Cloudera Enterprise 6.3.x | Other versions

Step 4: Enabling Kerberos Using the Wizard

Minimum Required Role: Full Administrator

To start the Kerberos wizard:
  1. Go to the Cloudera Manager Admin Console and click to the right of the cluster for which you want to enable Kerberos authentication.
  2. Select Enable Kerberos.

The steps below instructions will guide you through the wizard to secure your cluster.

  1. Getting Started
  2. Setup KDC
  3. Manage krb5.conf
  4. Setup KDC Account
  5. Configure Kerberos
  6. Summary

Getting Started

The first page lists steps you should have completed before starting the wizard.
  • Set up a working KDC. Cloudera Manager supports authentication with MIT KDC, Active Directory, and Red Hat Identity Management/FreeIPA.
  • Configure the KDC to allow renewable tickets with non-zero ticket lifetimes.

    Active Directory allows renewable tickets with non-zero lifetimes by default. You can verify this by checking Domain Security Settings > Account Policies > Kerberos Policy in Active Directory.

    For MIT KDC, make sure you have the following lines in the kdc.conf. 
    max_life = 1d  
max_renewable_life = 7d
  • If you are using Active Directory, make sure LDAP over TLS/SSL (LDAPS) is enabled for the Domain Controllers.
  • Hostnames must be in lowercase. If you use uppercase letters in any hostname, the cluster services will not start after enabling Kerberos.
  • Install the OS-specific packages for your cluster listed in the table:
    OS Packages Required
    RHEL 7 Compatible, RHEL 6 Compatible
    • openldap-clients on the Cloudera Manager Server host
    • krb5-workstation, krb5-libs on ALL hosts
    • (Red Hat IdM/FreeIPA only) freeipa-client on all cluster hosts
    SLES
    • openldap2-client on the Cloudera Manager Server host
    • krb5-client on ALL hosts
    • (Red Hat IdM/FreeIPA only) freeipa-client on all cluster hosts
    Ubuntu
    • ldap-utils on the Cloudera Manager Server host
    • krb5-user on ALL hosts
    • (Red Hat IdM/FreeIPA only) freeipa-client on all cluster hosts
    Windows
    • krb5-workstation, krb5-libs on ALL hosts
  • Create an account for Cloudera Manager that has the permissions to create other accounts in the KDC. This should have been completed as part of Step 3: Create the Kerberos Principal for Cloudera Manager Server.
  Important:

If YARN Resource Manager HA has been enabled in a non-secure cluster, before enabling Kerberos you must clear the StateStore znode in ZooKeeper, as follows:

  1. Go to the Cloudera Manager Admin Console home page, click to the right of the YARN service and select Stop.
  2. When you see a Finished status, the service has stopped.
  3. Go to the YARN service and select Actions > Format State Store.
  4. When the command completes, click Close.

Once you are able to check all the items on this list, click Continue.

Setup KDC

On this page, select the KDC type you are using: MIT KDC, Active Directory, or Red Hat IPA. Complete the fields as applicable to enable Cloudera Manager to generate principals/accounts for the CDH services running on the cluster.
  Note:
  • If you are using AD and have multiple Domain Controllers behind a Load Balancer, enter the name of the Load Balancer in the KDC Server Host field and any one of the Domain Controllers in Active Directory Domain Controller Override. Hadoop daemons will use the Load Balancer for authentication, but Cloudera Manager will use the override for creating accounts.
  • If you have multiple Domain Controllers (in case of AD) or MIT KDC servers, only enter the name of any one of them in the KDC Server Host field. Cloudera Manager will use that server only for creating accounts. If you choose to use Cloudera Manager to manage krb5.conf, you can specify the rest of the Domain Controllers using Safety Valve as explained below.
  • Make sure the entries for the Kerberos Encryption Types field matches what your KDC supports.
  • If you are using an Active Directory KDC, you can configure Active Directory account properties such as objectClass and accountExpires directly from the Cloudera Manager UI. You can also enable Cloudera Manager to delete existing AD accounts so that new ones can be created when Kerberos credentials are being regenerated. See Viewing or Regenerating Kerberos Credentials Using Cloudera Manager.

Click Continue to proceed.

Manage krb5.conf

  Note:

If you are using Red Hat IdM/FreeIPA, by default the krb5.conf file contains a line similar to the following:

default_ccache_name = KEYRING:persistent:%{uid}

CDH does not support the keyring credential cache. Comment out this line on every cluster host by adding a hash mark (#) at the beginning, like this:

#default_ccache_name = KEYRING:persistent:%{uid}

If you configure Cloudera Manager to manage the krb5.conf file, you do not need to do anything.

Choose whether Cloudera Manager should deploy and manage the krb5.conf on your cluster or not. If left unchecked, you must ensure that the krb5.conf is deployed on all hosts in the cluster, including the Cloudera Manager Server's host.

If you check Manage krb5.conf through Cloudera Manager, this page will let you configure the properties that will be emitted in it. In particular, the safety valves on this page can be used to configure cross-realm authentication. More information can be found at Configuring a Dedicated MIT KDC for Cross-Realm Trust.

Click Continue to proceed.

Setup KDC Account

  Note: Enter the REALM portion of the principal in upper-case only to conform to Kerberos convention.
  Note:

Many enterprises employ policies that require all passwords to be changed after a particular number of days. If you must change the password in Cloudera Manager for the Account Manager, then:

  1. In the Cloudera Manager Admin Console, select Administration > Security.
  2. Go to the Kerberos Credentials tab and click Import Kerberos Account Manager Credentials.
  3. In the Import Kerberos Account Manager Credentials dialog box, enter the username and password for the user that can create principals for CDH cluster in the KDC.

Enter the username and password for the user that can create principals for CDH cluster in the KDC. This is the user/principal you created in Step 3: Create the Kerberos Principal for Cloudera Manager Server. Cloudera Manager encrypts the username and password into a keytab and uses it as needed to create new principals.

If you are using Red Hat IdM/FreeIPA, enter the IPA admin credentials here. These admin credentials are not stored, and are used only to create a new user and role (named cmadin-<random_id> and cmadminrole, respectively) and retrieve its keytab. Cloudera Manager stores this keytab for future Kerberos operations, such as regenerating the credentials of the CDH service accounts.

Click Continue to proceed.

The Command Details page displays the outcome of the Import KDC Account Manager Credentials command. After it successfully completes, click Continue.

Configure Kerberos

If you have not already done so, run the provided commands on each cluster host to install the Kerberos libraries.

Then, specify the privileged ports needed by the DataNode Transceiver Protocol and the HTTP Web UI in a secure cluster.

You can configure custom service principals for CDH services. Before you begin making configuration changes, see Customizing Kerberos Principals for some additional configuration changes required and limitations. If you want to use custom service principals, uncheck the box labeled Use Default Kerberos Principals, and then specify a custom principal for each service.

Click Continue to proceed.

The Command Details page displays the outcome of the Enable Kerberos command. After it successfully completes, click Continue.

Summary

The final page lists the cluster(s) for which Kerberos has been successfully enabled. Click Finish to return to the Cloudera Manager Admin Console home page.

Page generated August 29, 2019.