Documentation
  • Products
  • Services & Support
  • Solutions

Cloudera Enterprise 5.15.x | Other versions

Cloudera SecurityAuthenticationConfiguring Authentication for Cloudera NavigatorCloudera Navigator and External Authentication
View All Categories
  • Cloudera Introduction
    • Cloudera Personas
    • CDH Overview
      • Hive Overview
      • Apache Impala Overview
      • Cloudera Search Overview
        • Understanding Cloudera Search
        • Cloudera Search and Other Cloudera Components
        • Cloudera Search Architecture
        • Cloudera Search Tasks and Processes
      • Apache Kudu Overview
      • Apache Sentry Overview
      • Apache Spark Overview
      • External Documentation
    • Cloudera Manager 5 Overview
      • Cloudera Manager Admin Console
        • Cloudera Manager Admin Console Home Page
        • Displaying Cloudera Manager Documentation
        • Automatic Logout
      • Cloudera Manager API
        • Using the Cloudera Manager API for Cluster Automation
      • Extending Cloudera Manager
    • Cloudera Navigator Data Management
      • Getting Started with Cloudera Navigator
      • Cloudera Navigator Frequently Asked Questions
    • Cloudera Navigator Data Encryption
      • Cloudera Navigator Key Trustee Server Overview
      • Cloudera Navigator Key HSM Overview
      • Cloudera Navigator HSM KMS Overview
      • Cloudera Navigator Encrypt Overview
    • Frequently Asked Questions About Cloudera Software
    • Getting Support
  • Cloudera Release Notes
  • Requirements and Supported Versions
  • Cloudera QuickStart VM
  • Cloudera Manager
    • Managing Software Installation Using Cloudera Manager
      • Parcels
    • Cloudera Manager 5 Frequently Asked Questions
  • Installation Guide
    • Before You Install
      • Storage Space Planning for Cloudera Manager
      • Configure Network Names
      • Required Privileges
      • Required Tomcat Directories
      • Ports
        • Cloudera Manager and Navigator
        • Navigator Encryption
        • CDH Components
        • Impala
        • Search
        • DistCp
        • Third-Party Components
        • Flume and Solr
      • Recommended Role Distribution
      • Custom Installation Solutions
        • Using an Internal Parcel Repository
        • Using an Internal Package Repository
        • Manually Install Cloudera Software Packages
        • Installing Cloudera Software Using Tarballs
        • Creating Virtual Images of Cluster Hosts
        • Configuring a Custom Java Home Location
        • Creating a CDH Cluster Using a Cloudera Manager Template
        • Configuring Single User Mode
    • Installing Cloudera Manager and CDH
      • Step 1: Configure a Repository
      • Step 2: Install JDK
      • Step 3: Install Cloudera Manager Server
      • Step 4: Install Databases
        • Install and Configure MariaDB
        • Install and Configure MySQL
        • Install and Configure PostgreSQL
        • Install and Configure Oracle Database
        • Configuring an External Database for Sqoop 2
      • Step 5: Set up the Cloudera Manager Database
      • Step 6: Install CDH and Other Software
      • Step 7: Set Up a Cluster
    • Installing Navigator Data Management
    • Installing Navigator Encryption
      • Installing Cloudera Navigator Key Trustee Server
      • Installing Cloudera Navigator Key HSM
      • Installing Key Trustee KMS
      • Installing Navigator HSM KMS Backed by Thales HSM
      • Installing Navigator HSM KMS Backed by Luna HSM
      • Installing Cloudera Navigator Encrypt
    • After Installation
      • Deploying Clients
      • Testing the Installation
      • Installing the GPL Extras Parcel
      • Migrating from Packages to Parcels
      • Migrating from Parcels to Packages
    • Troubleshooting Installation Problems
    • Uninstalling Cloudera Software
      • Uninstalling a CDH Component From a Single Host
  • Upgrade Guide
  • CLI Installation Guide
    • Before You Install
      • Required Privileges
      • Enable an NTP Service
      • Configuring Network Names
      • Setting SELinux mode
      • Disabling the Firewall
      • Impala Requirements
    • Installing Unmanaged CDH
      • Step 1: Configure a Repository
      • Step 2: Install JDK
      • Step 3: Install Databases
        • Install and Configure MariaDB
        • Install and Configure MySQL
        • Install and Configure PostgreSQL
        • Install and Configure Oracle Database
      • Step 4: Install CDH Packages
      • Step 5: Set Up a CDH Cluster
        • ZooKeeper
        • HDFS
        • MapReduce v2 with YARN
        • MapReduce v1
        • Crunch Installation
        • Flume
        • HBase
        • Hive
        • HCatalog
        • Impala
        • HttpFS
        • Hue
        • Kafka
        • KMS
        • Kudu
        • Mahout
        • Oozie
        • Pig
        • Search
        • Sentry
        • Spark
        • Sqoop
        • Sqoop 2
        • Whirr
      • Step 5: Configure CDH Daemons to Run at Startup
    • Uninstalling CDH Components
    • Viewing the Apache Hadoop Documentation
  • Proof-of-Concept Installation Guide
    • Before You Begin
    • Installing a Proof-of-Concept Cluster
      • Step 1: Run the Cloudera Manager Installer
      • Step 2: Install CDH Using the Wizard
      • Step 3: Set Up a Cluster
    • Managing the Embedded Database
    • Migrating Embedded PostgreSQL Database
  • CLI Upgrade Guide
    • Upgrading Unmanaged CDH Using the Command Line
      • Upgrading from an Earlier CDH 5 Release to the Latest Release
        • Before Upgrading to the Latest Release of CDH
        • Upgrading from CDH 5.4.0 or Higher to the Latest Release
        • Upgrading from a Release Lower than CDH 5.4.0 to the Latest Release
        • Upgrading Unmanaged CDH Components
          • Upgrading Hive
          • Upgrading Impala
          • Upgrading Kudu
          • Upgrading Apache Mahout
          • Upgrading Sqoop 2
          • Upgrading Whirr
      • Migrating from MapReduce (MRv1) to MapReduce (MRv2)
  • Cloudera Administration
    • Managing CDH and Managed Services
      • Managing CDH and Managed Services Using Cloudera Manager
        • Configuration Overview
          • Modifying Configuration Properties Using Cloudera Manager
          • Modifying Configuration Properties (Classic Layout)
          • Autoconfiguration
          • Custom Configuration
          • Stale Configurations
          • Client Configuration Files
          • Viewing and Reverting Configuration Changes
          • Exporting and Importing Cloudera Manager Configuration
        • Managing Clusters
          • Adding and Deleting Clusters
          • Starting, Stopping, Refreshing, and Restarting a Cluster
          • Pausing a Cluster in AWS
          • Renaming a Cluster
          • Cluster-Wide Configuration
          • Moving a Host Between Clusters
        • Managing Services
          • Adding a Service
          • Comparing Configurations for a Service Between Clusters
          • Add-on Services
          • Starting, Stopping, and Restarting Services
          • Rolling Restart
          • Aborting a Pending Command
          • Deleting Services
          • Renaming a Service
          • Configuring Maximum File Descriptors
          • Exposing Hadoop Metrics to Graphite
          • Exposing Hadoop Metrics to Ganglia
        • Managing Roles
          • Role Instances
          • Role Groups
        • Managing Hosts
          • Viewing Host Details
          • Using the Host Inspector
          • Adding a Host to the Cluster
          • Specifying Racks for Hosts
          • Host Templates
          • Performing Maintenance on a Cluster Host
            • Tuning and Troubleshooting Host Decommissioning
            • Maintenance Mode
          • Deleting Hosts
        • Cloudera Manager Configuration Properties
      • Managing Individual Services
        • Managing the HBase Service
        • Managing HDFS
          • NameNodes
            • Backing Up and Restoring HDFS Metadata
            • Moving NameNode Roles
            • Sizing NameNode Heap Memory
            • Backing Up and Restoring NameNode Metadata
          • DataNodes
            • Configuring Storage Directories for DataNodes
            • Configuring Storage Balancing for DataNodes
            • Performing Disk Hot Swap for DataNodes
          • JournalNodes
          • Configuring Short-Circuit Reads
          • Configuring HDFS Trash
          • HDFS Balancers
          • Enabling WebHDFS
          • Adding HttpFS
          • Adding and Configuring an NFS Gateway
          • Setting HDFS Quotas
          • Configuring Mountable HDFS
          • Configuring Centralized Cache Management in HDFS
