This is the documentation for Cloudera 5.2.x.
Documentation for other versions is available at Cloudera Documentation.

Viewing and Regenerating Kerberos Principals

As soon as you enable Hadoop secure authentication for HDFS and MapReduce service instances, Cloudera Manager starts creating the Kerberos principals for each of the role instances. How long this takes depends on the number of hosts and HDFS and MapReduce role instances on your cluster: from a few seconds for a small cluster to several minutes for a larger cluster.

After the process is completed, you can use the Cloudera Manager Admin Console to view the list of Kerberos principals that Cloudera Manager has created for the cluster. Make sure there are principals for each of the hosts and HDFS and MapReduce role instances on your cluster. If there are no principals after 10 minutes, there is most likely a problem with the principal creation. See the Troubleshooting Authentication Issues section below for more information. If necessary, you can use Cloudera Manager to regenerate the principals.

If you make a global configuration change in your cluster, such as changing the encryption type, you must use the following instructions to regenerate the principals for your cluster.
  Important:
  • Regenerate principals using the following steps in the Cloudera Manager Admin Console, not directly with the kadmin shell.
  • Do not regenerate the principals for your cluster unless you have made a global configuration change. Before regenerating, be sure to read Configuring a Cluster-dedicated MIT KDC and Default Domain for a Cluster to avoid making your existing host keytabs invalid.
  • If you are using Active Directory, delete the AD accounts with the userPrincipalName (or login names) that you want to manually regenerate before continuing with the steps below.

To view and regenerate the Kerberos principals for your cluster:

  1. Select Administration > Kerberos.
  2. The currently configured Kerberos principals are displayed. If you are running HDFS, the hdfs/hostname and host/hostname principals are listed. If you are running MapReduce, the mapred/hostname and host/hostname principals are listed. The principals for other running services are also listed.
  3. Only if necessary, select the principals you want to regenerate.
  4. Click Regenerate.
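
The check "make sure there are principals for each of the hosts and HDFS and MapReduce role instances" can be scripted once the principal list has been copied out of the Administration > Kerberos page. The following is an added example, not Cloudera code. It assumes one principal per line in service/hostname@REALM form; the host names, the realm EXAMPLE.COM and the inventory layout are constructed for illustration. It covers only the hdfs, mapred and host principals named above, and it reports a principal issued in the wrong realm as missing.

```python
# Added example: compare a principal list against the principals expected
# for each host's roles. Inventory, hosts and realm are constructed samples.

# Service names expected per role type, as listed in step 2 above.
EXPECTED_SERVICES = {
    "HDFS": ("hdfs", "host"),
    "MAPREDUCE": ("mapred", "host"),
}

SAMPLE_INVENTORY = {  # constructed: host -> roles running on it
    "nn1.example.com": ["HDFS"],
    "dn1.example.com": ["HDFS", "MAPREDUCE"],
    "dn2.example.com": ["HDFS", "MAPREDUCE"],
}

SAMPLE_PRINCIPALS = """\
hdfs/nn1.example.com@EXAMPLE.COM
host/nn1.example.com@EXAMPLE.COM
hdfs/dn1.example.com@EXAMPLE.COM
mapred/dn1.example.com@EXAMPLE.COM
host/dn1.example.com@EXAMPLE.COM
hdfs/dn2.example.com@EXAMPLE.COM
host/dn2.example.com@OTHER.EXAMPLE.COM
admin@EXAMPLE.COM
"""  # constructed: dn2 lacks mapred/ and its host/ is in another realm


def parse_principals(text):
    """Return {(service, host, realm)} for lines shaped service/host@REALM."""
    found = set()
    for raw in text.splitlines():
        name, _, realm = raw.strip().rpartition("@")
        service, sep, host = name.partition("/")
        if sep and service and host and realm:  # skips user principals, blanks
            found.add((service, host.lower(), realm))
    return found


def missing_principals(inventory, principals_text, realm):
    """List expected principals that are absent from principals_text."""
    present = parse_principals(principals_text)
    missing = []
    for host, roles in sorted(inventory.items()):
        needed = {svc for role in roles for svc in EXPECTED_SERVICES[role]}
        missing += [f"{svc}/{host}@{realm}" for svc in sorted(needed)
                    if (svc, host.lower(), realm) not in present]
    return missing


if __name__ == "__main__":
    for p in missing_principals(SAMPLE_INVENTORY, SAMPLE_PRINCIPALS, "EXAMPLE.COM"):
        print("missing:", p)
```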

The Security Inspector

The Security Inspector uses the Host Inspector to run a security-related set of commands on the hosts in your cluster. It reports on things such as how Java is configured for encryption and on the default realms configured on each host. To run it:
  1. Select Administration > Kerberos.
  2. Click Security Inspector. Cloudera Manager begins several tasks to inspect the managed hosts.
  3. After the inspection completes, click Download Result Data or Show Inspector Results to review the results.