Cloudera CDP and Kerberos - stanislawbartkowski/wikis GitHub Wiki
Cloudera on Active Directory
Prerequisites
Make necessary changes in Active Directory. More information: https://github.com/stanislawbartkowski/wikis/wiki/HDP-2.6.5-3.1-and-Active-Directory
- Create AD container for Cloudera service accounts
- Create Active Directory user authorized to manage the container. https://github.com/stanislawbartkowski/wikis/wiki/HDP-2.6.5-3.1-and-Active-Directory#create-container-and-administrator-account-in-active-directory
HDFS superuser
After Kerberization it is no longer possible to run privileged HDFS commands as the local hdfs user with sudo -u hdfs ..., because that OS user has no Kerberos ticket. The solution is to define an alternative HDFS superuser group and create an equivalent Kerberos (Active Directory) account that belongs to it.
Assume hdfsadmin is the new superuser group and uhdfs is the new HDFS superuser account.
Cloudera Console -> Cluster -> HDFS -> Configuration -> Security -> Superuser Group: enter hdfsadmin and restart all impacted services.
In Active Directory, create the hdfsadmin security group and the uhdfs user, and add uhdfs to the hdfsadmin group.
From the Linux shell, make sure that the change is visible both to the OS (id) and to Hadoop's group mapping (hdfs groups). If it is not, invalidate the sssd cache with sss_cache -U and check again.
```
id uhdfs
uid=1603201939(uhdfs) gid=1603200513(domain users) groups=1603200513(domain users),1603201941(hdfsadmin)
hdfs groups uhdfs
uhdfs : domain users hdfsadmin
```
Run a simple test.
```
kinit uhdfs
hdfs dfs -mkdir /test
hdfs dfs -rmdir /test
```
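The two checks above (id and hdfs groups) have to agree before the uhdfs account can stand in for sudo -u hdfs. The following script is an added example, not part of this wiki page: it parses both outputs, reports which side is missing the superuser group, and falls back to sample outputs constructed from the ones shown above when the real commands are not available. The user and group names (uhdfs, hdfsadmin) are the ones assumed on this page.

```python
"""Verify that the new HDFS superuser account is a member of the superuser
group both for the OS (sssd, as reported by `id`) and for Hadoop's group
mapping (as reported by `hdfs groups`). Added example, not part of the wiki
page; the sample outputs below are constructed from the ones shown there."""
import re
import shutil
import subprocess
import sys

# Constructed from the page's sample output.
SAMPLE_ID = ("uid=1603201939(uhdfs) gid=1603200513(domain users) "
             "groups=1603200513(domain users),1603201941(hdfsadmin)")
SAMPLE_HDFS_GROUPS = "uhdfs : domain users hdfsadmin"

GROUP_RE = re.compile(r"\d+\(([^)]*)\)")


def os_groups(id_output):
    """Group names from `id <user>` output; names may contain spaces
    because `id` encloses each one in parentheses."""
    m = re.search(r"groups=(.*)$", id_output.strip())
    if not m:
        raise ValueError("no groups= field in id output: %r" % id_output)
    return set(GROUP_RE.findall(m.group(1)))


def hadoop_group_tokens(hdfs_groups_output):
    """Tokens from `hdfs groups <user>` output ("user : g1 g2 ...").
    Hadoop separates groups with spaces, so a name containing a space
    ("domain users") is split into two tokens and cannot be recovered;
    only groups without spaces (such as hdfsadmin) can be matched here."""
    user, sep, rest = hdfs_groups_output.strip().partition(" : ")
    if not sep:
        raise ValueError("unexpected hdfs groups output: %r" % hdfs_groups_output)
    return user, rest.split()


def superuser_membership(id_output, hdfs_groups_output, user, group):
    """Return the three facts that must all be True before `kinit <user>`
    can replace `sudo -u hdfs`: the OS puts the user in the group, Hadoop's
    group mapping puts the user in the group, and the hdfs groups output
    really is for the requested user."""
    if " " in group:
        raise ValueError("cannot verify a group name containing spaces via hdfs groups")
    hadoop_user, tokens = hadoop_group_tokens(hdfs_groups_output)
    return {
        "os_member": group in os_groups(id_output),
        "hadoop_member": group in tokens,
        "user_matches": hadoop_user == user,
    }


def verify(user="uhdfs", group="hdfsadmin"):
    """Run the real commands when available; otherwise use the constructed
    samples so the script also runs on a host without a Hadoop client."""
    if shutil.which("id") and shutil.which("hdfs"):
        id_out = subprocess.check_output(["id", user], text=True)
        hg_out = subprocess.check_output(["hdfs", "groups", user], text=True)
    else:
        id_out, hg_out = SAMPLE_ID, SAMPLE_HDFS_GROUPS
    result = superuser_membership(id_out, hg_out, user, group)
    if result["os_member"] and not result["hadoop_member"]:
        # typical sign of a stale sssd cache or a different Hadoop group mapping
        print("OS sees the group but Hadoop does not: try sss_cache -U and re-check")
    return all(result.values())


if __name__ == "__main__":
    sys.exit(0 if verify(*sys.argv[1:3]) else 1)
```

Run it on a cluster node as `python3 check_superuser.py uhdfs hdfsadmin`; a non-zero exit means one of the two views still lacks the group, and the printed hint distinguishes the stale-cache case from a genuine configuration problem.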
/etc/krb5.conf
If krb5.conf is not managed by Cloudera, make sure that /etc/krb5.conf is configured properly.
The [realms] section lists the hostnames or IP addresses of the KDC and admin servers for each realm. Important: make sure that the realm block is not empty.
INCORRECT:
```
FYRE.NET = {
}
```
CORRECT:
```
FYRE.NET = {
  kdc = verse1.fyre.ibm.com
  admin_server = verse1.fyre.ibm.com
}
```
The keyring credential cache is disabled: the default_ccache_name line in [libdefaults] stays commented out.
```
# default_ccache_name = KEYRING:persistent:%{uid}
```
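Both krb5.conf problems described in this section (an empty realm block and an active KEYRING credential cache) are easy to miss by eye. The following checker is an added example, not code from this wiki: it parses the file's [section] / key = value / REALM = { ... } structure (the assumption being that this common shape is all that needs handling) and reports the two findings, using samples constructed from the snippets above.

```python
"""Check /etc/krb5.conf for the two problems this page warns about:
an empty realm block (no kdc / admin_server) and an active KEYRING
credential cache. Added example, not part of the wiki page; the parser
only covers the common krb5.conf shape ([section] headers, key = value
lines and nested `REALM = { ... }` blocks), which is an assumption."""
import re
import sys

SECTION_RE = re.compile(r"^\[([\w.-]+)\]$")
BLOCK_START_RE = re.compile(r"^([^=\s]+)\s*=\s*\{$")
KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")

# Constructed samples built from the snippets on this page.
INCORRECT_SAMPLE = """
[libdefaults]
 default_realm = FYRE.NET
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 FYRE.NET = {
 }
"""
CORRECT_SAMPLE = """
[libdefaults]
 default_realm = FYRE.NET
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 FYRE.NET = {
  kdc = verse1.fyre.ibm.com
  admin_server = verse1.fyre.ibm.com
 }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value | [values] | {nested block}}}.
    Lines starting with # or ; are comments, so a commented-out
    default_ccache_name is not seen as a setting."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("setting outside any [section]: %r" % raw)
        if line == "}":
            block = None
            continue
        m = BLOCK_START_RE.match(line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError("unparsable line: %r" % raw)
        target = section if block is None else block
        key, value = m.group(1), m.group(2).strip()
        if key in target:  # repeated keys, e.g. several kdc = lines
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    return conf


def check_krb5_conf(text):
    """Return a list of findings (an empty list means the file passes)."""
    findings = []
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    ccache = libdefaults.get("default_ccache_name", "")
    if isinstance(ccache, str) and ccache.upper().startswith("KEYRING:"):
        findings.append("default_ccache_name uses KEYRING; comment it out")

    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        # with dns_lookup_kdc the realm could still resolve, but this page
        # expects an explicit, non-empty block for the realm
        findings.append("default_realm %s has no block in [realms]" % default_realm)

    for realm, body in realms.items():
        if not isinstance(body, dict) or not body.get("kdc"):
            findings.append("[realms] %s has no kdc entry (empty realm block)" % realm)
        elif not body.get("admin_server"):
            findings.append("[realms] %s has no admin_server entry" % realm)
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.conf"
    with open(path) as fh:
        problems = check_krb5_conf(fh.read())
    print("\n".join(problems) or "%s: OK" % path)
    sys.exit(1 if problems else 0)
```

Running `python3 check_krb5.py` on a cluster node reads /etc/krb5.conf and exits non-zero with one line per finding; repeated kdc lines for a realm are collected into a list, so a realm with several KDCs passes as long as at least one is present.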
Kerberize
Collect necessary data.
| Information | Sample |
|---|---|
| AD hostname | verse1.fyre.net |
| AD realm | FYRE.NET |
| AD container | OU=hadoop,DC=fyre,DC=net |
| AD account managing the container | hadoopadmin |
| AD account password | secret |