          • Configuring Proxy Users to Access HDFS
          • Using CDH with Isilon Storage
          • Configuring Heterogeneous Storage in HDFS
        • Managing Hive
        • Managing Hue
          • Adding a Hue Service and Role Instance
          • Managing Hue Analytics Data Collection
          • Enabling Hue Applications Using Cloudera Manager
        • Managing Impala
          • Modifying Impala Startup Options
          • The Impala Service
          • Post-Installation Configuration for Impala
          • Configuring Impala to Work with ODBC
          • Configuring Impala to Work with JDBC
        • Managing Key-Value Store Indexer
        • Managing Kudu
        • Using and Managing Oozie
        • Managing Solr
        • Managing Spark
          • Managing Spark Using Cloudera Manager
          • Managing Spark Standalone Using the Command Line
          • Managing the Spark History Server
        • Managing the Sqoop 1 Client
        • Managing Sqoop 2
        • Managing YARN (MRv2) and MapReduce (MRv1)
          • Managing YARN
          • Managing YARN ACLs
          • Managing MapReduce
          • Migrating from MapReduce (MRv1) to MapReduce (MRv2)
        • Managing ZooKeeper
        • Configuring Services to Use the GPL Extras Parcel
    • Performance Management
      • Optimizing Performance in CDH
      • Choosing and Configuring Data Compression
      • Tuning the Solr Server
      • Tuning Spark Applications
      • Tuning YARN
    • Resource Management
      • Static Service Pools
        • Linux Control Groups (cgroups)
      • Dynamic Resource Pools
      • YARN (MRv2) and MapReduce (MRv1) Schedulers
        • Configuring the Fair Scheduler
        • Enabling and Disabling Fair Scheduler Preemption
      • Resource Management for Impala
        • Admission Control and Query Queuing
        • Managing Impala Admission Control
      • Data Storage for Monitoring Data
      • Cluster Utilization Reports
        • Creating a Custom Cluster Utilization Report
    • High Availability
      • HDFS High Availability
        • Introduction to HDFS High Availability
        • Configuring Hardware for HDFS HA
        • Enabling HDFS HA
        • Disabling and Redeploying HDFS HA
        • Configuring Other CDH Components to Use HDFS HA
        • Administering an HDFS High Availability Cluster
        • Changing a Nameservice Name for Highly Available HDFS Using Cloudera Manager
      • MapReduce (MRv1) and YARN (MRv2) High Availability
        • YARN (MRv2) ResourceManager High Availability
        • Work Preserving Recovery for YARN Components
        • MapReduce (MRv1) JobTracker High Availability
      • Cloudera Navigator Key Trustee Server High Availability
      • Enabling Key Trustee KMS High Availability
      • Enabling Navigator HSM KMS High Availability
      • High Availability for Other CDH Components
        • HBase High Availability
          • HBase Read Replicas
        • Oozie High Availability
        • Search High Availability
      • Configuring Cloudera Manager for High Availability With a Load Balancer
        • Introduction to Cloudera Manager Deployment Architecture
        • Prerequisites for Setting up Cloudera Manager High Availability
        • Cloudera Manager Failover Protection
        • High-Level Steps to Configure Cloudera Manager High Availability
          • Step 1: Setting Up Hosts and the Load Balancer
          • Step 2: Installing and Configuring Cloudera Manager Server for High Availability
          • Step 3: Installing and Configuring Cloudera Management Service for High Availability
          • Step 4: Automating Failover with Corosync and Pacemaker
        • Database High Availability Configuration
        • TLS and Kerberos Configuration for Cloudera Manager High Availability
    • Backup and Disaster Recovery
      • Port Requirements for Backup and Disaster Recovery
      • Data Replication
        • Designating a Replication Source
        • HDFS Replication
          • Monitoring the Performance of HDFS Replications
        • Hive/Impala Replication
          • Monitoring the Performance of Hive/Impala Replications
        • Replicating Data to Impala Clusters
        • Using Snapshots with Replication
        • Enabling Replication Between Clusters with Kerberos Authentication
        • Replication of Encrypted Data
        • HBase Replication
      • Snapshots
        • Cloudera Manager Snapshot Policies
        • Managing HBase Snapshots
        • Managing HDFS Snapshots
      • BDR Tutorials
        • How To Back Up and Restore Apache Hive Data Using Cloudera Enterprise BDR
        • How To Back Up and Restore HDFS Data Using Cloudera Enterprise BDR
        • BDR Automation Examples
    • Backing Up Databases
    • Cloudera Manager Administration
      • Starting, Stopping, and Restarting the Cloudera Manager Server
      • Configuring Cloudera Manager Server Ports
      • Moving the Cloudera Manager Server to a New Host
      • Managing the Cloudera Manager Server Log
      • Cloudera Manager Agents
        • Starting, Stopping, and Restarting Cloudera Manager Agents
        • Configuring Cloudera Manager Agents
        • Managing Cloudera Manager Agent Logs
      • Changing Hostnames
      • Configuring Network Settings
      • Alerts
        • Managing Alerts
          • Configuring Alert Email Delivery
          • Configuring Alert SNMP Delivery
          • Configuring Custom Alert Scripts
      • Managing Licenses
      • Sending Usage and Diagnostic Data to Cloudera
      • Exporting and Importing Cloudera Manager Configuration
      • Backing up Cloudera Manager
      • Other Cloudera Manager Tasks and Settings
      • Cloudera Management Service
    • Cloudera Navigator Administration
    • Accessing Storage Using Amazon S3
      • Configuring the Amazon S3 Connector
        • Using S3 Credentials with YARN, MapReduce, or Spark
      • Using Fast Upload with Amazon S3
      • Configuring and Managing S3Guard
      • How to Configure a MapReduce Job to Access S3 with an HDFS Credstore
    • Accessing Storage Using Microsoft ADLS
      • Configuring ADLS Access Using Cloudera Manager
      • Configuring ADLS Connectivity for CDH
    • How To Create a Multitenant Enterprise Data Hub
  • CLI Admin Guide
    • Managing CDH Using the Command Line
      • Starting CDH Services Using the Command Line
        • Configuring init to Start Hadoop System Services
      • Stopping CDH Services Using the Command Line
      • Maintaining a ZooKeeper Server
      • Migrating Data between Clusters Using distcp
        • Copying Cluster Data Using DistCp
        • Copying Data between a Secure and an Insecure Cluster using DistCp and WebHDFS
        • Post-migration Verification
      • Decommissioning DataNodes Using the Command Line
  • Cloudera Navigator Data Management
    • Overview
      • Cloudera Navigator Console
      • Data Stewardship Dashboard
    • Auditing
      • Using Audit Events to Understand Cluster Activity
      • Exploring Audit Data
      • Cloudera Navigator Audit Event Reports
    • Metadata
      • Defining Properties for Managed Metadata
      • Adding and Editing Metadata
      • Finding Specific Entities by Searching Metadata
      • Performing Actions on Entities
      • Using Policies to Automate Metadata Tagging
        • Metadata Policy Expressions
    • Lineage Diagrams
      • Using the Lineage View
      • Using Lineage to Display Table Schema
      • Generating Lineage Diagrams
    • Administration (Navigator Console)
      • Administering Navigator User Roles
      • Managing Metadata Storage with Purge
    • Navigator Configuration and Management
      • Accessing Navigator Data Management Logs
      • Backing Up Cloudera Navigator Data
      • Authentication and Authorization
      • Configuring Cloudera Navigator to work with Hue HA
      • Encryption (TLS/SSL) and Cloudera Navigator
      • Limiting Sensitive Data in Navigator Logs
      • Preventing Concurrent Logins from the Same User
      • Navigator Audit Server Management
        • Setting Up Navigator Audit Server
        • Enabling Audit and Log Collection for Services
        • Configuring Audit Properties
        • Monitoring Navigator Audit Service Health
        • Publishing Audit Events
        • Maintaining Navigator Audit Server
      • Navigator Metadata Server Management
        • Setting Up Navigator Metadata Server
        • Navigator Metadata Server Tuning
        • Hive and Impala Lineage Configuration
        • Configuring and Managing Extraction
        • Configuring the Server for Policy Messages
    • Cloudera Navigator and the Cloud
      • Using Cloudera Navigator with Altus Clusters
