Llama Authentication
This section describes how to configure Llama in CDH 5 with Kerberos security in a Hadoop cluster.
Configuring Llama to Support Kerberos Security
- Create a Llama service user principal using the syntax: llama/fully.qualified.domain.name@YOUR-REALM. This principal is used to authenticate with the Hadoop cluster, where fully.qualified.domain.name is the host where Llama
is running and YOUR-REALM is the name of your Kerberos realm:
$ kadmin kadmin: addprinc -randkey llama/fully.qualified.domain.name@YOUR-REALM
- Create a keytab file with the Llama principal:
$ kadmin kadmin: xst -k llama.keytab llama/fully.qualified.domain.name
- Test that the credentials in the keytab file work. For example:
$ klist -e -k -t llama.keytab
- Copy the llama.keytab file to the Llama configuration directory. The owner of the llama.keytab file should be the llama user and the file should have owner-only read permissions.
- Edit the Llama llama-site.xml configuration file in the Llama configuration directory by setting the following properties:
Property Value llama.am.server.thrift.security true llama.am.server.thrift.kerberos.keytab.file llama/conf.keytab llama.am.server.thrift.kerberos.server.principal.name llama/fully.qualified.domain.name llama.am.server.thrift.kerberos.notification.principal.name impala - Restart Llama to make the configuration changes take effect.