Cloudera CDP and Kerberos - stanislawbartkowski/wikis GitHub Wiki

Cloudera on Active Directory

https://docs.cloudera.com/cdp-private-cloud-base/7.1.3/security-kerberos-authentication/topics/cm-security-kerberos-enabling-step4-kerberos-wizard.html

Prerequisities

Make necessary changes in Active Directory. More information: https://github.com/stanislawbartkowski/wikis/wiki/HDP-2.6.5-3.1-and-Active-Directory

Create AD container for Cloudera service accounts
Create Active Directory user authorized to manage the container. https://github.com/stanislawbartkowski/wikis/wiki/HDP-2.6.5-3.1-and-Active-Directory#create-container-and-administrator-account-in-active-directory

HDFS superuser

https://docs.cloudera.com/cdp-private-cloud-base/7.1.3/security-kerberos-authentication/topics/cm-security-kerberos-enabling-step5-create-hdfs-superuser.html

After Kerberization, it is not possible to run privileged HDFS commands: sudo -u hdfs .... The solution is to define alternative HDFS superuser group and create equivalent Kerberos account.

Assume hdfsadmin group and udfs a new HDFS superuser account.

Cloudera Console->Cluster->HDFS->Configuration->Security->Superuser Group Enter: hdfsadmin and restart all services impacted.

In Active Directory: create hdfsadmin Security Group, uhdfs user and add uhdfs user to hdfsadmin group.

From Linux shell, make sure that the change is applied. If it is not, try to invalidate sssd cache: sss_cache -U

id uhdfs

uid=1603201939(uhdfs) gid=1603200513(domain users) groups=1603200513(domain users),1603201941(hdfsadmin)

hdfs groups uhdfs

uhdfs : domain users hdfsadmin

Run a simple test.

kinit uhdfs hdfs dfs -mkdir /test hdfs dfs -rmdir /test

/etc/krb5.conf

If krb5.conf is not managed by Cloudera, make sure that /etc/krb5.conf are properly configured.

The realm section contains hostnames or IP addresses for KDC and ADMIN servers. Important: make sure that this section is not empty.

INCORRECT:

FYRE.NET = {
 }

CORRECT:

FYRE.NET = {
        kdc = verse1.fyre.ibm.com
        admin_server = verse1.fyre.ibm.com
 }

Keyring credentials cache is disabled.

# default_ccache_name = KEYRING:persistent:%{uid}

Kerberize

Collect necessary data.

Information	Sample
AD hostname	verse1.fyre.net
AD realm	FYRE.NET
AD container	OU=hadoop,DC=fyre,DC=net
AD account managing the container	hadoopadmin
AD account password	secret

https://docs.cloudera.com/cdp-private-cloud-base/7.1.3/security-kerberos-authentication/topics/cm-security-kerberos-enabling-step4-kerberos-wizard.html