Step 9: Enable Hadoop Security

To enable Hadoop security for the cluster, you enable it on an HDFS service. After you do so, the Cloudera Manager Server automatically enables Hadoop security on the MapReduce and HBase services associated with that HDFS service.

To enable Hadoop security:

  1. Navigate to the HDFS Service > Configuration tab and click View and Edit.
  2. In the Search field, type Hadoop Secure to show the Hadoop security properties (found under the Service-Wide > Security category).
  3. Click the value for the Hadoop Secure Authentication property and select the kerberos option to enable Hadoop security on the selected HDFS service.
  4. Click the value for the Hadoop Secure Authorization property and select the checkbox to enable Kerberos authorization on the selected HDFS service.
  5. In the Search field, type DataNode Transceiver to find the DataNode Transceiver Port property.
  6. Click the value for the DataNode Transceiver Port property and specify a privileged port number (below 1024). Cloudera recommends 1004.
      Note: If there is more than one DataNode Role Group, you must specify a privileged port number for each DataNode Transceiver Port property.
  7. In the Search field, type DataNode HTTP to find the DataNode HTTP Web UI Port property and specify a privileged port number (below 1024). Cloudera recommends 1006.
      Note: These port numbers for the two DataNode properties must be below 1024 because only root can bind a privileged port; this provides part of the security mechanism that makes it impossible for a user to run a MapReduce task that impersonates a DataNode. The port numbers for the NameNode and Secondary NameNode can be anything you want, but the default port numbers are good ones to use.

  8. In the Search field type Data Directory Permissions to find the DataNode Data Directory Permissions property.
  9. Reset the value for the DataNode Data Directory Permissions property to the default value of 700 if not already set to that.
  10. Make sure you have changed the DataNode Transceiver Port, DataNode Data Directory Permissions and DataNode HTTP Web UI Port properties for every DataNode role group.
  11. Click Save Changes to save the configuration settings.
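The following is an added example, not part of the Cloudera documentation: a small audit script that reads the Hadoop core-site.xml and hdfs-site.xml that end up on a cluster node and verifies that the settings from steps 3, 4, 6, 7 and 9 above took effect. The XML property names are the standard Hadoop keys that these Cloudera Manager properties are assumed to map to, and the sample XML documents are constructed for the example.

```python
# Added example (not Cloudera's code). Assumed Cloudera Manager -> Hadoop key
# mapping: Secure Authentication -> hadoop.security.authentication,
# Secure Authorization -> hadoop.security.authorization,
# Transceiver Port -> dfs.datanode.address, HTTP Web UI Port ->
# dfs.datanode.http.address, Data Directory Permissions -> dfs.datanode.data.dir.perm
import xml.etree.ElementTree as ET

def parse_site_xml(text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml."""
    root = ET.fromstring(text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def port_of(addr):
    """'0.0.0.0:1004' -> 1004; a missing or non-numeric port -> None."""
    try:
        return int(addr.rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None

def audit_security(core, hdfs):
    """Check the HDFS settings from steps 3-9; return a list of findings."""
    findings = []
    if core.get("hadoop.security.authentication") != "kerberos":
        findings.append("hadoop.security.authentication is not 'kerberos'")
    if core.get("hadoop.security.authorization") != "true":
        findings.append("hadoop.security.authorization is not 'true'")
    # Both DataNode ports must be privileged (< 1024) so only root can bind them
    for key in ("dfs.datanode.address", "dfs.datanode.http.address"):
        port = port_of(hdfs.get(key, ""))
        if port is None or port >= 1024:
            findings.append(f"{key} must use a privileged port (<1024), got {hdfs.get(key)!r}")
    if hdfs.get("dfs.datanode.data.dir.perm") != "700":
        findings.append("dfs.datanode.data.dir.perm is not explicitly 700")
    return findings

# Constructed sample: the state expected after the steps above.
SECURE_CORE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""
SECURE_HDFS = """<configuration>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:1004</value></property>
  <property><name>dfs.datanode.http.address</name><value>0.0.0.0:1006</value></property>
  <property><name>dfs.datanode.data.dir.perm</name><value>700</value></property>
</configuration>"""
# Constructed sample: simple auth and the unprivileged default DataNode ports.
INSECURE_CORE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""
INSECURE_HDFS = """<configuration>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:50010</value></property>
  <property><name>dfs.datanode.http.address</name><value>0.0.0.0:50075</value></property>
  <property><name>dfs.datanode.data.dir.perm</name><value>755</value></property>
</configuration>"""

if __name__ == "__main__":
    for line in audit_security(parse_site_xml(INSECURE_CORE), parse_site_xml(INSECURE_HDFS)):
        print("FINDING:", line)
```

On a real node, pass the contents of /etc/hadoop/conf/core-site.xml and hdfs-site.xml (or the client configuration Cloudera Manager generates) to parse_site_xml instead of the constructed strings.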

(CDH3 only) To enable Oozie security:

  1. Navigate to the Oozie Service > Configuration tab and click View and Edit.
  2. Click the value for the Enable Kerberos Authentication property and select the checkbox to enable Kerberos authentication on the selected Oozie service.
  3. Click Save Changes to save the configuration settings.

(CDH4 only) To enable Zookeeper security:

  1. Navigate to the Zookeeper Service > Configuration tab and click View and Edit.
  2. Click the value for Enable Kerberos Authentication property and select the checkbox to enable Kerberos authentication on the selected Zookeeper service.
  3. Click Save Changes to save the configuration settings.

(CDH4 only) To enable HBase security:

  1. Navigate to the HBase Service > Configuration tab and click View and Edit.
  2. In the Search field, type HBase Secure to show the HBase security properties (found under the Service-Wide > Security category).
  3. Click the value for the HBase Secure Authorization property and select the checkbox to enable authorization on the selected HBase service.
  4. Click the value for the HBase Secure Authentication property and select kerberos to enable Kerberos authentication on the selected HBase service.
  5. Click Save Changes to save the configuration settings.

(CDH4.3 or later) To enable Solr security:

  1. Navigate to the Solr Service > Configuration tab and click View and Edit.
  2. In the Search field, type Solr Secure to show the Solr security properties (found under the Service-Wide > Security category).
  3. Click the value for the Solr Secure Authentication property and select kerberos to enable Kerberos authentication on the selected Solr service.
  4. Click Save Changes to save the configuration settings.

Note: If you use the Cloudera Manager Admin Console to generate a client configuration file after you enable Hadoop security on your cluster, the generated configuration file will not contain the Kerberos principal and keytab file that end users need to authenticate. Users must obtain a Kerberos principal and keytab file from your Kerberos administrator and then run the kinit command themselves.