How To Enable Kerberos in Cloudera Hadoop Cluster?
In this post, I will explain how to enable Kerberos in a Cloudera Hadoop cluster.
As an introduction, I would advise going through my earlier post -
How To Install & Configure Kerberos Server & Client in Linux? That post explained how to set up and configure Kerberos in a cluster.
Assumptions:
It is assumed that the following are set up and running:
- Cloudera CDH
- Cloudera Manager and
- Kerberos Server and Client are installed in the cluster (read this post for how to do it)
Goal:
Our goal is to enable security on the Cloudera Hadoop cluster by enabling Kerberos authentication.
Prerequisites - Java Cryptography Extension (JCE)
- The Java Cryptography Extension (JCE) Unlimited Policy File must be installed on all machines within the cluster. Install it based on the Java version. Check the Java version using -
$ java -version
- Download the JCE file from Oracle website -
https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
- Once you download the JCE file, unzip it to the Java runtime security folder
$ unzip -o -j -q Downloads/jce_policy-8.zip -d /usr/java/jdk1.8.0_121/jre/lib/security/
- Restart the Cloudera Server
$ sudo service cloudera-scm-server restart
Now let's start the Kerberos enablement for the Cloudera Hadoop cluster.
Step 1 - Cloudera Manager:
Step 2 - Enable Kerberos:
Step 3 - Select All Options
Step 4 - Fill in The Configuration Details
We need to input the KDC Server IP or hostname, the Kerberos realm name and the encryption type in this step. Please go through my earlier post to understand how to create and configure these values. The post link is -
How To Install & Configure Kerberos Server & Client in Linux? I will use the same details created in the above post.
KDC Server Host: <KDC_Server_ip>
Kerberos Security Realm: TESTREALM.LOCAL
Kerberos Encryption Types: aes256-cts-hmac-sha1-96
Step 6 - krb5 Configuration:
Here we set up the configuration file - krb5.conf.
You can choose and change various parameters related to Kerberos and tickets.
Step 7 - Use KDC Admin Credentials:
Use the KDC Admin credentials. These must have been created already. If you don't know how to create KDC Admin credentials, please refer to my earlier post -
How To Install & Configure Kerberos Server & Client in Linux?
After you fill in the Admin details correctly, the next screen shows that the wizard was able to authenticate the Admin details successfully.
Step 8 - Select "Ready To Restart" Option:
Step 9 - Verify the Installation:
Let's now verify whether all Kerberos services are working.
- Log in to any Kerberos Root Server
- Check if the Kerberos services are running.
$ service krb5kdc status
$ service kadmin status
We will try to create a new principal.
$ kadmin.local
- Create a new user/principal. In the kadmin.local prompt use -
kadmin.local: addprinc [email protected]
- Check if the principal is created. It should list the testuser1 principal.
kadmin.local: listprincs
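Once krb5.conf is in place on the cluster hosts, it can also be checked against the realm and encryption type entered in Step 4. The Python check below is an added example, not code from this post or from Cloudera Manager; the function names, the sample configuration and the KDC address 192.0.2.10 are assumptions, and it handles only one level of `{ }` nesting under [realms].

```python
import re

# Enctype name prefixes for single DES, 3DES and RC4 (weak or deprecated).
WEAK_PREFIXES = ("des", "arcfour", "rc4")

def parse_krb5(text):
    """Return ([libdefaults] relations, {realm: {key: [values]}})."""
    lib, realms, section, realm = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if header := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = header.group(1), None
        elif line == "}":                      # end of a realm subsection
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                lib[key] = value
            elif section == "realms" and value == "{":
                realm, realms[key] = key, {}
            elif section == "realms" and realm:
                realms[realm].setdefault(key, []).append(value)
    return lib, realms

def audit(text, realm, enctype):
    """List departures from the realm and enctype entered in the wizard."""
    lib, realms = parse_krb5(text)
    findings = []
    if lib.get("default_realm") != realm:
        findings.append(f"default_realm is {lib.get('default_realm')!r}, expected {realm!r}")
    if not realms.get(realm, {}).get("kdc"):
        findings.append(f"no kdc entry for realm {realm}")
    if lib.get("allow_weak_crypto", "false").lower() in ("true", "yes", "on", "1"):
        findings.append("allow_weak_crypto is enabled")
    for key in ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"):
        names = lib.get(key, "").lower().replace(",", " ").split()
        weak = [n for n in names if n.startswith(WEAK_PREFIXES)]
        if weak:
            findings.append(f"{key} allows weak enctypes: {', '.join(weak)}")
        if names and enctype not in names:   # unset relation: library defaults apply
            findings.append(f"{key} omits {enctype}")
    return findings

# Constructed sample, not from the post; 192.0.2.10 is a documentation address.
SAMPLE = ("[libdefaults]\n default_realm = TESTREALM.LOCAL\n allow_weak_crypto = true\n"
          " default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac\n"
          "[realms]\n TESTREALM.LOCAL = {\n  kdc = 192.0.2.10\n }\n")
for finding in audit(SAMPLE, "TESTREALM.LOCAL", "aes256-cts-hmac-sha1-96"):
    print("FINDING:", finding)
```

To check a real host, pass the contents of its krb5.conf to `audit` in place of `SAMPLE`; an empty list means the file matches the wizard values and lists no weak encryption types.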
Hope you find this post helpful.