Configuring Authentication in Cloudera Manager
Why Use Cloudera Manager to Implement Kerberos Authentication?
If you don't use Cloudera Manager to implement Hadoop security, you must manually create and deploy the Kerberos principals and keytabs on every host in your cluster. If you have a large number of hosts, this can be a time-consuming and error-prone process. After creating and deploying the keytabs, you must also manually configure properties in the core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg files on every host in the cluster to enable and configure Hadoop security in HDFS and MapReduce. You must also manually configure properties in the oozie-site.xml and hue.ini files on certain cluster hosts in order to enable and configure Hadoop security in Oozie and Hue.
Cloudera Manager enables you to automate all of those manual tasks. Cloudera Manager can automatically create and deploy a keytab file for the hdfs user and a keytab file for the mapred user on every host in your cluster, as well as keytab files for the oozie and hue users on select hosts. The hdfs keytab file contains entries for the hdfs principal and a host principal, and the mapred keytab file contains entries for the mapred principal and a host principal. The host principal will be the same in both keytab files. The oozie keytab file contains entries for the oozie principal and an HTTP principal. The hue keytab file contains an entry for the hue principal. Cloudera Manager can also automatically configure the appropriate properties in the core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg files on every host in the cluster, and the appropriate properties in oozie-site.xml and hue.ini for select hosts. Lastly, Cloudera Manager can automatically start up the NameNode, DataNode, Secondary NameNode, JobTracker, TaskTracker, Oozie Server, and Hue roles once all the appropriate configuration changes have been made.
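The keytab contents listed above can be verified after deployment. The following Python code is an added example, not Cloudera code: assuming the keytabs are in the MIT keytab file format (version 0x0502), it parses a keytab and reports which expected principals are missing. The function names, the realm EXAMPLE.COM and the all-zero keys in the sample builder are constructed for illustration.

```python
import struct
# First principal component expected in each keytab, per the description above.
EXPECTED = {"hdfs": {"hdfs", "host"}, "mapred": {"mapred", "host"},
            "oozie": {"oozie", "HTTP"}, "hue": {"hue"}}

def _cstr(b):
    return struct.pack(">H", len(b)) + b      # counted octet string

def build_keytab(principals, realm=b"EXAMPLE.COM"):
    """Constructed sample keytab: made-up realm/hosts, dummy all-zero keys."""
    out = b"\x05\x02"
    for p in principals:
        comps = p.encode().split(b"/")
        e = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(map(_cstr, comps))
        e += struct.pack(">IIBH", 1, 0, 1, 18) + _cstr(bytes(32))  # enctype 18: AES-256
        out += struct.pack(">i", len(e)) + e
    return out

def _read(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, enctype)] from an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative length marks a deleted entry: skip it
            pos += -size
            continue
        buf = data[pos:pos + size]
        if len(buf) < size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", buf, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):    # realm first, then the name components
            s, off = _read(buf, off)
            parts.append(s)
        _ntype, _ts, _vno8, etype = struct.unpack_from(">IIBH", buf, off)
        entries.append(("/".join(parts[1:]) + "@" + parts[0], etype))
        pos += size
    return entries

def missing_principals(service, data):
    found = {p.split("/")[0].split("@")[0] for p, _ in parse_keytab(data)}
    return EXPECTED[service] - found  # expected names with no entry in the keytab
```

On a cluster host, pass the bytes of a deployed keytab file to `missing_principals`; an empty set means every expected principal has at least one entry.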
Ways to Configure Kerberos Authentication Using Cloudera Manager
- Cloudera Manager 5.1 introduced a new wizard to automate the procedure to set up Kerberos on a cluster. Using the KDC information you enter, the wizard will create new principals and keytab files for your CDH services. The wizard can be used to deploy the krb5.conf file cluster-wide, and automate other manual tasks such as stopping all services, deploying client configuration and restarting all services on the cluster. If you want to use the Kerberos wizard, follow the instructions at Enabling Kerberos Authentication Using the Wizard.
- If you do not want to use the Kerberos wizard, follow the instructions at Enabling Kerberos Authentication Without the Wizard.
- Cloudera Manager User Accounts
- Configuring External Authentication for Cloudera Manager
- Kerberos Principals and Keytabs
- Enabling Kerberos Authentication Using the Wizard
- Viewing and Regenerating Kerberos Principals
- Mapping Kerberos Principals to Short Names
- Enabling Kerberos Authentication Without the Wizard