Configuring Authentication in Cloudera Manager

Cloudera clusters can be configured to use Kerberos for authentication by following a manual configuration process or by using the configuration wizard available from the Cloudera Manager Admin Console. Cloudera recommends using the wizard because it automates many of the configuration and deployment tasks. In addition, enabling Kerberos on the cluster using the wizard also enables Kerberos authentication for all CDH components set up on the cluster, so you do not need to enable authentication for CDH as detailed in the Configuring Authentication in CDH Using the Command Line section.

Cloudera Manager Kerberos Wizard Overview

The Cloudera Manager Kerberos wizard starts by verifying various details of the Kerberos instance that will be used for the cluster. Before using the wizard, gather all the details about the Kerberos service, or engage the Kerberos administrator's help during this process: the wizard's pages ask for many details of the Kerberos instance.

The wizard requires a working KDC, either an MIT KDC or an Active Directory KDC. For ease of configuration, the KDC should be set up and working before you start the wizard. Administrator-level privileges to the Kerberos instance are required to complete the wizard's prompts, so obtain help from the Kerberos administrator if you do not have these privileges.

Using the information entered in the wizard's screens, the configuration wizard does the following:
  • Configures the necessary properties in all configuration files—core-site.xml, hdfs-site.xml, mapred-site.xml, and taskcontroller.cfg—to identify Kerberos as the authentication mechanism for the cluster
  • Configures the necessary properties in the oozie-site.xml and hue.ini files for Oozie and Hue for Kerberos authentication
  • Creates principal and keytab files for core system users, such as hdfs and mapred, and for CDH services
  • Distributes the principal and keytab files to each host in the cluster
  • Creates keytab files for oozie and hue users and deploys them to the appropriate hosts that support these client-focused services
  • Distributes a configured krb5.conf to all nodes in the cluster
  • Stops all services
  • Deploys client configurations
  • Restarts all services throughout the cluster
  • Creates keytab files for core system users, such as hdfs and mapred

| Keytab file for... | Principals   |
|--------------------|--------------|
| hdfs               | hdfs, host   |
| mapred             | mapred, host |
| oozie              | oozie, HTTP  |
| hue                | hue          |

The host principal is the same in both hdfs and mapred keytab files.
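
As an added example (not part of Cloudera's documentation or tooling), the shell functions below check MIT Kerberos `klist -kt` output against the keytab table above and confirm that the hdfs and mapred keytabs carry the same host principal. The function names, sample listings, host name and realm are constructed for illustration.

```shell
# Principal primaries each keytab must hold, taken from the table above.
expected_primaries() {
    case "$1" in
        hdfs)   echo "hdfs host" ;;
        mapred) echo "mapred host" ;;
        oozie)  echo "oozie HTTP" ;;
        hue)    echo "hue" ;;
        *)      return 1 ;;
    esac
}

# Print unique principals from a listing on stdin (entry lines start with a KVNO).
list_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Usage: klist -kt <keytab file> | check_keytab hdfs
# Prints each missing primary; returns non-zero if any is missing.
check_keytab() {
    want=$(expected_primaries "$1") || { echo "unknown keytab: $1" >&2; return 2; }
    have=$(list_principals)
    rc=0
    for p in $want; do
        # The primary is the text before the first "/" or "@".
        if ! printf '%s\n' "$have" | awk -F'[/@]' -v p="$p" '$1 == p { ok = 1 } END { exit !ok }'; then
            echo "$1 keytab: missing $p principal"
            rc=1
        fi
    done
    return "$rc"
}

# same_host_principal LISTING_A LISTING_B: succeed only if both hold the same host entry.
same_host_principal() {
    a=$(printf '%s\n' "$1" | list_principals | grep '^host/' || true)
    b=$(printf '%s\n' "$2" | list_principals | grep '^host/' || true)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample listings; host name and realm are placeholders.
HDFS_LISTING='KVNO Timestamp           Principal
   1 01/01/2024 00:00:00 hdfs/node1.example.com@EXAMPLE.COM
   1 01/01/2024 00:00:00 host/node1.example.com@EXAMPLE.COM'
MAPRED_LISTING='KVNO Timestamp           Principal
   1 01/01/2024 00:00:00 mapred/node1.example.com@EXAMPLE.COM
   1 01/01/2024 00:00:00 host/node1.example.com@EXAMPLE.COM'
OOZIE_INCOMPLETE='KVNO Timestamp           Principal
   1 01/01/2024 00:00:00 oozie/node1.example.com@EXAMPLE.COM'
```

A keytab that fails the check, such as the constructed oozie listing without its HTTP entry, is worth catching before the services restart, since a role without its principal cannot authenticate.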

After making the configuration changes and deploying the principals, keytabs, and configuration files to the appropriate nodes in the cluster, Cloudera Manager starts all NameNode, DataNode, Secondary NameNode, JobTracker, TaskTracker, Oozie Server, and Hue roles to stand up the cluster.