        • Configuring Extraction for Altus Clusters on AWS
      • Using Cloudera Navigator with Amazon S3
        • Configuring Extraction for Amazon S3
    • Cloudera Navigator APIs
      • Navigator APIs Overview
      • Applying Metadata to HDFS and Hive Entities using the API
      • Using the Purge APIs for Metadata Maintenance Tasks
    • Cloudera Navigator Reference
      • Lineage Diagram Icons
      • Search Syntax and Properties
      • Service Audit Events
      • Service Metadata Entity Types
      • User Roles and Privileges Reference
    • Troubleshooting Navigator Data Management
  • Cloudera Operation
    • Monitoring and Diagnostics
      • Introduction to Cloudera Manager Monitoring
        • Time Line
        • Health Tests
        • Cloudera Manager Admin Console Home Page
        • Viewing Charts for Cluster, Service, Role, and Host Instances
        • Configuring Monitoring Settings
      • Monitoring Clusters
      • Monitoring Multiple CDH Deployments Using the Multi Cloudera Manager Dashboard
        • Installing and Managing the Multi Cloudera Manager Dashboard
        • Using the Multi Cloudera Manager Status Dashboard
      • Monitoring Services
        • Monitoring Service Status
        • Viewing Service Status
        • Viewing Service Instance Details
        • Viewing Role Instance Status
          • The Processes Tab
        • Running Diagnostic Commands for Roles
        • Periodic Stacks Collection
        • Viewing Running and Recent Commands
        • Monitoring Resource Management
      • Monitoring Hosts
        • Host Details
        • Host Inspector
      • Monitoring Activities
        • Monitoring MapReduce Jobs
          • Viewing and Filtering MapReduce Activities
          • Viewing the Jobs in a Pig, Oozie, or Hive Activity
          • Task Attempts
          • Viewing Activity Details in a Report Format
          • Comparing Similar Activities
          • Viewing the Distribution of Task Attempts
        • Monitoring Impala Queries
          • Query Details
        • Monitoring YARN Applications
        • Monitoring Spark Applications
      • Events
      • Triggers
        • Cloudera Manager Trigger Use Cases
      • Lifecycle and Security Auditing
      • Charting Time-Series Data
        • Dashboards
        • tsquery Language
        • Metric Aggregation
      • Logs
        • Viewing the Cloudera Manager Server Log
        • Viewing the Cloudera Manager Agent Logs
        • Managing Disk Space for Log Files
      • Reports
        • Directory Usage Report
        • Disk Usage Reports
        • Activity, Application, and Query Reports
        • The File Browser
        • Downloading HDFS Directory Access Permission Reports
      • Troubleshooting Cluster Configuration and Operation
    • Cloudera Manager Entity Types
    • Cloudera Manager Entity Type Attributes
    • Cloudera Manager Events
      • LOG_MESSAGE Category
      • SYSTEM Category
      • ACTIVITY_EVENT Category
      • AUDIT_EVENT Category
      • HBASE Category
      • HEALTH_CHECK Category
    • Cloudera Manager Health Tests
      • Active Database Health Tests
      • Active Key Trustee Server Health Tests
      • Activity Monitor Health Tests
      • Alert Publisher Health Tests
      • Beeswax Server Health Tests
      • Cloudera Management Service Health Tests
      • DataNode Health Tests
      • Event Server Health Tests
      • Failover Controller Health Tests
      • Flume Health Tests
      • Flume Agent Health Tests
      • Garbage Collector Health Tests
      • HBase Health Tests
      • HBase REST Server Health Tests
      • HBase Thrift Server Health Tests
      • HDFS Health Tests
      • History Server Health Tests
      • Hive Health Tests
      • Hive Metastore Server Health Tests
      • HiveServer2 Health Tests
      • Host Health Tests
      • Host Monitor Health Tests
      • HttpFS Health Tests
      • Hue Health Tests
      • Hue Server Health Tests
      • Impala Health Tests
      • Impala Catalog Server Health Tests
      • Impala Daemon Health Tests
      • Impala Llama ApplicationMaster Health Tests
      • Impala StateStore Health Tests
      • JobHistory Server Health Tests
      • JobTracker Health Tests
      • JournalNode Health Tests
      • Kafka Health Tests
      • Kafka Broker Health Tests
      • Kafka MirrorMaker Health Tests
      • Kerberos Ticket Renewer Health Tests
      • Key Management Server Health Tests
      • Key Management Server Proxy Health Tests
      • Key-Value Store Indexer Health Tests
      • Lily HBase Indexer Health Tests
      • Load Balancer Health Tests
      • Logger Health Tests
      • MapReduce Health Tests
      • Master Health Tests
      • Monitor Health Tests
      • NFS Gateway Health Tests
      • NameNode Health Tests
      • Navigator Audit Server Health Tests
      • Navigator HSM KMS Metastore Health Tests
      • Navigator HSM KMS Proxy Health Tests
      • Navigator Metadata Server Health Tests
      • NodeManager Health Tests
      • Oozie Health Tests
      • Oozie Server Health Tests
      • Passive Database Health Tests
      • Passive Key Trustee Server Health Tests
      • RegionServer Health Tests
      • Reports Manager Health Tests
      • ResourceManager Health Tests
      • SecondaryNameNode Health Tests
      • Sentry Health Tests
      • Sentry Server Health Tests
      • Service Monitor Health Tests
      • Solr Health Tests
      • Solr Server Health Tests
      • Spark Health Tests
      • Spark (Standalone) Health Tests
      • Spark 2 Health Tests
      • Sqoop 2 Health Tests
      • Sqoop 2 Server Health Tests
      • Tablet Server Health Tests
      • TaskTracker Health Tests
      • Telemetry Publisher Health Tests
      • Tracer Health Tests
      • WebHCat Server Health Tests
      • Worker Health Tests
      • YARN (MR2 Included) Health Tests
      • ZooKeeper Health Tests
      • ZooKeeper Server Health Tests
    • Cloudera Manager Metrics
      • Accumulo Metrics
      • Accumulo 1.4 Metrics
      • Active Database Metrics
      • Active Key Trustee Server Metrics
      • Activity Metrics
      • Activity Monitor Metrics
      • Agent Metrics
      • Alert Publisher Metrics
      • Attempt Metrics
      • Beeswax Server Metrics
      • Cloudera Management Service Metrics
      • Cloudera Manager Server Metrics
      • Cluster Metrics
      • DataNode Metrics
      • Directory Metrics
      • Disk Metrics
      • Event Server Metrics
      • Failover Controller Metrics
      • Filesystem Metrics
      • Flume Metrics
      • Flume Channel Metrics
      • Flume Sink Metrics
      • Flume Source Metrics
      • Garbage Collector Metrics
      • HBase Metrics
      • HBase REST Server Metrics
      • HBase RegionServer Replication Peer Metrics
      • HBase Thrift Server Metrics
      • HDFS Metrics
      • HDFS Cache Directive Metrics
      • HDFS Cache Pool Metrics
      • HRegion Metrics
      • HTable Metrics
      • History Server Metrics
      • Hive Metrics
      • Hive Metastore Server Metrics
      • HiveServer2 Metrics
      • Host Metrics
      • Host Monitor Metrics
      • HttpFS Metrics
      • Hue Metrics
      • Hue Server Metrics
      • Impala Metrics
      • Impala Catalog Server Metrics
      • Impala Daemon Metrics
      • Impala Daemon Resource Pool Metrics
      • Impala Llama ApplicationMaster Metrics
      • Impala Pool Metrics
      • Impala Pool User Metrics
      • Impala Query Metrics
      • Impala StateStore Metrics
      • Isilon Metrics
      • Java KeyStore KMS Metrics
      • JobHistory Server Metrics
      • JobTracker Metrics
      • JournalNode Metrics
      • Kafka Metrics
      • Kafka Broker Metrics
      • Kafka Broker Topic Metrics
      • Kafka MirrorMaker Metrics
      • Kafka Replica Metrics
      • Kerberos Ticket Renewer Metrics
      • Key Management Server Metrics
      • Key Management Server Proxy Metrics
      • Key Trustee KMS Metrics
      • Key Trustee Server Metrics
      • Key-Value Store Indexer Metrics
      • Kudu Metrics
      • Kudu Replica Metrics
      • Lily HBase Indexer Metrics
      • Load Balancer Metrics
      • Logger Metrics
      • MapReduce Metrics
      • Master Metrics
      • Monitor Metrics
      • NFS Gateway Metrics
      • NameNode Metrics
      • Navigator Audit Server Metrics
      • Navigator HSM KMS Metastore Metrics
      • Navigator HSM KMS Proxy Metrics
      • Navigator HSM KMS backed by SafeNet Luna HSM Metrics
      • Navigator HSM KMS backed by Thales HSM Metrics
      • Navigator Metadata Server Metrics
      • Network Interface Metrics
      • NodeManager Metrics
      • Oozie Metrics
      • Oozie Server Metrics
      • Passive Database Metrics
      • Passive Key Trustee Server Metrics
