Why Use Cloudera Manager to Implement Hadoop Security?
If you don't use Cloudera Manager to implement Hadoop security, you must manually create and deploy the Kerberos principals and keytabs on every host machine in your cluster. If you have a large number of hosts, this can be a time-consuming and error-prone process, as described in the CDH3 Security Guide and CDH4 Security Guide. After creating and deploying the keytabs, you must also manually configure properties in the core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg files on every machine in the cluster to enable and configure Hadoop security in HDFS and MapReduce. You must also manually configure properties in the oozie-site.xml and hue.ini files on certain cluster machines to enable and configure Hadoop security in Oozie and Hue.
Cloudera Manager enables you to automate all of those manual tasks. Cloudera Manager can automatically create and deploy a keytab file for the hdfs user and a keytab file for the mapred user on every machine in your cluster, as well as keytab files for the oozie and hue users on select machines. The hdfs keytab file contains entries for the hdfs principal and a host principal, and the mapred keytab file contains entries for the mapred principal and a host principal. The host principal will be the same in both keytab files. The oozie keytab file contains entries for the oozie principal and an HTTP principal. The hue keytab file contains an entry for the hue principal. Cloudera Manager can also automatically configure the appropriate properties in the core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg files on every machine in the cluster, and the appropriate properties in oozie-site.xml and hue.ini for select machines. Lastly, Cloudera Manager can automatically start up the NameNode, DataNode, Secondary NameNode, JobTracker, TaskTracker, Oozie Server, and Hue roles once all the appropriate configuration changes have been made.
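
Whether keytabs are deployed by hand or by Cloudera Manager, the layout described above can be audited from the output of `klist -k` run against each keytab file. The following is an added example, not code from Cloudera or from this guide; it assumes principals follow the `service/host@REALM` form, and the host names, realm and sample output are constructed placeholders.

```python
import re

# Short names each keytab must hold, as listed in the section above.
EXPECTED = {
    "hdfs": {"hdfs", "host"},
    "mapred": {"mapred", "host"},
    "oozie": {"oozie", "HTTP"},
    "hue": {"hue"},
}
ENTRY = re.compile(r"^\s*\d+\s+(\S+@\S+)")  # "<kvno> <principal>" rows of `klist -k`

def principals(klist_output):
    """Set of principals in `klist -k` output (duplicate enctype rows collapse)."""
    found = set()
    for line in klist_output.splitlines():
        match = ENTRY.match(line)
        if match:
            found.add(match.group(1))
    return found

def check_keytab(service, klist_output):
    """Problems for one keytab; an empty list means it matches the description."""
    names = {p.split("@", 1)[0].split("/", 1)[0] for p in principals(klist_output)}
    want = EXPECTED[service]
    return ([f"{service}: missing {n} principal" for n in sorted(want - names)]
            + [f"{service}: unexpected {n} principal" for n in sorted(names - want)])

def host_principals_match(hdfs_output, mapred_output):
    """True when both keytabs carry the same, non-empty set of host principals."""
    a = {p for p in principals(hdfs_output) if p.startswith("host/")}
    b = {p for p in principals(mapred_output) if p.startswith("host/")}
    return bool(a) and a == b

# Constructed sample output; host names and realm are placeholders.
HEADER = "Keytab name: FILE:sample.keytab\nKVNO Principal\n---- ---------\n"
HDFS = HEADER + "   1 hdfs/node1.example.com@EXAMPLE.COM\n   1 host/node1.example.com@EXAMPLE.COM\n"
MAPRED = HEADER + "   1 mapred/node1.example.com@EXAMPLE.COM\n   1 host/node1.example.com@EXAMPLE.COM\n"
MAPRED_WRONG_HOST = MAPRED.replace("host/node1", "host/node2")
OOZIE_NO_HTTP = HEADER + "   1 oozie/node1.example.com@EXAMPLE.COM\n"

if __name__ == "__main__":
    for svc, out in [("hdfs", HDFS), ("mapred", MAPRED), ("oozie", OOZIE_NO_HTTP)]:
        print(svc, check_keytab(svc, out) or "ok")
    print("host principal shared:", host_principals_match(HDFS, MAPRED))
```

An "unexpected" finding is worth following up as well as a "missing" one, since a keytab holding more principals than its service needs gives that service account more identities than the section describes.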