This is the documentation for Cloudera 5.5.x. Documentation for other versions is available at Cloudera Documentation.

Step 4: Enabling Kerberos Using the Wizard

Required Role:

To start the Kerberos wizard:
  1. Navigate to the Cloudera Manager Admin Console and click to the right of the cluster for which you want to enable Kerberos authentication.
  2. Select Enable Kerberos.

The following instructions will guide you through the wizard to secure your cluster.

  1. Before you Begin Using the Wizard
  2. KDC Information
  3. KRB5 Configuration
  4. Import KDC Account Manager Credentials
  5. (Optional) Configuring Custom Kerberos Principals
  6. Configure HDFS DataNode Ports
  7. Enabling Kerberos
  8. Congratulations

Before you Begin Using the Wizard

The Welcome page lists the following action items that you should complete before you begin to secure the cluster using this wizard:
  • Set up a working KDC. Cloudera Manager supports authentication with MIT KDC and Active Directory.
  • Configure the KDC to allow renewable tickets with non-zero ticket lifetimes.

    Active Directory allows renewable tickets with non-zero lifetimes by default. You can verify this by checking Domain Security Settings > Account Policies > Kerberos Policy in Active Directory.

    For MIT KDC, make sure you have the following lines in the kdc.conf.
    max_life = 1d  
    max_renewable_life = 7d
    kdc_tcp_ports = 88
  • If you are using Active Directory, make sure LDAP over TLS/SSL (LDAPS) is enabled for the Domain Controllers.
  • Install the following packages on your cluster depending on the OS in use.
    OS Packages to be Installed
    RHEL/CentOS 5, RHEL/CentOS 6
    • openldap-clients on the Cloudera Manager Server host
    • krb5-workstation, krb5-libs on ALL hosts
    • openldap2-client on the Cloudera Manager Server host
    • krb5-client on ALL hosts
    Ubuntu or Debian
    • ldap-utils on the Cloudera Manager Server host
    • krb5-user on ALL hosts
    • krb5-workstation, krb5-libs on ALL hosts
  • Create an account for Cloudera Manager that has the permissions to create other accounts in the KDC. This should have been completed as part of Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server.
If you have enabled YARN Resource Manager HA in your non-secure cluster, you should clear the StateStore znode in ZooKeeper before enabling Kerberos. To do this:
  1. Go to the Cloudera Manager Admin Console home page, click to the right of the YARN service and select Stop.
  2. When you see a Finished status, the service has stopped.
  3. Go to the YARN service and select Actions > Format State Store.
  4. When the command completes, click Close.

Once you are able to check all the items on this list, click Continue.

KDC Information

On this page, select the KDC type you are using, MIT KDC or Active Directory, and complete the fields as applicable to enable Cloudera Manager to generate principals/accounts for the CDH services running on the cluster.
  • If you are using AD and have multiple Domain Controllers behind a Load Balancer, enter the name of the Load Balancer in the KDC Server Host field and any one of the Domain Controllers in Active Directory Domain Controller Override. Hadoop daemons will use the Load Balancer for authentication, but Cloudera Manager will use the override for creating accounts.
  • If you have multiple Domain Controllers (in case of AD) or MIT KDC servers, only enter the name of any one of them in the KDC Server Host field. Cloudera Manager will use that server only for creating accounts. If you choose to use Cloudera Manager to manage krb5.conf, you can specify the rest of the Domain Controllers using Safety Valve as explained below.
  • Make sure the entries for the Kerberos Encryption Types field matches what your KDC supports.

Click Continue to proceed.

KRB5 Configuration

Manage krb5.conf through Cloudera Manager allows you to choose whether Cloudera Manager should deploy the krb5.conf on your cluster or not. If left unchecked, you must ensure that the krb5.conf is deployed on all hosts in the cluster, including the Cloudera Manager Server's host.

If you check Manage krb5.conf through Cloudera Manager, this page will let you configure the properties that will be emitted in it. In particular, the safety valves on this page can be used to configure cross-realm authentication. More information can be found at Configuring a Cluster-dedicated MIT KDC with Cross-Realm Trust.

  Note: Cloudera Manager is unable to use a non-default realm. You must specify the default realm.

Click Continue to proceed.

Import KDC Account Manager Credentials

Enter the username and password for the user that can create principals for CDH cluster in the KDC. This is the user/principal you created in Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server. Cloudera Manager encrypts the username and password into a keytab and uses it as needed to create new principals.

  Note: The username entered should have the realm portion in upper-case only as shown in the example in the UI.

Click Continue to proceed.

(Optional) Configuring Custom Kerberos Principals

Starting with Cloudera Manager 5.4, you can configure custom service principals for CDH services. Before you begin making configuration changes, see Configuring a Cluster with Custom Kerberos Principals for some additional configuration changes required and limitations.

Configure HDFS DataNode Ports

On this page, specify the privileged ports needed by the DataNode's Transceiver Protocol and the HTTP Web UI in a secure cluster.

Use the checkbox to confirm you are ready to restart the cluster. Click Continue.

Enabling Kerberos

This page lets you track the progress made by the wizard as it first stops all services on your cluster, deploys the krb5.conf, generates keytabs for other CDH services, deploys client configuration and finally restarts all services. Click Continue.


The final page lists the cluster(s) for which Kerberos has been successfully enabled. Click Finish to return to the Cloudera Manager Admin Console home page.

Page generated January 14, 2016.