      • RegionServer Metrics
      • Reports Manager Metrics
      • ResourceManager Metrics
      • SecondaryNameNode Metrics
      • Sentry Metrics
      • Sentry Server Metrics
      • Server Metrics
      • Service Monitor Metrics
      • Solr Metrics
      • Solr Replica Metrics
      • Solr Server Metrics
      • Solr Shard Metrics
      • Spark Metrics
      • Spark (Standalone) Metrics
      • Spark 2 Metrics
      • Sqoop 1 Client Metrics
      • Sqoop 2 Metrics
      • Sqoop 2 Server Metrics
      • Tablet Server Metrics
      • TaskTracker Metrics
      • Telemetry Publisher Metrics
      • Time Series Table Metrics
      • Tracer Metrics
      • User Metrics
      • WebHCat Server Metrics
      • Worker Metrics
      • YARN (MR2 Included) Metrics
      • YARN Pool Metrics
      • YARN Pool User Metrics
      • ZooKeeper Metrics
      • Disabling Metrics for Specific Roles
  • Cloudera Security
    • Cloudera Security Overview
      • Authentication Overview
      • Encryption Overview
        • Encryption Mechanisms
      • Authorization Overview
      • Auditing and Data Governance
    • Authentication
      • Kerberos Security Artifacts Overview
      • Configuring Authentication in Cloudera Manager
        • Cloudera Manager User Accounts
        • Configuring External Authentication for Cloudera Manager
        • Enabling Kerberos Authentication Using the Wizard
          • Step 1: Install Cloudera Manager and CDH
          • Step 2: Installing JCE Policy File for AES-256 Encryption
          • Step 3: Create the Kerberos Principal for Cloudera Manager Server
          • Step 4: Enabling Kerberos Using the Wizard
          • Step 5: Create the HDFS Superuser
          • Step 6: Get or Create a Kerberos Principal for Each User Account
          • Step 7: Prepare the Cluster for Each User
          • Step 8: Verify that Kerberos Security is Working
          • Step 9: (Optional) Enable Authentication for HTTP Web Consoles for Hadoop Roles
        • Kerberos Authentication for Single User Mode and Non-Default Users
        • Customizing Kerberos Principals
        • Managing Kerberos Credentials Using Cloudera Manager
        • Using a Custom Kerberos Keytab Retrieval Script
        • Adding Trusted Realms to the Cluster
        • Using Auth-to-Local Rules to Isolate Cluster Users
      • Configuring Authentication for Cloudera Navigator
        • Cloudera Navigator and External Authentication
          • Configuring Cloudera Navigator for Active Directory
          • Configuring Cloudera Navigator for LDAP
          • Configuring Cloudera Navigator for SAML
        • Configuring Groups for Cloudera Navigator
      • Configuring Authentication in CDH Using the Command Line
        • Enabling Kerberos Authentication for Hadoop Using the Command Line
          • Step 1: Install CDH 5
          • Step 2: Verify User Accounts and Groups in CDH 5 Due to Security
          • Step 3: If you are Using AES-256 Encryption, Install the JCE Policy File
          • Step 4: Create and Deploy the Kerberos Principals and Keytab Files
          • Step 5: Shut Down the Cluster
          • Step 6: Enable Hadoop Security
          • Step 7: Configure Secure HDFS
          • Optional Step 8: Configuring Security for HDFS High Availability
          • Optional Step 9: Configure secure WebHDFS
          • Optional Step 10: Configuring a secure HDFS NFS Gateway
          • Step 11: Set Variables for Secure DataNodes
          • Step 12: Start up the NameNode
          • Step 12: Start up a DataNode
          • Step 14: Set the Sticky Bit on HDFS Directories
          • Step 15: Start up the Secondary NameNode (if used)
          • Step 16: Configure Either MRv1 Security or YARN Security
            • Configuring MRv1 Security
            • Configuring YARN Security
        • FUSE Kerberos Configuration
        • Using kadmin to Create Kerberos Keytab Files
        • Hadoop Users (user:group) and Kerberos Principals
        • Mapping Kerberos Principals to Short Names
      • Configuring Authentication for Other Components
        • Flume Authentication
          • Configuring Kerberos for Flume Sinks
          • Configuring Kerberos for Flume Thrift Source and Sink Using Cloudera Manager
          • Configuring Kerberos for Flume Thrift Source and Sink Using the Command Line
          • Flume Account Requirements
          • Testing the Flume HDFS Sink Configuration
          • Writing to a Secure HBase Cluster
          • Using Substitution Variables with Flume for Kerberos Artifacts
        • HBase Authentication
          • Configuring Kerberos Authentication for HBase
          • Configuring Secure HBase Replication
          • Configuring the HBase Client TGT Renewal Period
        • HCatalog Authentication
        • Hive Authentication
          • HiveServer2 Security Configuration
          • Hive Metastore Server Security Configuration
          • Using Hive to Run Queries on a Secure HBase Server
        • HttpFS Authentication
        • Hue Authentication
          • Configuring Kerberos Authentication for Hue
          • Enable Hue to Use Kerberos for Authentication
        • Impala Authentication
          • Enabling Kerberos Authentication for Impala
          • Enabling LDAP Authentication for Impala
          • Using Multiple Authentication Methods with Impala
          • Configuring Impala Delegation for Hue and BI Tools
        • Llama Authentication
        • Configuring Oozie Authentication
          • Configuring Kerberos Authentication for the Oozie Server
          • Configuring Oozie HA with Kerberos
        • Solr Authentication
          • Using Kerberos with Solr
        • Spark Authentication
          • Configuring Spark on YARN for Long-Running Applications
        • Sqoop 2 Authentication
        • Sqoop 1, Pig, and Whirr Security
        • ZooKeeper Authentication
      • Configuring a Dedicated MIT KDC for Cross-Realm Trust
      • Integrating MIT Kerberos and Active Directory
    • Authorization
      • Cloudera Manager User Roles
      • HDFS Extended ACLs
      • Authorization for HDFS Web UIs
      • Configuring LDAP Group Mappings
      • Authorization With Apache Sentry
      • Configuring HBase Authorization
    • Encrypting Data in Transit
      • Understanding Keystores and Truststores
      • Configuring TLS Encryption for Cloudera Manager
      • Configuring TLS/SSL Encryption for CDH Services
        • Configuring TLS/SSL for HDFS, YARN and MapReduce
        • Configuring TLS/SSL for HBase
        • Configuring TLS/SSL for Flume Thrift Source and Sink
        • Configuring Encrypted Communication Between HiveServer2 and Client Drivers
        • Configuring TLS/SSL for Hue
        • Configuring TLS/SSL for Impala
        • Configuring TLS/SSL for Oozie
        • Configuring TLS/SSL for Solr
        • Spark Encryption
        • Configuring TLS/SSL for HttpFS
        • Encrypted Shuffle and Encrypted Web UIs
      • Configuring TLS/SSL for Navigator Audit Server
      • Configuring TLS/SSL for Navigator Metadata Server
      • Configuring TLS/SSL for Kafka (Navigator Event Broker)
      • Configuring Encrypted Transport for HDFS
      • Configuring Encrypted Transport for HBase
    • Encrypting Data at Rest
      • Data at Rest Encryption Reference Architecture
      • Data at Rest Encryption Requirements
      • Resource Planning for Data at Rest Encryption
      • HDFS Transparent Encryption
        • Optimizing Performance for HDFS Transparent Encryption
        • Enabling HDFS Encryption Using the Wizard
        • Managing Encryption Keys and Zones
        • Configuring the Key Management Server (KMS)
        • Securing the Key Management Server (KMS)
          • Configuring KMS Access Control Lists (ACLs)
        • Migrating from a Key Trustee KMS to an HSM KMS
        • Migrating Keys from a Java KeyStore to Cloudera Navigator Key Trustee Server
        • Configuring CDH Services for HDFS Encryption
    • Cloudera Navigator Key Trustee Server
      • Backing Up and Restoring Key Trustee Server and Clients
      • Initializing Standalone Key Trustee Server
      • Configuring a Mail Transfer Agent for Key Trustee Server
      • Verifying Cloudera Navigator Key Trustee Server Operations
      • Managing Key Trustee Server Organizations
      • Managing Key Trustee Server Certificates
    • Cloudera Navigator Key HSM
      • Initializing Navigator Key HSM
      • HSM-Specific Setup for Cloudera Navigator Key HSM
      • Validating Key HSM Settings
      • Managing the Navigator Key HSM Service
      • Integrating Key HSM with Key Trustee Server
    • Cloudera Navigator Encrypt
      • Registering Cloudera Navigator Encrypt with Key Trustee Server
