the MIT KDC instance.
    2. Add the DNS Forward Zone in section 2 to your DNS server with the provided domain and IP address.
  10. In the Authorize On-Premises Components section, under On-premises Data Lake, click Show Instructions.
  11. Click the Copy button on the right edge of the commands field, or you can use the Download button to download the commands.
  12. Run the commands from Step 10 to create the krb5.conf file in the krb5.conf.d directory on Cloudera on premises. The Kerberos service will automatically process it.
  13. Configure the trusted realms service setting in Cloudera Manager on-premises as described in the Adding trusted realms to the cluster section of the Cloudera Base on premises documentation.
  14. Click Validate and Configure.
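The following script is an added example and not the commands that the Cloudera wizard generates. It sanity-checks the four step 7 fields (KDC IP address, KDC FQDN, KDC realm, DNS server IP address) before they are entered, shows the shape of the realm declaration that a krb5.conf.d drop-in of the kind created in step 12 carries for a peer realm, and checks the one thing that silently breaks step 12: a krb5.conf without an includedir line for krb5.conf.d never reads the drop-in. All realm names, host names, IP addresses and the function names are constructed placeholders; the page does not name the FreeIPA realm.

```sh
#!/bin/sh
# Added example; not the commands the Cloudera wizard generates. It sanity-checks the
# four step-7 fields before they are typed into the wizard and shows the shape of the
# realm declaration that a krb5.conf.d drop-in (step 12) carries for a peer realm.
# Every value below is a constructed placeholder.

# Return 0 when $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Return 0 when the lower-cased realm is the KDC FQDN itself or a DNS suffix of it,
# e.g. CORP.EXAMPLE.COM covers both corp.example.com and dc01.corp.example.com.
realm_covers_fqdn() {
  realm_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  fqdn_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$fqdn_lc" = "$realm_lc" ] && return 0
  case $fqdn_lc in
    *."$realm_lc") return 0 ;;
  esac
  return 1
}

# Check realm, KDC FQDN, KDC IP and DNS IP together; report every problem, return 1 on any.
check_trust_inputs() {
  realm=$1; kdc_fqdn=$2; kdc_ip=$3; dns_ip=$4; rc=0
  is_ipv4 "$kdc_ip" || { echo "KDC IP address is not a valid IPv4 address: $kdc_ip" >&2; rc=1; }
  is_ipv4 "$dns_ip" || { echo "DNS server IP address is not a valid IPv4 address: $dns_ip" >&2; rc=1; }
  [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] \
    || { echo "KDC realm must be upper case: $realm" >&2; rc=1; }
  realm_covers_fqdn "$realm" "$kdc_fqdn" \
    || { echo "KDC realm $realm does not match KDC FQDN $kdc_fqdn" >&2; rc=1; }
  return $rc
}

# Print a krb5.conf.d-style fragment declaring realm $1 with KDC $2 and mapping the
# realm's DNS domain onto it. Same shape on either side of the trust; illustrative only.
render_realm_snippet() {
  realm=$1; kdc_fqdn=$2
  domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  printf '[realms]\n  %s = {\n    kdc = %s\n    admin_server = %s\n  }\n\n' \
    "$realm" "$kdc_fqdn" "$kdc_fqdn"
  printf '[domain_realm]\n  .%s = %s\n  %s = %s\n' "$domain" "$realm" "$domain" "$realm"
}

# Return 0 when krb5.conf $1 has an includedir line for a krb5.conf.d directory. Without
# it, a drop-in placed in krb5.conf.d is never read, however correct its content.
krb5_conf_includes_dropin_dir() {
  grep -Eq '^[[:space:]]*includedir[[:space:]]+[^[:space:]]*krb5\.conf\.d/?[[:space:]]*$' "$1"
}

# Constructed values standing in for the step-7 fields of an on-premises AD/MIT KDC.
KDC_REALM=CORP.EXAMPLE.COM
KDC_FQDN=dc01.corp.example.com
KDC_IP=10.20.30.40
DNS_IP=10.20.30.53

# Stand-alone run: validate the inputs, then show a drop-in for a hypothetical cloud
# (FreeIPA) realm as the on-premises side would need it.
if check_trust_inputs "$KDC_REALM" "$KDC_FQDN" "$KDC_IP" "$DNS_IP"; then
  echo "step-7 inputs are consistent"
  render_realm_snippet CLOUD.EXAMPLE.COM ipa.cloud.example.com
fi
```

Run the realm and address checks against the values you intend to enter in step 7, and run the includedir check against /etc/krb5.conf on the on-premises hosts before step 12; the rendered fragment only illustrates what a peer-realm declaration looks like, and the wizard's own commands remain the source of the real content.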

When the connection is successful, the data lake services are listed, and the cross-realm setup is finished.
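A successful wizard run shows that the control planes agree; confirming that Kerberos itself honours the trust is a separate check, and the following script is an added example of it rather than anything from the Cloudera documentation. It checks a ticket cache in the direction the page describes: a principal in the cloud (FreeIPA) realm obtains a cross-realm TGT for the on-premises realm and then a service ticket for an on-premises Data Lake service. The realm names, host names, principal, and the klist output embedded below are constructed placeholders, as are the function names; the page does not name the FreeIPA realm.

```sh
#!/bin/sh
# Added example, not from the Cloudera documentation. After the wizard reports the
# trust as configured, confirm it end to end from a cloud-side node: a principal in the
# cloud (FreeIPA) realm must receive a cross-realm TGT for the on-premises realm and then
# a service ticket for an on-premises service. Realm names, host names and the klist
# output below are constructed placeholders.

# Live sequence on a Data Hub node (kinit, kvno and klist are the standard MIT tools):
#   kinit alice@CLOUD.EXAMPLE.COM
#   kvno hdfs/dl-master.corp.example.com@CORP.EXAMPLE.COM
#   klist | trust_status CLOUD.EXAMPLE.COM CORP.EXAMPLE.COM

# Return 0 when klist output on stdin contains the cross-realm TGT
# krbtgt/<remote realm>@<local realm>, which the local KDC issues only once it has a
# trust for the remote realm.
has_cross_realm_tgt() {
  grep -Fq "krbtgt/$1@$2"
}

# Read klist output from stdin and print one status word:
#   no-local-tgt        - no TGT in the local realm; kinit did not succeed
#   no-cross-realm-tgt  - local TGT only; the local KDC has no trust for the remote realm
#   no-remote-service   - cross-realm TGT present but no service ticket in the remote
#                         realm (remote KDC or its DNS name unreachable, or the service
#                         principal is unknown there)
#   trusted             - all three tickets present
# Returns 0 only for "trusted".
trust_status() {
  local_realm=$1; remote_realm=$2
  cache=$(cat)
  if ! printf '%s\n' "$cache" | grep -Fq "krbtgt/$local_realm@$local_realm"; then
    echo no-local-tgt; return 1
  fi
  if ! printf '%s\n' "$cache" | has_cross_realm_tgt "$remote_realm" "$local_realm"; then
    echo no-cross-realm-tgt; return 1
  fi
  if ! printf '%s\n' "$cache" | grep -v 'krbtgt/' | grep -Fq "@$remote_realm"; then
    echo no-remote-service; return 1
  fi
  echo trusted
}

# Constructed klist output from a cloud-realm principal after a successful kvno against
# an on-premises HDFS service (dates are placeholders).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CLOUD.EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2025 09:00:00  01/01/2025 19:00:00  krbtgt/CLOUD.EXAMPLE.COM@CLOUD.EXAMPLE.COM
01/01/2025 09:00:05  01/01/2025 19:00:00  krbtgt/CORP.EXAMPLE.COM@CLOUD.EXAMPLE.COM
01/01/2025 09:00:05  01/01/2025 19:00:00  hdfs/dl-master.corp.example.com@CORP.EXAMPLE.COM'

# The same cache before the trust existed: kinit worked, kvno failed, only the local TGT.
SAMPLE_KLIST_NO_TRUST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CLOUD.EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2025 09:00:00  01/01/2025 19:00:00  krbtgt/CLOUD.EXAMPLE.COM@CLOUD.EXAMPLE.COM'

# Stand-alone run over both constructed caches; the second is expected to report
# no-cross-realm-tgt, so its non-zero status is ignored here.
printf '%s\n' "$SAMPLE_KLIST" | trust_status CLOUD.EXAMPLE.COM CORP.EXAMPLE.COM
printf '%s\n' "$SAMPLE_KLIST_NO_TRUST" | trust_status CLOUD.EXAMPLE.COM CORP.EXAMPLE.COM || :
```

The status word tells you which side to look at: no-cross-realm-tgt points at the FreeIPA side of the trust (steps 8 and 9), while no-remote-service points at name resolution of the on-premises KDC and Data Lake endpoints (the DNS forward zone) or at the on-premises realm's acceptance of the cloud realm (steps 12 and 13).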

You can start creating Cloudera Data Hub clusters in your hybrid cloud environment.