Cloudera CDP and Kerberos - stanislawbartkowski/wikis GitHub Wiki

Cloudera on Active Directory

https://docs.cloudera.com/cdp-private-cloud-base/7.1.3/security-kerberos-authentication/topics/cm-security-kerberos-enabling-step4-kerberos-wizard.html

Prerequisites

Make necessary changes in Active Directory. More information: https://github.com/stanislawbartkowski/wikis/wiki/HDP-2.6.5-3.1-and-Active-Directory

HDFS superuser

https://docs.cloudera.com/cdp-private-cloud-base/7.1.3/security-kerberos-authentication/topics/cm-security-kerberos-enabling-step5-create-hdfs-superuser.html

After Kerberization, HDFS no longer trusts the local OS identity, so sudo -u hdfs ... is not enough to run privileged HDFS commands: the NameNode authenticates the caller by its Kerberos ticket, and the hdfs service principal's keytab is not available to an interactive shell. The solution is to define an alternative HDFS superuser group and create an equivalent Kerberos (Active Directory) account that belongs to it.

Assume hdfsadmin is the new HDFS superuser group and uhdfs is the new HDFS superuser account.

Cloudera Manager console: Cluster -> HDFS -> Configuration -> Security -> Superuser Group. Enter hdfsadmin, save, and restart all impacted services.

In Active Directory: create the hdfsadmin security group and the uhdfs user, and add uhdfs to the hdfsadmin group.

From the Linux shell, make sure that the change is visible. If it is not, invalidate the SSSD cache and check again: sss_cache -U clears cached users, sss_cache -G clears cached groups, sss_cache -E clears everything (a new group membership usually needs -G or -E, not only -U).

id uhdfs

uid=1603201939(uhdfs) gid=1603200513(domain users) groups=1603200513(domain users),1603201941(hdfsadmin)

hdfs groups asks the NameNode for its view of the user-to-group mapping, so it must list hdfsadmin as well. If id shows the group but hdfs groups does not, the NameNode host still has a stale SSSD cache: clear it there too and wait for the Hadoop groups cache (hadoop.security.groups.cache.secs, 300 seconds by default) to expire.

hdfs groups uhdfs

uhdfs : domain users hdfsadmin

Run a simple test. Creating a directory directly under / requires superuser rights, so a successful mkdir proves that the mapping works.

kinit uhdfs
hdfs dfs -mkdir /test
hdfs dfs -rmdir /test
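The checks above can be scripted so that the two views of the group (SSSD on the client host via id, and the NameNode via hdfs groups) are compared before the privilege is exercised. The script below is an added example and is not part of the wiki page or of Cloudera's tooling; the user name uhdfs and group name hdfsadmin are the values assumed above and can be overridden through the SUPERUSER and SUPERUSER_GROUP environment variables. The sample outputs in the comments are the ones shown on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki): verify the alternative HDFS superuser
# mapping. The superuser group must be visible twice:
#   - locally, from SSSD, via `id USER` or `id -Gn USER`
#   - through Hadoop's group mapping, via `hdfs groups USER` (resolved on the NameNode)
# If only the first is true, the NameNode still holds a stale group list.
set -eu

SUPERUSER_GROUP="${SUPERUSER_GROUP:-hdfsadmin}"  # CM: HDFS > Configuration > Superuser Group
SUPERUSER="${SUPERUSER:-uhdfs}"

# Strip the "user : " prefix that `hdfs groups USER` prints, keeping the group list.
#   "uhdfs : domain users hdfsadmin"  ->  "domain users hdfsadmin"
hdfs_group_list() {
  printf '%s\n' "$1" | sed 's/^[^:]*: *//'
}

# Return 0 if GROUP appears as a whole word in LIST. Whole-word matching means
# "hdfs" does not match inside "hdfsadmin", and it also works on raw `id`
# output such as "groups=1603200513(domain users),1603201941(hdfsadmin)".
has_group() {
  local group="$1" list="$2"
  printf '%s\n' "$list" | grep -qwF -- "$group"
}

# Compare both views. ID_OUT is the output of `id USER` (or `id -Gn USER`),
# HDFS_OUT the output of `hdfs groups USER`. Prints a diagnosis and returns 0
# only when both agree that USER belongs to GROUP.
check_superuser_mapping() {
  local user="$1" group="$2" id_out="$3" hdfs_out="$4"
  local local_ok=1 hadoop_ok=1
  if has_group "$group" "$id_out"; then local_ok=0; fi
  if has_group "$group" "$(hdfs_group_list "$hdfs_out")"; then hadoop_ok=0; fi

  if [ "$local_ok" -eq 0 ] && [ "$hadoop_ok" -eq 0 ]; then
    echo "OK: $user is in $group both locally and in the Hadoop group mapping"
    return 0
  fi
  if [ "$local_ok" -ne 0 ]; then
    echo "FAIL: $user is not in $group on this host; check AD membership, then sss_cache -E" >&2
  fi
  if [ "$hadoop_ok" -ne 0 ]; then
    echo "FAIL: NameNode does not map $user to $group; clear the SSSD cache on the NameNode host" >&2
    echo "      and wait for hadoop.security.groups.cache.secs to expire before re-checking" >&2
  fi
  return 1
}

# Live mode: query this host and the NameNode, then exercise the privilege.
#   SUPERUSER=uhdfs SUPERUSER_GROUP=hdfsadmin ./check_hdfs_superuser.sh --live
if [ "${1:-}" = "--live" ]; then
  check_superuser_mapping "$SUPERUSER" "$SUPERUSER_GROUP" \
    "$(id "$SUPERUSER")" "$(hdfs groups "$SUPERUSER")"
  kinit "$SUPERUSER"          # prompts for the AD password
  hdfs dfs -mkdir /test       # only an HDFS superuser may create a directory under /
  hdfs dfs -rmdir /test
  echo "OK: privileged mkdir/rmdir under / succeeded as $SUPERUSER"
fi
```

Run it with --live on a cluster host after kinit-capable credentials are available; without --live it only defines the functions, which is convenient for checking captured output from another host.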

/etc/krb5.conf

If krb5.conf is not managed by Cloudera, make sure that /etc/krb5.conf is properly configured on every host.

The [realms] section lists the hostnames or IP addresses of the KDC and admin servers for each realm. Important: make sure that the realm block is not empty; with an empty block the client cannot locate the KDC and every kinit and Hadoop service logon fails.

INCORRECT:

FYRE.NET = {
 }

CORRECT:

FYRE.NET = {
        kdc = verse1.fyre.ibm.com
        admin_server = verse1.fyre.ibm.com
 }

The keyring credential cache must be disabled: comment out (or remove) the default_ccache_name line so that tickets go to the default FILE: cache (/tmp/krb5cc_<uid>). The Java Kerberos libraries used by Hadoop clients cannot read a KEYRING: cache, so with it enabled kinit succeeds but hdfs and other clients still report that no valid credentials were found.

# default_ccache_name = KEYRING:persistent:%{uid}
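Both mistakes described in this section (an empty realm block and an active KEYRING credential cache) can be caught with a small lint before services are restarted. The script below is an added example, not part of the wiki page or of Cloudera's tooling; it takes the krb5.conf path and the realm name (FYRE.NET on this page) as arguments, and the two constructed configuration fragments it is tested with mirror the INCORRECT and CORRECT examples above.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki): lint an unmanaged krb5.conf for the two
# problems described on this page.
#   check_krb5_conf /etc/krb5.conf FYRE.NET
set -eu

# Print the body of the "REALM = { ... }" block found in the [realms] section.
# Prints nothing if the realm has no block or the block is empty.
realm_block() {
  local file="$1" realm="$2"
  awk -v realm="$realm" '
    /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); next }
    in_realms && !in_block && /=[[:space:]]*[{]/ {
      name = $0
      sub(/^[[:space:]]*/, "", name); sub(/[[:space:]]*=.*$/, "", name)
      if (name == realm) in_block = 1
      next
    }
    in_block && /^[[:space:]]*[}]/ { exit }
    in_block                       { print }
  ' "$file"
}

# Return 0 if the realm block names at least one kdc and one admin_server.
realm_has_servers() {
  local body
  body="$(realm_block "$1" "$2")"
  printf '%s\n' "$body" | grep -Eq '^[[:space:]]*kdc[[:space:]]*=' &&
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*admin_server[[:space:]]*='
}

# Return 0 if no active (uncommented) default_ccache_name points at KEYRING.
# A commented-out line, as on this page, is fine.
ccache_is_not_keyring() {
  ! grep -Eq '^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*KEYRING' "$1"
}

# Run both checks and return 0 only if both pass.
check_krb5_conf() {
  local file="$1" realm="$2" rc=0
  [ -r "$file" ] || { echo "FAIL: cannot read $file" >&2; return 2; }
  if realm_has_servers "$file" "$realm"; then
    echo "OK: [realms] $realm lists kdc and admin_server"
  else
    echo "FAIL: [realms] $realm has no kdc/admin_server entries (empty realm block)" >&2
    rc=1
  fi
  if ccache_is_not_keyring "$file"; then
    echo "OK: default_ccache_name does not use KEYRING"
  else
    echo "FAIL: default_ccache_name uses KEYRING; Hadoop (Java) clients cannot read it" >&2
    rc=1
  fi
  return "$rc"
}

if [ "$#" -ge 2 ]; then
  check_krb5_conf "$1" "$2"
fi
```

The realm name comparison is exact, so pass the realm in the same upper-case form used in the file; the script reports each problem separately so that a host with only one of the two mistakes is still flagged.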

Kerberize

Collect the necessary data before starting the wizard.

| Information                        | Sample                       |
|------------------------------------|------------------------------|
| AD hostname                        | verse1.fyre.net              |
| AD realm                           | FYRE.NET                     |
| AD container                       | OU=hadoop,DC=fyre,DC=net     |
| AD account managing the container  | hadoopadmin                  |
| AD account password                | secret                       |

https://docs.cloudera.com/cdp-private-cloud-base/7.1.3/security-kerberos-authentication/topics/cm-security-kerberos-enabling-step4-kerberos-wizard.html