Configuring Kerberos

All Cloudera Operational Databases (CODs) are secured with Kerberos-based authentication, meaning that only authorized users can connect to your database. All HBase and Phoenix Thick JDBC clients must have a proper Kerberos configuration on the host where they run a client.

  1. Run the following command to obtain the necessary Kerberos information and a sufficient krb5.conf file encoded with Base64 :
    $ cdp opdb describe-client-connectivity --environment-name [***YOUR ENVIRONMENT***] \
    		--database-name [***YOUR DATABASE NAME***] | jq -r \
    		‘.kerberosConfiguration.krb5Conf’ | base64 --decode
    
  2. Copy the output of the command.
  3. Add the contents into the /etc/krb5.conf file on your edge node.
Validate that Kerberos is correctly set up. Use the kinit command to validate that you are able to obtain a Kerberos ticket:
$ kinit [***CDP WORKLOAD NAME***]
Password: [***CDP WORKLOAD PASSWORD***]

For more information, see CDP workload user and Setting the workload password.

If you successfully authenticate, you will not receive an error and will be able to validate that you have a ticket using the klist command. For more information, see Installing CDP CLI beta.