Cloudera Docs

Configuring Kerberos

All Cloudera Operational Databases (CODs) are secured with Kerberos-based authentication, which means only authorized users can connect to your database. All HBase and Phoenix Thick JDBC clients must have a Kerberos configuration on the host where they run a client.

  1. Run the following command to obtain the necessary Kerberos information and a sufficient krb5.conf file encoded with Base64. 
    $ cdp opdb describe-client-connectivity --environment-name [***YOUR ENVIRONMENT***] \
		--database-name [***YOUR DATABASE NAME***] | jq -r \
		‘.kerberosConfiguration.krb5Conf’ | base64 --decode
  2. Copy the output of the command.
  3. Add the contents into the /etc/krb5.conf file on your instance.
Validate that Kerberos is correctly set up. Use the kinit command to validate that you are able to obtain a Kerberos ticket.
$ kinit [***CDP WORKLOAD NAME***]
Password: [***CDP WORKLOAD PASSWORD***]

For more information, see CDP workload user and Setting the workload password.

If you successfully authenticate, you do not receive an error and can validate that you have a ticket using the klist command. For more information, see Installing CDP CLI beta.

After configuring the Kerberos successfully, you must compile your instance or application against the COD database. For more information, see Compiling Applications.