Step 4: Enabling Kerberos Using the Wizard

Required Role:

To start the Kerberos wizard:
  1. Go to the Cloudera Manager Admin Console and click to the right of the cluster for which you want to enable Kerberos authentication.
  2. Select Enable Kerberos.

Before you Begin Using the Wizard

The Welcome page lists the following action items that you should complete before you begin to secure the cluster using this wizard:
  • Set up a working KDC. Cloudera Manager supports authentication with MIT KDC and Active Directory.
  • Configure the KDC to allow renewable tickets with non-zero ticket lifetimes.

    Active Directory allows renewable tickets with non-zero lifetimes by default. You can verify this by checking Domain Security Settings > Account Policies > Kerberos Policy in Active Directory.

    For MIT KDC, make sure you have the following lines in the kdc.conf.
    max_life = 1d  
    max_renewable_life = 7d
    kdc_tcp_ports = 88
  • If you are using Active Directory, make sure LDAP over TLS/SSL (LDAPS) is enabled for the Domain Controllers.
  • Install the following packages on your cluster depending on the OS in use.
    OS Packages to be Installed
    RHEL/CentOS 5, RHEL/CentOS 6
    • openldap-clients on the Cloudera Manager Server host
    • krb5-workstation, krb5-libs on ALL hosts
    SLES
    • openldap2-client on the Cloudera Manager Server host
    • krb5-client on ALL hosts
    Ubuntu or Debian
    • ldap-utils on the Cloudera Manager Server host
    • krb5-user on ALL hosts
    Windows
    • krb5-workstation, krb5-libs on ALL hosts
  • Create an account for Cloudera Manager that has the permissions to create other accounts in the KDC. This should have been completed as part of Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server.

Once you are able to check all the items on this list, click Continue.

KDC Information

On this page, select the KDC type you are using, MIT KDC or Active Directory, and complete the fields as applicable to enable Cloudera Manager to generate principals/accounts for the CDH services running on the cluster.

Click Continue to proceed.

KRB5 Configuration

Manage krb5.conf through Cloudera Manager allows you to choose whether Cloudera Manager should deploy the krb5.conf on your cluster or not. If left unchecked, you must ensure that the krb5.conf is deployed on all hosts in the cluster, including the Cloudera Manager Server's host.

If you check Manage krb5.conf through Cloudera Manager, this page will let you configure the properties that will be emitted in it. In particular, the safety valves on this page can be used to configure cross-realm authentication. More information can be found at Configuring a Cluster-dedicated MIT KDC with Cross-Realm Trust.

Click Continue to proceed.

Import KDC Account Manager Credentials

Enter the username and password for the user that can create principals for CDH cluster in the KDC. This is the user/principal you created in Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server. Cloudera Manager encrypts the username and password into a keytab and uses it as needed to create new principals.

Click Continue to proceed.

(Optional) Configuring Custom Kerberos Principals

Starting with Cloudera Manager 5.4, you can configure custom service principals for CDH services. Before you begin making configuration changes, see Configuring a Cluster with Custom Kerberos Principals for some additional configuration changes required and limitations.

Configure HDFS DataNode Ports

On this page, specify the privileged ports needed by the DataNode's Transceiver Protocol and the HTTP Web UI in a secure cluster.

Use the checkbox to confirm you are ready to restart the cluster. Click Continue.

Enabling Kerberos

This page lets you track the progress made by the wizard as it first stops all services on your cluster, deploys the krb5.conf, generates keytabs for other CDH services, deploys client configuration and finally restarts all services. Click Continue.

Congratulations

The final page lists the cluster(s) for which Kerberos has been successfully enabled. Click Finish to return to the Cloudera Manager Admin Console home page.