Configuring Authentication in Cloudera Manager

Cloudera clusters can be configured to use Kerberos for authentication either with manual commands or with the Cloudera Manager wizard. Introduced in Cloudera Manager 5.1, the wizard streamlines the configuration process by automating many of the configuration and deployment tasks, such as:
  • Creating Kerberos principals and keytabs and deploying them to each host in the cluster.
  • Configuring properties in all configuration files—core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg—across all hosts in the cluster.
  • Configuring properties in the oozie-site.xml and hue.ini files to use Kerberos authentication for Oozie and Hue.
Even on a small cluster, these tasks are onerous and error-prone, so Cloudera recommends using the wizard.

Cloudera Manager Kerberos Wizard Overview

Using the details about the Kerberos Key Distribution Center (KDC) that you provide, the Cloudera Manager wizard creates new principal and keytab files for CDH services and distributes them to the hosts in the cluster. The wizard also distributes the configured krb5.conf file to all nodes in the cluster, stops all services, deploys the client configurations, and restarts all services on the cluster.

The Cloudera Manager wizard also creates keytab files for the hdfs and mapred users and deploys them to all hosts in the cluster. It also creates keytab files for the oozie and hue users and deploys them to the appropriate hosts.

Keytab file for...   Principals
hdfs                 hdfs, host
mapred               mapred, host
oozie                oozie, HTTP
hue                  hue

The host principal is the same in both hdfs and mapred keytab files.
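
One way to check deployed keytabs against the table above, as an added example that is not Cloudera's own code: it parses the text printed by `klist -kt <keytab>` and reports missing or unexpected principals, and whether the hdfs and mapred keytabs carry the same host entry. The function names, sample listings, host name and realm are constructed for illustration.

```python
# Expected principal primaries per keytab, copied from the table on this page.
EXPECTED = {"hdfs": {"hdfs", "host"}, "mapred": {"mapred", "host"},
            "oozie": {"oozie", "HTTP"}, "hue": {"hue"}}

def entries(klist_output):
    """Parse `klist -kt` text into (kvno, principal) pairs."""
    rows = []
    for line in klist_output.splitlines():
        fields = line.split()
        # Entry rows start with a numeric KVNO and end with primary/instance@REALM.
        if len(fields) >= 2 and fields[0].isdigit() and "@" in fields[-1]:
            rows.append((int(fields[0]), fields[-1]))
    return rows

def primary(principal):
    """'hdfs/node1.example.com@EXAMPLE.COM' -> 'hdfs'."""
    return principal.rsplit("@", 1)[0].split("/", 1)[0]

def audit(owner, klist_output):
    """Return (missing, unexpected) primaries for one keytab listing."""
    have = {primary(p) for _, p in entries(klist_output)}
    return sorted(EXPECTED[owner] - have), sorted(have - EXPECTED[owner])

def host_entries_match(hdfs_output, mapred_output):
    """True when both listings carry the same host principal at the same KVNO.
    klist -kt shows no key material, so name + KVNO is a proxy (assumption)."""
    def pick(out):
        return {e for e in entries(out) if primary(e[1]) == "host"}
    a, b = pick(hdfs_output), pick(mapred_output)
    return bool(a) and a == b

# Constructed sample listings (host names, realm and timestamps are made up).
HEADER = "KVNO Timestamp           Principal\n---- ------------------- ---------\n"
HDFS = HEADER + ("   1 01/01/2015 10:00:00 hdfs/node1.example.com@EXAMPLE.COM\n"
                 "   1 01/01/2015 10:00:00 host/node1.example.com@EXAMPLE.COM\n")
MAPRED_STALE = HEADER + ("   1 01/01/2015 10:00:00 mapred/node1.example.com@EXAMPLE.COM\n"
                         "   2 02/01/2015 09:00:00 host/node1.example.com@EXAMPLE.COM\n")
OOZIE_WRONG = HEADER + ("   1 01/01/2015 10:00:00 oozie/node1.example.com@EXAMPLE.COM\n"
                        "   1 01/01/2015 10:00:00 hdfs/node1.example.com@EXAMPLE.COM\n")

if __name__ == "__main__":
    print(audit("hdfs", HDFS))
    print(audit("oozie", OOZIE_WRONG))
    print(host_entries_match(HDFS, MAPRED_STALE))
```

An unexpected primary in a service keytab, such as hdfs inside the oozie keytab, means that service account can authenticate as another service and is worth investigating.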

After making the configuration changes and deploying to the appropriate nodes in the cluster, Cloudera Manager starts all NameNode, DataNode, Secondary NameNode, JobTracker, TaskTracker, Oozie Server, and Hue roles to stand up the cluster.