      • Preparing for Encryption Using Cloudera Navigator Encrypt
      • Encrypting and Decrypting Data Using Cloudera Navigator Encrypt
      • Migrating eCryptfs-Encrypted Data to dm-crypt
      • Navigator Encrypt Access Control List
      • Maintaining Cloudera Navigator Encrypt
    • Configuring Encryption for Data Spills
      • Configuring Encrypted On-disk File Channels for Flume
    • Impala Security Overview
      • Security Guidelines for Impala
      • Securing Impala Data and Log Files
      • Installation Considerations for Impala Security
      • Securing the Hive Metastore Database
      • Securing the Impala Web User Interface
    • Kudu Security Overview
    • Security How-To Guides
      • Add Root and Intermediate CAs to Truststore for TLS/SSL
      • Amazon S3 Security
      • Authenticate Kerberos Principals Using Java
      • Check Cluster Security Settings
      • Configure Antivirus Software on CDH Hosts
      • Configure Browser-based Interfaces to Require Authentication (SPNEGO)
      • Configure Browsers for Kerberos Authentication (SPNEGO)
      • Configure Cluster to Use Kerberos Authentication
      • Convert DER, JKS, PEM Files for TLS/SSL Artifacts
      • Configure Authentication for Amazon S3
      • Configure Encryption for Amazon S3
      • Configure AWS Credentials
      • Enable Sensitive Data Redaction
      • Log a Security Support Case
      • Obtain and Deploy Keys and Certificates for TLS/SSL
      • Renew and Redistribute Certificates
      • Set Up a Gateway Node to Restrict Access to the Cluster
      • Set Up Access to Cloudera EDH or Altus Director (Microsoft Azure Marketplace)
      • Use Self-Signed Certificates for TLS
    • Troubleshooting Security Issues
      • Error Messages
      • Authentication and Kerberos Issues
      • HDFS Encryption Issues
      • Key Trustee KMS Encryption Issues
      • TLS/SSL Issues
      • YARN, MRv1, and Linux OS Security
        • TaskController Error Codes (MRv1)
        • ContainerExecutor Error Codes (YARN)
  • File Formats and Compression
    • Parquet
    • Avro
    • Data Compression
    • Snappy Compression
  • Flume Guide
    • Configuring
      • Configuring the Flume Properties File
      • Files Installed by the Flume RPM and Debian Packages
      • Configuring Flume Security with Kafka
    • Using & Managing
      • Running Flume
      • Supported Sources, Sinks, and Channels
      • Viewing the Flume Documentation
  • HBase Guide
    • Configuring
      • Starting HBase in Standalone Mode
      • Configuring HBase in Pseudo-Distributed Mode
      • Deploying HBase on a Cluster
      • Accessing HBase by using the HBase Shell
      • Configuring HBase Online Merge
      • Using MapReduce with HBase
      • Configuring HBase Garbage Collection
      • Configuring the HBase Canary
      • Configuring the Blocksize for HBase
      • Configuring the HBase BlockCache
      • Configuring the HBase Scanner Heartbeat
      • Limiting the Speed of Compactions
      • Configuring and Using the HBase REST API
      • Configuring HBase MultiWAL Support
      • Storing Medium Objects (MOBs) in HBase
      • Configuring the Storage Policy for the Write-Ahead Log (WAL)
    • Managing
      • Starting and Stopping HBase
        • Starting and Stopping HBase Using the Command Line
      • Accessing HBase by using the HBase Shell
      • Using HBase Command-Line Utilities
      • Checking and Repairing HBase Tables
      • Hedged Reads
      • Reading Data from HBase
      • HBase Filtering
      • Writing Data to HBase
      • Importing Data Into HBase
      • Exposing HBase Metrics to a Ganglia Server
      • Using HashTable and SyncTable Tool
    • Security
    • Troubleshooting
  • Hive Guide
    • Installation and Upgrade
    • Configuring
      • Configuring Hive Metastore
      • Configuring HiveServer2
      • Starting the Metastore
      • File System Permissions
      • Starting, Stopping, & Using HS2
      • Starting HS1 and Hive CLI (deprecated)
      • Using Hive w/HBase
      • Using Schema Tool
      • Installing JDBC Driver on Clients
      • Setting HADOOP_MAPRED_HOME
      • Configuring HMS for HDFS HA
    • Using & Managing
      • Managing Hive with Cloudera Manager
      • Ingesting & Querying Data
      • Running Hive on Spark
      • Using HS2 Web UI
      • Accessing Table Statistics
      • Managing UDFs
      • Hive ETL Jobs on S3
      • Hive with Amazon RDS
      • Hive with ADLS
    • Tuning
      • Tuning Hive on Spark
      • Tuning Hive on S3
      • Configuring Metastore HA
      • Configuring HS2 HA
    • Data Replication
    • Security
    • HCatalog
      • HCatalog Prerequisites
      • Configuration Change on Hosts Used with HCatalog
      • Accessing Table Information with the HCatalog Command-line API
      • Accessing Table Data with MapReduce
      • Accessing Table Data with Pig
      • Accessing Table Information with REST
      • Viewing the HCatalog Documentation
    • Troubleshooting
  • Hue
    • Hue Versions
    • Installation & Upgrade
    • Using
      • Enable SQL Editor Autocompleter
      • Use Governance-Based Data Discovery
      • Use S3 as Source or Sink in Hue
    • Administration
      • Configuring
      • Customize Hue Web UI
      • Enable Governance-Based Data Discovery
      • Enable S3 Cloud Storage
      • Run Shell Commands
      • Connecting a Database
        • Connect to MySQL or MariaDB
        • Connect to PostgreSQL
        • Connect to Oracle (Parcel)
        • Connect to Oracle (Package)
        • Custom Database Tutorial
      • Migrate the Database
      • Populate the Database
    • Performance Tuning
      • Add Load Balancer
      • Configure High Availability
      • Hue/HDFS High Availability
    • Security
      • User Permissions
      • Create Password Scripts
      • Authenticate Users with LDAP
      • Synchronize with LDAP Server
      • Authenticate Users with SAML
      • Authorize Groups with Sentry
    • Troubleshooting
      • Potential Misconfiguration
      • Unable to connect to database with provided credential
      • Unable to view Snappy-compressed files
      • “Unknown Attribute Name” exception while enabling SAML
      • Invalid query handle
      • Services backed by Postgres fail or hang
      • Downloading query results from Hue takes long time
      • Bad status: 3 (PLAIN auth failed: Error validating LDAP user)
  • Impala Guide
    • Concepts and Architecture
      • Components
      • Developing Applications
      • Role in the Hadoop Ecosystem
    • Deployment Planning
      • Impala Requirements
      • Designing Schemas
    • Tutorials
    • Administration
      • How to Configure Resource Management for Impala
      • Setting Timeouts
      • Load-Balancing Proxy for HA
      • Managing Disk Space
      • Auditing
      • Viewing Lineage Info
    • SQL Reference
      • Comments
      • Data Types
        • ARRAY Complex Type (CDH 5.5 or higher only)
        • BIGINT
        • BOOLEAN
        • CHAR
        • DECIMAL
        • DOUBLE
        • FLOAT
        • INT
        • MAP Complex Type (CDH 5.5 or higher only)
        • REAL
        • SMALLINT
        • STRING
        • STRUCT Complex Type (CDH 5.5 or higher only)
        • TIMESTAMP
        • TINYINT
        • VARCHAR
        • Complex Types (CDH 5.5 or higher only)
      • Literals
      • SQL Operators
      • Schema Objects and Object Names
        • Aliases
        • Databases
        • Functions
        • Identifiers
        • Tables
        • Views
      • SQL Statements
        • DDL Statements
        • DML Statements
        • ALTER TABLE
        • ALTER VIEW
        • COMPUTE STATS
        • CREATE DATABASE
        • CREATE FUNCTION
        • CREATE ROLE
        • CREATE TABLE
        • CREATE VIEW
        • DELETE
        • DESCRIBE
        • DROP DATABASE
        • DROP FUNCTION
        • DROP ROLE
        • DROP STATS
        • DROP TABLE
        • DROP VIEW
        • EXPLAIN
        • GRANT
        • INSERT
        • INVALIDATE METADATA
        • LOAD DATA
        • REFRESH
        • REFRESH FUNCTIONS
        • REVOKE
        • SELECT
          • Joins
          • ORDER BY Clause
          • GROUP BY Clause
          • HAVING Clause
          • LIMIT Clause
          • OFFSET Clause
          • UNION Clause
          • Subqueries
          • TABLESAMPLE Clause
          • WITH Clause
          • DISTINCT Operator
        • SET
          • Query Options for the SET Statement
            • ABORT_ON_DEFAULT_LIMIT_EXCEEDED
            • ABORT_ON_ERROR
            • ALLOW_UNSUPPORTED_FORMATS
            • APPX_COUNT_DISTINCT
            • BATCH_SIZE
            • BUFFER_POOL_LIMIT
            • COMPRESSION_CODEC
