Configuring a secure Kudu cluster using Cloudera Manager
You can configure a secure Kudu cluster using Cloudera Manager. For that you need enabled Kerberos authentication and RPC encryption, configure coarse-grained authorization, and configure HTTPS encryption. Optionally you can configure custom Kerberos principal, TLS/SSL encryption or fine-grained authorization using Ranger.
Enabling Kerberos authentication and RPC encryption You must already have a secure Cloudera Manager cluster with Kerberos authentication enabled. Configuring custom Kerberos principal for Kudu You can configure a custom Kerberos principal for Kudu using Cloudera Manager. Configuring coarse-grained authorization with ACLs The coarse-grained authorization can be configured with the following two ACLs: the Superuser Access Control List and the User Access Control List. The Superuser ACL is the list of all the superusers that can access the cluster. User-level access can be controlled by using the User ACL. By default, all the users can access the clusters. But when you enable authentication using Kerberos, only the users who are able to authenticate successfully can access the cluster. Configuring TLS/SSL encryption for Kudu using Cloudera Manager TLS/SSL encryption is enabled between Kudu servers and clients by default. You can enable TLS/SSL encryption for Kudu web UIs or configure the encryption using Cloudera Manager. Enabling Ranger authorization You can configure fine-grained authorization using Apache Ranger. This topic provides the steps to enable Kudu's integration with Ranger from Cloudera Manager. Configuring HTTPS encryption Lastly, you enable TLS/SSL encryption (over HTTPS) for browser-based connections to both the Kudu master and tablet server web UIs. Configuring data at rest encryption You can enable data at rest encryption using Cloudera Manager. However, you can enable it only for a fresh installation and once Kudu directories exist on the cluster you cannot disable the encryption.