Configuring Authentication in Cloudera Manager
Before You Begin
When you configure authentication and authorization on a cluster, Cloudera Manager Server sends sensitive information over the network to cluster hosts, such as Kerberos keytabs and configuration files that contain passwords. To secure this transfer, you must configure TLS encryption between Cloudera Manager Server and all cluster hosts. For instruction on enabling TLS encryption for Cloudera Manager, see How to Configure TLS Encryption for Cloudera Manager.
Why Use Cloudera Manager to Implement Kerberos Authentication?
If you do not use Cloudera Manager to implement Hadoop security, you must manually create and deploy the Kerberos principals and keytabs on every host in your cluster. If you have a large number of hosts, this can be a time-consuming and error-prone process. After creating and deploying the keytabs, you must also manually configure properties in the core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg files on every host in the cluster to enable and configure Hadoop security in HDFS and MapReduce. You must also manually configure properties in the oozie-site.xml and hue.ini files on certain cluster hosts to enable and configure Hadoop security in Oozie and Hue.
Cloudera Manager enables you to automate all of those manual tasks. Cloudera Manager can automatically create and deploy a keytab file for the hdfs user and a keytab file for the mapred user on every host in your cluster, as well as keytab files for the oozie and hue users on select hosts. The hdfs keytab file contains entries for the hdfs principal and a host principal, and the mapred keytab file contains entries for the mapred principal and a host principal. The host principal will be the same in both keytab files. The oozie keytab file contains entries for the oozie principal and a HTTP principal. The hue keytab file contains an entry for the hue principal. Cloudera Manager can also automatically configure the appropriate properties in the core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg files on every host in the cluster, and the appropriate properties in oozie-site.xml and hue.ini for select hosts. Lastly, Cloudera Manager can automatically start up the NameNode, DataNode, Secondary NameNode, JobTracker, TaskTracker, Oozie Server, and Hue roles once all the appropriate configuration changes have been made.
Ways to Configure Kerberos Authentication Using Cloudera Manager
- Cloudera Manager 5.1 introduced a new wizard to automate the procedure to set up Kerberos on a cluster. Using the KDC information you enter, the wizard will create new principals and
keytab files for your CDH services. The wizard can be used to deploy the krb5.conf file cluster-wide, and automate other manual tasks such as stopping all services,
deploying client configuration and restarting all services on the cluster.
If you want to use the Kerberos wizard, follow the instructions at Enabling Kerberos Authentication Using the Wizard.
- If you do not want to use the Kerberos wizard, follow the instructions at Enabling Kerberos Authentication Without the Wizard.
- Cloudera Manager User Accounts
- Configuring External Authentication for Cloudera Manager
- Kerberos Concepts - Principals, Keytabs and Delegation Tokens
- Enabling Kerberos Authentication Using the Wizard
- Enabling Kerberos Authentication for Single User Mode or Non-Default Users
- Configuring a Cluster with Custom Kerberos Principals
- Managing Kerberos Credentials Using Cloudera Manager
- Using a Custom Kerberos Keytab Retrieval Script
- Mapping Kerberos Principals to Short Names
- Moving Kerberos Principals to Another OU Within Active Directory
- Using Auth-to-Local Rules to Isolate Cluster Users
- Enabling Kerberos Authentication Without the Wizard