Enabling Kerberos Authentication for Hadoop Using the Command Line
Kerberos security in CDH 5 has been tested with the following version of MIT Kerberos 5:
- krb5-1.6.1 on Red Hat Enterprise Linux 5 and CentOS 5
Kerberos security in CDH 5 is supported with the following versions of MIT Kerberos 5:
- krb5-1.6.3 on SUSE Linux Enterprise Server (SLES) 11 Service Pack 1
- krb5-1.8.1 on Ubuntu
- krb5-1.8.2 on Red Hat Enterprise Linux 6 and CentOS 6
- krb5-1.9 on Red Hat Enterprise Linux 6.1
If you want to enable Kerberos SPNEGO-based authentication for the Hadoop web interfaces, see the Hadoop Auth, Java HTTP SPNEGO Documentation.
Here are the general steps to configuring secure Hadoop, each of which is described in more detail in the following sections:
- Step 1: Install CDH 5
- Step 2: Verify User Accounts and Groups in CDH 5 Due to Security
- Step 3: If you are Using AES-256 Encryption, Install the JCE Policy File
- Step 4: Create and Deploy the Kerberos Principals and Keytab Files
- Step 5: Shut Down the Cluster
- Step 6: Enable Hadoop Security
- Step 7: Configure Secure HDFS
- Optional Step 8: Configuring Security for HDFS High Availability
- Optional Step 9: Configure secure WebHDFS
- Optional Step 10: Configuring a secure HDFS NFS Gateway
- Step 11: Set Variables for Secure DataNodes
- Step 12: Start up the NameNode
- Step 12: Start up a DataNode
- Step 14: Set the Sticky Bit on HDFS Directories
- Step 15: Start up the Secondary NameNode (if used)
- Step 16: Configure Either MRv1 Security or YARN Security