            • COMPUTE_STATS_MIN_SAMPLE_SIZE
            • DEBUG_ACTION
            • DECIMAL_V2
            • DEFAULT_JOIN_DISTRIBUTION_MODE
            • DEFAULT_ORDER_BY_LIMIT
            • DEFAULT_SPILLABLE_BUFFER_SIZE
            • DISABLE_CODEGEN
            • DISABLE_CODEGEN_ROWS_THRESHOLD
            • DISABLE_ROW_RUNTIME_FILTERING
            • DISABLE_STREAMING_PREAGGREGATIONS
            • DISABLE_UNSAFE_SPILLS
            • ENABLE_EXPR_REWRITES
            • EXEC_SINGLE_NODE_ROWS_THRESHOLD
            • EXEC_TIME_LIMIT_S
            • EXPLAIN_LEVEL
            • HBASE_CACHE_BLOCKS
            • HBASE_CACHING
            • IDLE_SESSION_TIMEOUT
            • LIVE_PROGRESS
            • LIVE_SUMMARY
            • MAX_ERRORS
            • MAX_IO_BUFFERS
            • MAX_NUM_RUNTIME_FILTERS
            • MAX_ROW_SIZE
            • MAX_SCAN_RANGE_LENGTH
            • MEM_LIMIT
            • MIN_SPILLABLE_BUFFER_SIZE
            • MT_DOP
            • NUM_NODES
            • NUM_SCANNER_THREADS
            • OPTIMIZE_PARTITION_KEY_SCANS
            • PARQUET_COMPRESSION_CODEC
            • PARQUET_ANNOTATE_STRINGS_UTF8
            • PARQUET_ARRAY_RESOLUTION
            • PARQUET_DICTIONARY_FILTERING
            • PARQUET_FALLBACK_SCHEMA_RESOLUTION
            • PARQUET_FILE_SIZE
            • PARQUET_READ_STATISTICS
            • PREFETCH_MODE
            • QUERY_TIMEOUT_S
            • REQUEST_POOL
            • REPLICA_PREFERENCE
            • RUNTIME_BLOOM_FILTER_SIZE
            • RUNTIME_FILTER_MAX_SIZE
            • RUNTIME_FILTER_MIN_SIZE
            • RUNTIME_FILTER_MODE
            • RUNTIME_FILTER_WAIT_TIME_MS
            • S3_SKIP_INSERT_STAGING
            • SCAN_NODE_CODEGEN_THRESHOLD
            • SCHEDULE_RANDOM_REPLICA
            • SCRATCH_LIMIT
            • SUPPORT_START_OVER
            • SYNC_DDL
        • SHOW
        • TRUNCATE TABLE
        • UPDATE
        • UPSERT
        • USE
        • VALUES
        • Optimizer Hints
      • Built-In Functions
        • Mathematical Functions
        • Bit Functions
        • Type Conversion Functions
        • Date and Time Functions
        • Conditional Functions
        • String Functions
        • Miscellaneous Functions
        • Aggregate Functions
          • APPX_MEDIAN
          • AVG
          • COUNT
          • GROUP_CONCAT
          • MAX
          • MIN
          • NDV
          • STDDEV, STDDEV_SAMP, STDDEV_POP
          • SUM
          • VARIANCE, VARIANCE_SAMP, VARIANCE_POP, VAR_SAMP, VAR_POP
        • Analytic Functions
      • User-Defined Functions (UDFs)
      • SQL Differences Between Impala and Hive
      • Porting SQL
    • The Impala Shell
      • Configuration Options
      • Connecting to impalad
      • Running Commands and SQL Statements
      • Command Reference
    • Performance Tuning
      • Performance Best Practices
      • Join Performance
      • Table and Column Statistics
      • Benchmarking
      • Controlling Resource Usage
      • Runtime Filtering
      • HDFS Caching
      • Testing Impala Performance
      • EXPLAIN Plans and Query Profiles
      • HDFS Block Skew
    • Scalability Considerations
      • Scaling Limits and Guidelines
      • Dedicated Coordinators
    • Partitioning
    • File Formats
      • Text Data Files
      • Parquet Data Files
      • Avro Data Files
      • RCFile Data Files
      • SequenceFile Data Files
    • Using Impala to Query Kudu Tables
    • HBase Tables
    • S3 Tables
      • Configure with Cloudera Manager
      • Configure from Command Line
    • ADLS Tables
    • Isilon Storage
    • Logging
    • Troubleshooting Impala
      • Web User Interface
      • Breakpad Minidumps
    • Ports Used by Impala
    • Impala Reserved Words
    • Impala Frequently Asked Questions
  • Kudu Guide
    • Concepts and Architecture
    • Usage Limitations
    • Installation and Upgrade
    • Configuration
    • Administration
    • Developing Applications with Kudu
    • Using Apache Impala with Kudu
    • Schema Design
    • Transaction Semantics
    • Background Tasks
    • Scaling Guide
    • Troubleshooting
    • More Resources
  • Oozie Guide
    • Configuration
      • Configuring Oozie
      • Configuring an External Database for Oozie
      • Oozie High Availability
      • Configuring Oozie to Use HDFS HA
      • Configuring Oozie Authentication
      • Using Sqoop Actions with Oozie
      • Configuring Oozie to Enable MapReduce Jobs To Read/Write from Amazon S3
      • Configuring Oozie to Enable MapReduce Jobs To Read/Write from Microsoft Azure (ADLS)
    • Using and Managing Oozie
      • Starting, Stopping, and Accessing the Oozie Server
      • Adding the Oozie Service Using Cloudera Manager
      • Redeploying the Oozie ShareLib
      • Configuring Oozie Data Purge Settings Using Cloudera Manager
      • Dumping and Loading an Oozie Database Using Cloudera Manager
      • Adding Schema to Oozie Using Cloudera Manager
      • Enabling the Oozie Web Console
      • Enabling Oozie SLA with Cloudera Manager
      • Setting the Oozie Database Timezone
      • Scheduling in Oozie Using Cron-like Syntax
  • Search Guide
    • Deployment Planning for Cloudera Search
      • Schemaless Mode
    • Deploying Cloudera Search
      • Using Search through a Proxy for High Availability
      • Using Custom JAR Files with Search
    • Cloudera Search Tutorial
      • Validating the Cloudera Search Deployment
      • Preparing to Index Sample Tweets with Cloudera Search
      • Using MapReduce Batch Indexing to Index Sample Tweets
      • Near Real Time (NRT) Indexing Tweets Using Flume
      • Using Hue with Cloudera Search
    • Cloudera Search Security
    • Managing Cloudera Search
      • Managing Cloudera Search Configuration
      • Managing Collections in Cloudera Search
      • solrctl Reference
      • Example solrctl Usage
      • Migrating Solr Replicas
      • Backing Up and Restoring Cloudera Search
    • ETL With Cloudera Morphlines
      • Example Morphline Usage
    • Indexing Data
      • NRT Indexing
        • Flume NRT Indexing
          • Flume MorphlineSolrSink Configuration Options
          • Flume MorphlineInterceptor Configuration Options
          • Flume Solr UUIDInterceptor Configuration Options
          • Flume Solr BlobHandler Configuration Options
          • Flume Solr BlobDeserializer Configuration Options
        • Lily HBase NRT Indexing
          • Using the Lily HBase NRT Indexer Service
          • Configuring Lily HBase Indexer Security
      • Batch Indexing
        • Spark Indexing
        • MapReduce Indexing
          • MapReduceIndexerTool
          • Lily HBase Batch Indexing
          • HdfsFindTool
    • Cloudera Search Frequently Asked Questions
    • Troubleshooting Cloudera Search
      • Static Solr Log Analysis
  • Sentry Guide
    • Before You Install Sentry
    • Installing and Upgrading the Sentry Service
    • Configuring
      • Migrating from Sentry Policy Files to the Sentry Service
      • Sentry High Availability
      • Enabling Sentry Authorization for Impala
      • Configuring Sentry Authorization for Cloudera Search
    • Using & Managing
      • Synchronizing HDFS ACLs and Sentry Permissions
      • Hive SQL Syntax for Use with Sentry
      • Using the Sentry Web Server
      • Sentry Debugging and Failure Scenarios
    • Policy File Authorization
      • Installing and Upgrading Sentry for Policy File Authorization
      • Configuring Sentry Policy File Authorization Using Cloudera Manager
      • Configuring Sentry Policy File Authorization Using the Command Line
    • Troubleshooting
    • How-To Guides
      • Enabling High Availability
      • Verify HDFS ACL Sync
      • Managing Table Access in Hue
  • Spark Guide
    • Running Your First Spark Application
    • Spark Application Overview
    • Developing Spark Applications
      • Developing and Running a Spark WordCount Application
      • Using Spark Streaming
      • Using Spark SQL
      • Using Spark MLlib
      • Accessing External Storage
        • Accessing Data Stored in Amazon S3 through Spark
        • Accessing Data Stored in Azure Data Lake Store (ADLS) through Spark
        • Accessing Avro Data Files From Spark SQL Applications
        • Accessing Parquet Files From Spark SQL Applications
      • Building Spark Applications
      • Configuring Spark Applications
    • Running Spark Applications
      • Running Spark Applications on YARN
      • Using PySpark
        • Running Spark Python Applications
        • Spark and IPython and Jupyter Notebooks
      • Tuning Spark Applications
    • Spark and Hadoop Integration
      • Building and Running a Crunch Application with Spark
  • Cloudera Glossary

