Enabling Kerberos Authentication Without the Wizard

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Note that certain steps in the following procedure to configure Kerberos security cannot be completed without Full Administrator role privileges.

  • Prerequisites - These instructions assume that you know how to install and configure Kerberos, that you already have a working Kerberos key distribution center (KDC) and realm, and that you have installed the following Kerberos client packages, according to the OS in use, on all cluster hosts and on any hosts that will be used to access the cluster.

    Packages required, by OS:

    RHEL 7 Compatible, RHEL 6 Compatible, RHEL 5 Compatible:
      • openldap-clients on the Cloudera Manager Server host
      • krb5-workstation, krb5-libs on ALL hosts
    SLES:
      • openldap2-client on the Cloudera Manager Server host
      • krb5-client on ALL hosts
    Ubuntu or Debian:
      • ldap-utils on the Cloudera Manager Server host
      • krb5-user on ALL hosts
    Windows:
      • krb5-workstation, krb5-libs on ALL hosts

    Furthermore, Oozie and Hue require that the realm support renewable tickets. Cloudera Manager supports setting up kerberized clusters with MIT KDC and Active Directory.

    For more information about using an Active Directory KDC, refer to the section on Direct to Active Directory and the Microsoft AD documentation.

    For more information about installing and configuring MIT KDC, see:
  • Cloudera supports the Kerberos version that ships with each supported operating system listed in CDH and Cloudera Manager Supported Operating Systems.
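
A preflight check for the prerequisites above, as an added example that is not part of the Cloudera documentation: it reports which client packages from the Linux rows of the table are missing on a host and tests whether a ticket-granting ticket is renewable, as Oozie and Hue require. The function names, the family and role arguments and the sample `klist -f` text are assumptions made for this example, and the flag parsing assumes MIT `klist` output.

```shell
#!/bin/sh
# Added example: preflight check for the Kerberos client prerequisites.

# Print the packages the prerequisites table requires.
# $1 = OS family (rhel|sles|debian), $2 = role (cm-server|host)
required_pkgs() {
    case "$1" in
        rhel)   host="krb5-workstation krb5-libs"; ldap="openldap-clients" ;;
        sles)   host="krb5-client";                ldap="openldap2-client" ;;
        debian) host="krb5-user";                  ldap="ldap-utils" ;;
        *) echo "unknown OS family: $1" >&2; return 2 ;;
    esac
    if [ "$2" = cm-server ]; then echo "$host $ldap"; else echo "$host"; fi
}

# Print each required package that is not installed on this host.
missing_pkgs() {
    pkgs=$(required_pkgs "$1" "$2") || return 2
    for p in $pkgs; do
        case "$1" in
            debian) dpkg-query -W -f='${Status}' "$p" 2>/dev/null |
                        grep -q 'install ok installed' ;;
            *)      rpm -q "$p" >/dev/null 2>&1 ;;
        esac || echo "$p"
    done
}

# Read `klist -f` output on stdin; succeed only if the krbtgt entry
# carries the R (renewable) flag.
tgt_is_renewable() {
    awk '
        /krbtgt\//  { in_tgt = 1; next }   # ticket-granting ticket line
        /^[^ \t]/   { in_tgt = 0 }         # another unindented line ends the entry
        in_tgt && /Flags:/ {
            sub(/.*Flags:[ \t]*/, "")      # keep only the flag letters
            if ($0 ~ /R/) found = 1
            in_tgt = 0
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample of MIT `klist -f` output (not from a real system).
SAMPLE_KLIST='Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 01/08/2024 10:00:00, Flags: FRIA'
```

On a host, `missing_pkgs rhel cm-server` prints nothing when every package is present, and `klist -f | tgt_is_renewable` checks the current ticket cache.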