This is the documentation for Cloudera Enterprise 5.8.x. Documentation for other versions is available at Cloudera Documentation.
Enabling Kerberos Authentication Using the Wizard
Minimum Required Role: Cluster Administrator (also provided by Full Administrator)
Important: Ensure you
have secured communication between the Cloudera Manager Server and Agents before you enable Kerberos on your cluster. Kerberos keytabs are sent from the Cloudera Manager Server to the Agents, and
must be encrypted to prevent potential misuse of leaked keytabs. For secure communication, you should have at least Level 1 TLS enabled as described in Configuring TLS Security for Cloudera Manager (Level 1).This guide describes how to use Cloudera Manager and the Kerberos wizard (introduced in Cloudera Manager 5.1.0) to automate many of the manual tasks of implementing Kerberos security
on your CDH cluster.
- Prerequisites - These instructions assume you know how to install and configure Kerberos,
you already have a working Kerberos key distribution center (KDC) and realm setup, and that you've installed the following Kerberos client packages on all cluster hosts and hosts that will be used to
access the cluster, depending on the OS in use.
Furthermore, Oozie and Hue require that the realm support renewable tickets. Cloudera Manager supports setting up kerberized clusters with MIT KDC and Active Directory.
OS Packages to be Installed RHEL/CentOS 5, RHEL/CentOS 6 - openldap-clients on the Cloudera Manager Server host
- krb5-workstation, krb5-libs on ALL hosts
SLES - openldap2-client on the Cloudera Manager Server host
- krb5-client on ALL hosts
Ubuntu or Debian - ldap-utils on the Cloudera Manager Server host
- krb5-user on ALL hosts
Windows - krb5-workstation, krb5-libs on ALL hosts
Important: If you want to integrate Kerberos directly with Active Directory, ensure
you have support from your AD administration team to do so. This includes any future support required to troubleshoot issues such as Kerberos TGT/TGS ticket renewal, access to KDC logs for debugging
and so on.For more information about using an Active Directory KDC, refer the section below on Considerations when using an Active Directory KDC and the Microsoft AD documentation.
For more information about installing and configuring MIT KDC, see: - Support
- Kerberos security in Cloudera Manager has been tested on the following version of MIT Kerberos 5:
- krb5-1.6.1 on Red Hat Enterprise Linux 5 and CentOS 5
- Kerberos security in Cloudera Manager is supported on the following versions of MIT Kerberos 5:
- krb5-1.6.3 on SLES 11 Service Pack 1
- krb5-1.8.1 on Ubuntu
- krb5-1.8.2 on Red Hat Enterprise Linux 6 and CentOS 6
- krb5-1.9 on Red Hat Enterprise Linux 6.1
- Kerberos security in Cloudera Manager has been tested on the following version of MIT Kerberos 5:
Continue reading:
- Step 1: Install Cloudera Manager and CDH
- Step 2: If You are Using AES-256 Encryption, Install the JCE Policy File
- Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server
- Step 4: Enabling Kerberos Using the Wizard
- Step 5: Create the HDFS Superuser
- Step 6: Get or Create a Kerberos Principal for Each User Account
- Step 7: Prepare the Cluster for Each User
- Step 8: Verify that Kerberos Security is Working
- Step 9: (Optional) Enable Authentication for HTTP Web Consoles for Hadoop Roles
Page generated July 8, 2016.
| << Kerberos Concepts - Principals, Keytabs and Delegation Tokens | ©2016 Cloudera, Inc. All rights reserved | Step 1: Install Cloudera Manager and CDH >> |
| Terms and Conditions Privacy Policy |