Configuring Cloudera Navigator for SAML

Cloudera Navigator supports SAML (Security Assertion Markup Language), an XML-based open standard data format for exchanging authentication and authorization details between identity providers and service providers. One of the main benefits of SAML is that it enables Single Sign-on (SSO) for browser-based clients, such as the Cloudera Navigator console. That means that you can integrate Cloudera Navigator with SSO solutions such as Shibboleth or CA Single Sign-On (formerly, SiteMinder).
Note: Not all SAML identity providers are interoperable. Cloudera Navigator has been tested with Shibboleth and CA Single Sign-On.

Continue reading:

  • Overview of SAML and SSO
  • Preparing Files
  • Configuring the Navigator Metadata Server
  • Configuring the Identity Provider
  • Testing Cloudera Navigator and the SSO Setup
  • Bypassing SAML SSO

Overview of SAML and SSO

The steps below assume you have a functioning SAML IDP already deployed. Here is a brief summary of some of the high level details as background to the configuration tasks:

  • An identity provider or IDP is one of the main functions provided by an organization's SAML/SSO solution. The IDP provides identity assertions (tokens) to service providers that want to identify users when those users request access. service.
  • A service provider or SP, such as Cloudera Navigator, protects itself from unauthorized access by checking the identity of users requesting the service against the IDP. When the SP gets back the assertion from the IDP, the service gives the requesting user the level of access for that user.
  • The service's users or principals obtain access to the SP when they open their browsers to the URL of the service. Transparently to users, the SP—Cloudera Navigator, but specifically the web service hosted on the Navigator Metadata Server—sends an authentication request to the IDP through the user agent (browser) and obtains an identity assertion back from the IDP.
There are two properties that control whether the SSO process is initiated from the IDP or the SP (Navigator):
  • SAML Login URL nav.saml.login.url
  • Skip Authorization Check nav.auth.skip_saml_auth_check (set in Navigator Metadata Server Advanced Configuration Snippet (Safety Valve) for cloudera-navigator.properties)
As shown in the following table, when SAML authentication is enabled, the default Navigator login URL always produces a service-provider initiated SSO process (SP initiated SSO); in this process, users log into the Navigator login page and Navigator sends the authentication request to the identity provider. Specifying a SAML Login URL produces an identity provider-initiated SSO process (IdP initiated SSO); in this process, users log into the identity provider's login page and are redirected to the Navigator console and logged in.
SAML Login URL Property Skip Authorization Check Property No addition to the login URL (/) /login.html /locallogin.html
Set True SP initiated SSO IdP initiated SSO Login page
Set False SP initiated SSO IdP initiated SSO IdP initiated SSO
Not set True SP initiated SSO SP initiated SSO Login page
Not set False SP initiated SSO SP initiated SSO SP initiated SSO

See the OASIS SAML Wiki for more information about SAML.

