Enabling TLS/SSL and Kerberos for a single-user Cloudera Manager setup

Hi,

 

I am setting up TLS/SSL and Kerberos on a single-user setup of Cloudera Manager. The Cloudera Manager version used is 5.12 and the underlying CDH parcel is 5.11.

 

Kerberos setup is done using MIT KDC and TLS/SSL is configured up to Level 1. After doing this, when I restart CM, Agents and HDFS, I see that HDFS doesn't restart. The error is as below:

 

5:49:39.498 PM FATAL DataNode
Exception in secureMain
java.lang.RuntimeException: Cannot start secure DataNode without configuring either privileged resources or SASL RPC data transfer protection and SSL for HTTP.  Using privileged resources in combination with SASL RPC data transfer protection is not supported.
	at org.apache.hadoop.hdfs.server.datanode.DataNode.checkSecureConfig(DataNode.java:1333)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.startDataNode(DataNode.java:1233)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.<init>(DataNode.java:464)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.makeInstance(DataNode.java:2545)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.instantiateDataNode(DataNode.java:2432)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.createDataNode(DataNode.java:2479)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.secureMain(DataNode.java:2661)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.main(DataNode.java:2685)

 

After searching for a probable solution on Google, I stumbled upon a link that asks to do additional configuration for single-user setups. The section 'Configuration for Secure Clusters' talks about the additional 4 steps to be performed.

https://www.cloudera.com/documentation/enterprise/5-11-x/topics/install_singleuser_reqts.html

 

I have performed the steps of HDFS with TLS but am not sure what to do for the remaining two:

  • Do not configure the DataNode Transceiver port and HTTP Web UI port to use privileged ports.
  • Configure DataNode data transfer protection.

 

Please suggest what is the expectation for these 2 steps in single-user mode.

 

Thanks

 


Re: Enabling TLS/SSL and Kerberos for a single-user Cloudera Manager setup

@PrashantAgrawal,

 

You need to either have your DataNode HTTP Web UI Port and DataNode Transceiver Port set to privileged ports or you need to do that or configure TLS to protect the HDFS connections.

If you configured Kerberos via Cloudera Manager, the wizard would have made the port changes for you. 


Re: Enabling TLS/SSL and Kerberos for a single-user Cloudera Manager setup

Thanks for the reply. HDFS started in green after making the below changes.

 

DataNode HTTP Web UI Port - 50075

Secure DataNode Web UI Port (TLS/SSL) - 50475

DataNode Transceiver Port - 50010

 

DataNode Data Transfer Protection - Authentication
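
The rule in the error message, applied to the settings from the post above, as an added example that is not part of the original thread or Cloudera's code. It is a simplified model of the DataNode startup check; the mapping of the Cloudera Manager labels to `hdfs-site.xml` property names and the `dfs.http.policy=HTTPS_ONLY` value are assumptions, and `check_secure_datanode` and `runs_as_root` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed hdfs-site.xml fragment using the ports and protection level from the final post.
# dfs.http.policy=HTTPS_ONLY is an assumption standing in for the HDFS TLS steps.
SAMPLE = """<configuration>
 <property><name>dfs.datanode.address</name><value>0.0.0.0:50010</value></property>
 <property><name>dfs.datanode.http.address</name><value>0.0.0.0:50075</value></property>
 <property><name>dfs.datanode.https.address</name><value>0.0.0.0:50475</value></property>
 <property><name>dfs.data.transfer.protection</name><value>authentication</value></property>
 <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
</configuration>"""

SASL_LEVELS = {"authentication", "integrity", "privacy"}

def load_props(xml_text):
    """Parse hdfs-site.xml text into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def port_of(addr):
    return int(addr.rsplit(":", 1)[1])

def check_secure_datanode(props, runs_as_root):
    """Simplified model of the rule in the error message. Returns (ok, reason)."""
    ports = [port_of(props.get("dfs.datanode.address", "0.0.0.0:50010")),
             port_of(props.get("dfs.datanode.http.address", "0.0.0.0:50075"))]
    # Binding ports below 1024 needs root, which single-user mode does not have.
    privileged = runs_as_root and all(p < 1024 for p in ports)
    levels = {v.strip() for v in props.get("dfs.data.transfer.protection", "").split(",")}
    sasl = bool(levels & SASL_LEVELS)
    https_only = props.get("dfs.http.policy", "HTTP_ONLY") == "HTTPS_ONLY"
    if privileged and sasl:
        return False, "privileged ports combined with SASL protection is not supported"
    if privileged:
        return True, "privileged ports"
    if sasl and https_only:
        return True, "SASL data transfer protection with HTTPS"
    missing = [name for name, ok in (("dfs.data.transfer.protection", sasl),
                                     ("dfs.http.policy=HTTPS_ONLY", https_only)) if not ok]
    return False, "unprivileged ports and missing: " + ", ".join(missing)

if __name__ == "__main__":
    print(check_secure_datanode(load_props(SAMPLE), runs_as_root=False))
```

Removing `dfs.data.transfer.protection` from the sample reproduces the failing state from the first post: Kerberos enabled, unprivileged ports, and no SASL protection on the data transfer channel.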

 

 
