This is the documentation for CDH 4.6.0.
Documentation for other versions is available at Cloudera Documentation.

Flume Security Configuration

Flume agents have the ability to store data on an HDFS filesystem configured with Hadoop security. The Kerberos system and protocols authenticate communications between clients and services. Hadoop clients include users and MapReduce jobs on behalf of users, and the services include HDFS and MapReduce. Flume acts as a Kerberos principal (user) and needs Kerberos credentials to interact with the Kerberos security-enabled service. Authenticating a user or a service can be done using a Kerberos keytab file. This file contains a key that is used to obtain a ticket-granting ticket (TGT). The TGT is used to mutually authenticate the client and the service via the Kerberos KDC.

The following sections describe how to use Flume 1.3.x and CDH4 with Kerberos security on your Hadoop cluster:
  Important:

To enable Flume to work with Kerberos security on your Hadoop cluster, make sure you perform the installation and configuration steps in Configuring Hadoop Security in CDH4.

  Note:

These instructions have been tested with CDH4 and MIT Kerberos 5 only. The following instructions describe an example of how to configure a Flume agent to be a client as the user flume to a secure HDFS service. This section does not describe how to secure the communications between Flume agents, which is not currently implemented.