Enabling Replication Between Clusters in Different Kerberos Realms
Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
To enable replication between clusters that reside in different Kerberos realms, additional setup steps are required to ensure that the source and destination clusters can communicate.
Note: If either the source or destination cluster is running Cloudera Manager 4.6 or higher, then both clusters (source and destination) must be running 4.6 or higher. For example, cross-realm authentication does not work if one cluster is running Cloudera Manager 4.5.x and one is running Cloudera Manager 4.6 or higher.
For HDFS replication:
- On the hosts in the destination cluster, ensure that the krb5.conf file (typically located at /etc/krb5.conf) on each host has the following information:
- The kdc information for the source cluster's Kerberos realm. For example:
    [realms]
     SOURCE.MYCO.COM = {
      kdc = src-kdc-1.src.myco.com:88
      admin_server = src-kdc-1.src.myco.com:749
      default_domain = src.myco.com
     }
     DEST.MYCO.COM = {
      kdc = dest-kdc-1.dest.myco.com:88
      admin_server = dest-kdc-1.dest.myco.com:749
      default_domain = dest.myco.com
     }
- Domain/host-to-realm mapping for the source cluster NameNode hosts. You configure these mappings in the [domain_realm] section. For example, to map two realms named SRC.MYCO.COM and DEST.MYCO.COM to the domains of hosts named hostname.src.myco.com and hostname.dest.myco.com, make the following mappings in the krb5.conf file:
    [domain_realm]
     .src.myco.com = SRC.MYCO.COM
     src.myco.com = SRC.MYCO.COM
     .dest.myco.com = DEST.MYCO.COM
     dest.myco.com = DEST.MYCO.COM
- On the destination cluster, use Cloudera Manager to add the realm of the source cluster to the Trusted Kerberos Realms configuration property:
- Go to the HDFS service.
- Click the Configuration tab.
- In the search field type "Trusted Kerberos" to find the Trusted Kerberos Realms property.
- Enter the source cluster realm.
- Click Save Changes to commit the changes.
- If your Cloudera Manager release is 5.0.1 or lower, restart the JobTracker to enable it to pick up the new Trusted Kerberos Realm settings. Failure to restart the JobTracker prior to the first replication attempt may cause the JobTracker to fail.
For Hive replication:
- Perform the procedure described in the previous section, including restarting the JobTracker.
- On the hosts in the source cluster, ensure that the krb5.conf file on each host has the following information:
- The kdc information for the destination cluster's Kerberos realm.
- Domain/host-to-realm mapping for the destination cluster NameNode hosts.
- On the source cluster, use Cloudera Manager to add the realm of the destination cluster to the Trusted Kerberos Realms configuration property.
- Go to the HDFS service.
- Click the Configuration tab.
- In the search field type "Trusted Kerberos" to find the Trusted Kerberos Realms property.
- Enter the destination cluster realm.
- Click Save Changes to commit the changes.
It is not necessary to restart any services on the source cluster.
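The krb5.conf requirements in both procedures can be checked per host before the first replication run. The following is an added example, not part of the Cloudera documentation or tooling: it parses a krb5.conf, resolves a remote NameNode hostname to a realm through [domain_realm], and reports when that realm has no kdc entry in [realms] (for instance because the realm is spelled differently in the two sections). The function names and the sample file are hypothetical, the lookup order is modelled on MIT Kerberos (exact host, then each parent domain with and without its leading dot), and KDCs are assumed to be listed in krb5.conf rather than discovered through DNS.

```python
import re

# Constructed krb5.conf for a destination-cluster host (realm names are examples).
SAMPLE = """
[realms]
 SRC.MYCO.COM = {
  kdc = src-kdc-1.src.myco.com:88
 }
[domain_realm]
 .src.myco.com = SRC.MYCO.COM
 src.myco.com = SRC.MYCO.COM
"""

def parse_krb5(text):
    """Return ({realm: [kdc, ...]}, {host_or_domain: realm}) from krb5.conf text."""
    kdcs, domain_realm, section, realm = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key
                kdcs.setdefault(realm, [])
            elif section == "realms" and realm and key == "kdc":
                kdcs[realm].append(value)
            elif section == "domain_realm":
                domain_realm[key.lower()] = value
    return kdcs, domain_realm

def realm_for_host(host, domain_realm):
    """Exact host first, then each parent domain with and without its leading dot."""
    name = host.lower()
    while name:
        if name in domain_realm:
            return domain_realm[name]
        name = name[1:] if name[0] == "." else name[name.index("."):] if "." in name else ""
    return None

def check_host(host, text):
    """Return a problem description, or None if the host's realm has a KDC listed."""
    kdcs, domain_realm = parse_krb5(text)
    realm = realm_for_host(host, domain_realm)
    if realm is None:
        return f"{host}: no [domain_realm] mapping"
    return None if kdcs.get(realm) else f"{host}: maps to {realm}, but [realms] lists no kdc for it"
```

Run check_host on every destination host with each source NameNode hostname for HDFS replication, and in the opposite direction on the source hosts for Hive replication.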
Page generated July 8, 2016.