Configuring kerberized clusters for replication

To replicate HDFS or Hive data between CDP Private Cloud Base 7.1.8 or higher clusters using Kerberos authentication, you must ensure the required ports are open and the clusters are configured as required.

  1. Open the port used for the Kerberos KDC Server and KRB5 services on all the hosts on the destination cluster. By default, this is port 88.
  2. Use one of the following configurations to ensure that the realm names do not create conflicts while running replication jobs:
    • If the clusters do not use the same KDC (Kerberos Key Distribution Center), Cloudera recommends that you use different realm names for each cluster.
    • You can use the same realm name if the clusters use the same KDC or different KDCs that are part of a unified realm, for example where one KDC is the master and the other is a worker KDC.
  3. Complete the following steps on the source and destination clusters to set up trust between them, so that Replication Manager can replicate data across clusters in two different realms:
    1. On the hosts in the destination cluster, ensure that the krb5.conf file (typically located at /etc/krb5.conf) on each host has the following information:
      1. KDC information for the source cluster's Kerberos realm. For example:
        SRC.EXAMPLE.COM = {
            kdc =
            admin_server =
            default_domain =
        }
        DST.EXAMPLE.COM = {
            kdc =
            admin_server =
            default_domain =
        }
      2. Realm mapping for the source cluster domain in the [domain_realm] section. For example:
    2. On the destination cluster, perform the following steps:
      1. Search for the Trusted Kerberos Realms property on the HDFS service > Configuration tab.
      2. Enter the source cluster realm name, and click Save Changes.
      3. Search for the Domain Name(s) field in the Administration > Settings section.
      4. Enter the domain or host names you want to map to the destination cluster KDC. Add as many entries as you need.

        The entries in this property are used to generate the domain_realm section in the krb5.conf file.

      5. Click Save Changes.
      6. Remove the domain_realm entries in the Advanced Configuration Snippet (Safety Valve) for remaining krb5.conf property.
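
A check for step 3.1, added here as an example and not part of the original Cloudera page: this Python script parses a destination host's krb5.conf and reports whether the source realm stanza and its [domain_realm] mapping are present and filled in. The realm names follow the page's example; the host names, ports, function names and the sample file are constructed for illustration.

```python
# Constructed sample of a destination host's krb5.conf; host names are made up.
SAMPLE_KRB5 = """\
[realms]
 SRC.EXAMPLE.COM = {
  kdc = kdc01.src.example.com:88
  admin_server = kdc01.src.example.com:749
  default_domain = src.example.com
 }
 DST.EXAMPLE.COM = {
  kdc = kdc01.dst.example.com:88
  admin_server = kdc01.dst.example.com:749
  default_domain = dst.example.com
 }
[domain_realm]
 .src.example.com = SRC.EXAMPLE.COM
"""

def parse_krb5(text):
    """Return ({realm: {key: value}}, {domain: realm}) parsed from krb5.conf text."""
    realms, domain_realm, section, stanza = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or whole-line comment
        if line.startswith("[") and line.endswith("]"):
            section, stanza = line[1:-1].strip(), None
        elif line == "}":
            stanza = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                stanza = realms.setdefault(key, {})  # start of a realm stanza
            elif section == "realms" and stanza is not None and value:
                stanza[key] = value  # empty values are treated as missing
            elif section == "domain_realm" and value:
                domain_realm[key.lower()] = value
    return realms, domain_realm

def check_cross_realm(text, src_realm, src_domain):
    """Return the gaps found for the source realm; an empty list means OK."""
    realms, domain_realm = parse_krb5(text)
    if src_realm not in realms:
        problems = [f"[realms] has no stanza for {src_realm}"]
    else:
        problems = [f"{src_realm}: '{key}' is missing or empty"
                    for key in ("kdc", "admin_server", "default_domain")
                    if key not in realms[src_realm]]
    dom = src_domain.lower()
    if src_realm not in (domain_realm.get(dom), domain_realm.get("." + dom)):
        problems.append(f"[domain_realm] does not map {src_domain} to {src_realm}")
    return problems
```

Run `check_cross_realm(open("/etc/krb5.conf").read(), "SRC.EXAMPLE.COM", "src.example.com")` on each destination host with your own realm and domain; an empty list means the entries that step 3.1 asks for are in place.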