Preparing Files

You must obtain the following files and information and provide to Cloudera Navigator:

  • A Java keystore containing a private key for Cloudera Navigator to use to sign/encrypt SAML messages.
  • The SAML metadata XML file from your IDP. This file must contain the public certificates needed to verify the sign/encrypt key used by your IDP per the SAML Metadata Interoperability Profile.
  • The entity ID that should be used to identify the Navigator Metadata Server instance.
  • How the user ID is passed in the SAML authentication response:
    • As an attribute. If so, what identifier is used.
    • As the NameID.
  • The method by which the Cloudera Navigator role will be established:
    • From an attribute in the authentication response:
      • What identifier will be used for the attribute
      • What values will be passed to indicate each role
    • From an external script that will be called for each use:
      • The script takes user ID as $1
      • The script must assign an exit code to reflect successful authentication of the assigned role:
        • 0 - Full Administrator
        • 1 - User Administrator
        • 2 - Auditing Viewer
        • 4 - Lineage Viewer
        • 8 - Metadata Administrator
        • 16 - Policy Viewer
        • 32 - Policy Administrator
        • 64 - Custom Metadata Administrator
        • A negative value is returned for a failure to authenticate
        To assign more than one role, add the numbers for the roles. For example, to assign the Policy Viewer and User Administrator roles, the exit code should be 17.

Configuring the Navigator Metadata Server

  1. Select Clusters > Cloudera Management Service.
  2. Click the Configuration tab.
  3. Select Navigator Metadata Server from the Scope filter.
  4. Select External Authentication from the Category filter.
  5. Type SAML in the Search box to display only the SAML relevant settings.
  6. Enter the values for the properties in the table based on your SAML implementation.
    Property Description and usage note
    Authentication Backend Order Set to External then Cloudera Manager.
    External Authentication Type SAML
    Path to SAML IDP Metadata File Set to the location (complete path) of the metadata file obtained from the IDP.
    Path to SAML Keystore File Path to the Java keystore file containing the Cloudera Navigator private key (prepared above).
    SAML Keystore Password Enter the SAML keystore password.
    Alias of SAML Sign/Encrypt Private Key Enter the alias used to identify the private key for Cloudera Navigator to use.
    SAML Sign/Encrypt Private Key Password Enter the password for the sign/encrypt private key.
    SAML Entity ID Default setting is clouderaNavigator. Leave set to the default unless more than one Cloudera Navigator instance is using the same IDP. Each Cloudera Navigator instance needs a unique entity ID as assigned by organizational policy.
    SAML Entity Base URL  
    SAML Response Binding HTTP-Artifact (selected by default), or HTTP-Post
    SAML Login URL (IDP-initiated SSO only) If your IDP does not support SP-initiated SSO (very uncommon), specify the user login URL for the IDP.
    Source of User ID in SAML Response Attribute (selected by default), or NameID—Specifies the source of the user ID, an attribute or NameID. For attribute, also set the attribute name in the SAML Attribute Identifier for User ID property.
    SAML Attribute Identifier for User ID urn:oid:0.9.2342.19200300.100.1.1 (Default) The standard object identifier (OID) for user IDs. This setting is used only when Source of User ID in SAML Response specifies Attribute.
    SAML Role Assignment Mechanism Attribute (selected by default), or Script—Specifies how user roles are assigned to authenticated user:
    • Attribute—Set the SAML Attribute Identifier for User Role and the SAML Attribute Values for Roles properties.
    • Script—A binary or shell script executable that assigns user roles. Set the path to the executable in Path to SAML Role Assignment Script.
    SAML Attribute Identifier for User Role urn:oid:2.5.4.11 (Default) The standard OID typically used for OrganizationalUnits. Can be left to this setting.
    SAML Attribute Values for Roles Set the attribute values that will be used to indicate the user roles. For more than one role, the attribute can return comma-separated values, such as "role1, role2".
    Path to SAML Role Assignment Script Path to executable (binary or shell script) that assigns Cloudera Navigator user roles upon authentication. Required when SAML Role Assignment Mechanism specifies Script.
  7. Click Save Changes.
  8. Restart the Navigator Metadata Server role.

Configuring the Identity Provider

After Cloudera Navigator restarts, attempted logins to Cloudera Navigator are redirected to the identity provider's login page. Authentication cannot succeed until the IDP is configured for Cloudera Navigator. The configuration details are specific to the IDP, but in general you must download the SAML file from your Cloudera Navigator instance and perform the other steps below.

  1. Download Cloudera Navigator's SAML metadata XML file from your Cloudera Navigator instance: 
    http://hostname:7187/saml/metadata
  2. Inspect the metadata file and ensure that any URLs contained in the file can be resolved by users’ web browsers. The IDP will redirect web browsers to these URLs at various points in the process. If the browser cannot resolve them, authentication will fail. If the URLs are incorrect, you can manually fix the XML file or set the SAML Entity Base URL property in the Navigator Metadata Server configuration to the correct value, and then re-download the file.
  3. Provide this metadata file to your IDP using whatever mechanism your IDP provides.
  4. Ensure that the IDP has access to whatever public certificates are necessary to validate the private key that was provided by Cloudera Navigator earlier.
  5. Ensure that the IDP is configured to provide the User ID and Role using the attribute names that Cloudera Navigator was configured to expect, if relevant.
  6. Ensure the changes to the IDP configuration have taken effect (a restart may be necessary).

Testing Cloudera Navigator and the SSO Setup

  1. Return to the Cloudera Navigator home page at: http://hostname:7187/.
  2. Attempt to log in with credentials for a user that is entitled. The authentication should complete and you should see the Home page.
  3. If authentication fails, you will see an IDP provided error message. Cloudera Navigator is not involved in this part of the process, and you must ensure the IDP is working correctly to complete the authentication.
  4. If authentication succeeds but the user is not authorized to use Cloudera Navigator, they will be taken to an error page that explains the situation. If a user who should be authorized sees this error, then you will need to verify their role configuration, and ensure that it is being properly communicated to the Navigator Metadata Server, whether by attribute or external script. The Cloudera Navigator log will provide details on failures to establish a user’s role. If any errors occur during role mapping, Cloudera Navigator will assume the user is unauthorized.

Bypassing SAML SSO

The SAML-based SSO can be bypassed by accessing the Cloudera Navigator login page directly:

http://fqdn-1.example.com:7187/locallogin.html

You can turn off this bypass by setting the Skip Authorization Check property (nav.auth.skip_saml_auth_check) in the Navigator Metadata Server Advanced Configuration Snippet (Safety Valve) for cloudera-navigator.properties.

Categories: Authentication | Authorization | Configuring | Data Management | Navigator | SAML | Security | All Categories

Configuring Cloudera Navigator for LDAP
Configuring Groups for Cloudera Navigator
  • About Cloudera
  • Resources
  • Contact
  • Careers
  • Press
  • Documentation

United States: +1 888 789 1488
Outside the US: +1 650 362 0488

© 2021 Cloudera, Inc. All rights reserved. Apache Hadoop and associated open source project names are trademarks of the Apache Software Foundation. For a complete list of trademarks, click here.

If this documentation includes code, including but not limited to, code examples, Cloudera makes this available to you under the terms of the Apache License, Version 2.0, including any required notices. A copy of the Apache License Version 2.0 can be found here.

Terms & Conditions  |  Privacy Policy

Page generated February 4, 2021.