Configuring Authentication in Cloudera Manager
- Creating Kerberos principals and keytabs and deploying them to each host in the cluster.
- Configuring properties in all configuration files—core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg—across all hosts in the cluster.
- Configuring properties in the oozie-site.xml and hue.ini files to use Kerberos authentication for Oozie and Hue.
Cloudera Manager Kerberos Wizard Overview
Using the details about the Kerberos Key Distribution Center (KDC) that you provide, the Cloudera Manager wizard creates new principal and keytab files for CDH services and distributes them to the hosts in the cluster. The wizard also distributes the configured krb5.conf file to all nodes in the cluster, stops all services, deploys the client configurations, and restarts all services on the cluster.
The Cloudera Manager wizard also creates keytab files for the hdfs and mapred users and deploys them to all hosts in the cluster. The wizard also creates keytab files for the oozie and hue users and deploys them to the appropriate hosts.
|Keytab file for...||Principals|
The host principal is the same in both hdfs and mapred keytab files.
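One way to verify this after the keytabs are deployed, as an added example (not Cloudera's code): the script parses `klist -kt` output and confirms that the hdfs and mapred keytabs carry the same host principal. The listings, host names, realm and function names are constructed for illustration.

```bash
#!/bin/sh
# Added example. The listings are constructed samples in the layout printed
# by MIT Kerberos `klist -kt <keytab>`; names and realm are assumptions.
HDFS_LISTING='Keytab name: FILE:/tmp/sample/hdfs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   1 01/01/2024 00:00:00 hdfs/node1.example.com@EXAMPLE.COM
   1 01/01/2024 00:00:00 host/node1.example.com@EXAMPLE.COM
   1 01/01/2024 00:00:00 host/node1.example.com@EXAMPLE.COM'
MAPRED_LISTING='Keytab name: FILE:/tmp/sample/mapred.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   1 01/01/2024 00:00:00 mapred/node1.example.com@EXAMPLE.COM
   1 01/01/2024 00:00:00 host/node1.example.com@EXAMPLE.COM'
# A keytab copied from another host: its host principal does not match.
STALE_LISTING='Keytab name: FILE:/tmp/sample/mapred.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   1 01/01/2024 00:00:00 mapred/node2.example.com@EXAMPLE.COM
   1 01/01/2024 00:00:00 host/node2.example.com@EXAMPLE.COM'

# Read `klist -kt` output on stdin and print the unique principals.
# Entry rows start with a numeric KVNO; the principal is the last field.
# One principal usually appears once per encryption type, hence sort -u.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Print only the host/ principals found in a listing passed as $1.
host_principals() {
    printf '%s\n' "$1" | keytab_principals | grep '^host/' || true
}

# Print host/ principals present in both listings; return non-zero if none.
shared_host_principals() (
    a=$(host_principals "$1")
    b=$(host_principals "$2")
    [ -n "$a" ] && [ -n "$b" ] || exit 1
    printf '%s\n' "$a" | grep -Fx -e "$b"
)

# On a cluster host, pass "$(klist -kt <hdfs keytab>)" and
# "$(klist -kt <mapred keytab>)" instead of the sample listings.
if shared=$(shared_host_principals "$HDFS_LISTING" "$MAPRED_LISTING"); then
    echo "shared host principal: $shared"
else
    echo "no host principal common to both keytabs" >&2
fi
```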
After making the configuration changes and deploying to the appropriate nodes in the cluster, Cloudera Manager starts all NameNode, DataNode, Secondary NameNode, JobTracker, TaskTracker, Oozie Server, and Hue roles to stand up the cluster.
- To use the Cloudera Manager wizard, see Enabling Kerberos Authentication Using the Wizard.
- For command-line configuration, see Enabling Kerberos Authentication Without the Wizard.
- Cloudera Manager User Accounts
- Configuring External Authentication for Cloudera Manager
- Kerberos Concepts - Principals, Keytabs and Delegation Tokens
- Enabling Kerberos Authentication Using the Wizard
- Enabling Kerberos Authentication for Single User Mode or Non-Default Users
- Configuring a Cluster with Custom Kerberos Principals
- Managing Kerberos Credentials Using Cloudera Manager
- Using a Custom Kerberos Keytab Retrieval Script
- Mapping Kerberos Principals to Short Names
- Moving Kerberos Principals to Another OU Within Active Directory
- Using Auth-to-Local Rules to Isolate Cluster Users
- Enabling Kerberos Authentication Without the Wizard