Viewing and Regenerating Kerberos Principals
As soon as you enable Hadoop secure authentication for HDFS and MapReduce service instances, Cloudera Manager starts creating the Kerberos principals for each of the role instances. The amount of time this process will take depends on the number of hosts and HDFS and MapReduce role instances on your cluster. The process can take from a few seconds for a small cluster to several minutes for a larger cluster. After the process is completed, you can use the Cloudera Manager Admin Console to view the list of Kerberos principals that Cloudera Manager has created for the cluster. Make sure there are principals for each of the hosts and HDFS and MapReduce role instances on your cluster. If there are no principals after 10 minutes, then there is most likely a problem with the principal creation. See the Troubleshooting Authentication Issues section below for more information. If necessary, you can use Cloudera Manager to regenerate the principals.
- Regenerate principals using the following steps in the Cloudera Manager Admin Console and not directly using kadmin shell.
- Do not regenerate the principals for your cluster unless you have made a global configuration change. Before regenerating, be sure to read Configuring a Cluster-dedicated MIT KDC and Default Domain for a Cluster to avoid making your existing host keytabs invalid.
- If you are using Active Directory, delete the AD accounts with the userPrincipalName (or login names) that you want to manually regenerate before continuing with the steps below.
To view and regenerate the Kerberos principals for your cluster:
- Select .
- The currently configured Kerberos principals are displayed. If you are running HDFS, the hdfs/hostname and host/hostname principals are listed. If you are running MapReduce, the mapred/hostname and host/hostname principals are listed. The principals for other running services are also listed.
- Only if necessary, select the principals you want to regenerate.
- Click Regenerate.
The Security Inspector
- Select .
- Click Security Inspector. Cloudera Manager begins several tasks to inspect the managed hosts.
- After the inspection completes, click Download Result Data or Show Inspector Results to review the results.
|<< Enabling Kerberos Authentication for Single User Mode or Non-Default Users||Mapping Kerberos Principals to Short Names >>|