Managing Kerberos Credentials Using Cloudera Manager
Minimum Required Role: Full Administrator
As soon as you enable Hadoop secure authentication for HDFS and MapReduce service instances, Cloudera Manager starts creating the Kerberos principals for each of the role instances. The amount of time this process will take depends on the number of hosts and HDFS and MapReduce role instances on your cluster. The process can take from a few seconds for a small cluster to several minutes for a larger cluster. After the process is completed, you can use the Cloudera Manager Admin Console to view the list of Kerberos principals that Cloudera Manager has created for the cluster. Make sure there are principals for each of the hosts and HDFS and MapReduce role instances on your cluster. If there are no principals after 10 minutes, then there is most likely a problem with the principal creation. See the Troubleshooting Authentication Issues section for more information. If necessary, you can use Cloudera Manager to regenerate the principals.
Managing Active Directory Account Properties
If you are using an Active Directory KDC, Cloudera Manager 5.8 and higher lets you configure Active Directory accounts and customize the credential regeneration process from the Cloudera Manager Admin Console. You can also use Cloudera Manager to configure the encryption types used by your Active Directory accounts. Once you modify any Active Directory account properties, you must regenerate the Kerberos credentials for the changes to take effect. The credential regeneration process requires that existing accounts are deleted before new ones are created.
By default, Cloudera Manager does not delete accounts in Active Directory. Hence, to regenerate Kerberos principals contained in Active Directory, you need to manually delete the existing Active Directory accounts. You can either delete and regenerate all existing Active Directory accounts, or only delete those with the userPrincipalName (or login name) that you will later manually select for regeneration. If the accounts haven't already been deleted manually, the regeneration process will throw an error message saying that deletion of accounts is required before you proceed.
Modifying Active Directory Account Properties Using Cloudera Manager
- Go to the Cloudera Manager Admin Console and click the Administration tab.
- Select .
- Click the Kerberos category.
- Locate the Active Directory Account Properties and edit as required. By default, the property will be set to:
accountExpires=0,objectClass=top,objectClass=person,objectClass=organizationalPerson,objectClass=user
- Locate the Active Directory Password Properties and edit the field as needed. By default, the property will be set to:
length=12,minLowerCaseLetters=2,minUpperCaseLetters=2,minDigits=2,minSpaces=0,minSpecialChars=0,specialChars=?.!$%^*()-_+=~
- Click Save Changes to commit the changes.
- Regenerate Kerberos credentials with the new properties.
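The two property strings above are comma-separated key=value lists with two parsing pitfalls: objectClass repeats, and the specialChars value itself contains '='. The following Python is an added example, not Cloudera Manager's own code; it parses both strings, checks a candidate password against the configured password policy, and generates a compliant password from a CSPRNG. It assumes ASCII character classes and reads length as a minimum rather than an exact size.

```python
import secrets
import string

# Default values quoted on this page for the two Cloudera Manager properties.
DEFAULT_ACCOUNT_PROPS = ("accountExpires=0,objectClass=top,objectClass=person,"
                         "objectClass=organizationalPerson,objectClass=user")
DEFAULT_PASSWORD_PROPS = ("length=12,minLowerCaseLetters=2,minUpperCaseLetters=2,"
                          "minDigits=2,minSpaces=0,minSpecialChars=0,"
                          "specialChars=?.!$%^*()-_+=~")
CLASS_POOLS = {"minLowerCaseLetters": string.ascii_lowercase,  # ASCII classes (assumption)
               "minUpperCaseLetters": string.ascii_uppercase,
               "minDigits": string.digits, "minSpaces": " "}

def parse_props(value):
    """Parse a comma-separated key=value list into {key: [values]}.
    Keys may repeat (objectClass occurs four times in the account default) and a
    value may contain '=' (specialChars=?.!$%^*()-_+=~), so split on the first '=' only."""
    props = {}
    for entry in value.split(","):
        key, sep, val = entry.partition("=")
        if not key or not sep:
            raise ValueError(f"malformed property entry: {entry!r}")
        props.setdefault(key, []).append(val)
    return props

def password_policy(props_str):
    """Return ({rule: minimum count}, {rule: character pool}) for a password-properties string."""
    p = {k: v[-1] for k, v in parse_props(props_str).items()}  # last value wins
    pools = dict(CLASS_POOLS, minSpecialChars=p.get("specialChars", ""))
    return {rule: int(p.get(rule, 0)) for rule in ["length", *pools]}, pools

def password_violations(password, props_str=DEFAULT_PASSWORD_PROPS):
    """List the rules a candidate password fails (empty list means compliant).
    'length' is treated as a minimum here; that reading is this example's assumption."""
    minimums, pools = password_policy(props_str)
    counts = {rule: sum(c in pool for c in password) for rule, pool in pools.items()}
    counts["length"] = len(password)
    return [rule for rule, need in minimums.items() if counts[rule] < need]

def generate_password(props_str=DEFAULT_PASSWORD_PROPS):
    """Generate a password satisfying the policy, drawing from the secrets CSPRNG."""
    minimums, pools = password_policy(props_str)
    chars = [secrets.choice(pools[r]) for r in pools for _ in range(minimums[r])]
    if len(chars) > minimums["length"]:
        raise ValueError("minimum class counts exceed the configured length")
    filler = string.ascii_letters + string.digits + pools["minSpecialChars"]
    chars += [secrets.choice(filler) for _ in range(minimums["length"] - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```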
Enabling Credential Regeneration for Active Directory Accounts Using Cloudera Manager
To avoid having to delete accounts manually, use the following steps to set the Active Directory Delete Accounts on Credential Regeneration property to allow Cloudera Manager to automatically delete existing Active Directory accounts when new ones are created during regeneration. If this property is left unchecked (which is the default), Cloudera Manager will not be able to regenerate credentials automatically.
- Go to the Cloudera Manager Admin Console and click the Administration tab.
- Select .
- Click the Kerberos category.
- Locate the Active Directory Delete Accounts on Credential Regeneration and check this property.
- Click Save Changes to commit the changes.
Configuring Encryption Types for Active Directory KDC Using Cloudera Manager
Cloudera Manager lets you choose which of the following supported encryption types Active Directory uses for the accounts it creates:
- rc4-hmac
- aes128-cts
- aes256-cts
- des-cbc-crc
- des-cbc-md5
- Go to the Cloudera Manager Admin Console and click the Administration tab.
- Select .
- Click the Kerberos category.
- Locate the Kerberos Encryption Types and click to add the encryption types you want Active Directory to use. Make sure they are on Cloudera's list of supported enctypes.
- Check the checkbox for the Active Directory Set Encryption Types property. This will automatically set the Cloudera Manager AD account to use the encryption types configured in the previous step.
- Click Save Changes to commit the changes.
Moving Kerberos Principals to Another OU Within Active Directory
- Create the new OU on the Active Directory Server.
- Use AD's Delegate Control wizard to set the permissions on the new OU such that the configured Cloudera Manager admin account has the ability to Create, Delete and Manage User Accounts within this OU.
- Stop the cluster.
- Stop the Cloudera Management Service.
- In Active Directory, move all the Cloudera Manager and CDH components' user accounts to the new OU.
- Go to Cloudera Manager and go to .
- Go to the Kerberos Credentials tab and click Configuration.
- Select .
- Select .
- Locate the Active Directory Suffix property and edit the value to reflect the new OU name.
- Click Save Changes to commit the changes.
Viewing and Regenerating Kerberos Credentials Using Cloudera Manager (MIT and AD)
- Select .
- The currently configured Kerberos principals are displayed under the Kerberos Credentials tab. If you are running HDFS, the hdfs/hostname and host/hostname principals are listed. If you are running MapReduce, the mapred/hostname and host/hostname principals are listed. The principals for other running services are also listed.
- Only if necessary, select the principals you want to regenerate.
- Click Regenerate.
Running the Security Inspector
- Select .
- Click Security Inspector. Cloudera Manager begins several tasks to inspect the managed hosts.
- After the inspection completes, click Download Result Data or Show Inspector Results to review the results.