question Re: Cloudera Manager: enabling kerberos security with Free IPA Server in Archives of Support Questions (Read Only)

Cloudera Manager: enabling kerberos security with Free IPA Server

ebomarsi — Fri, 16 Sep 2022 10:28:21 GMT

I am trying to turn on kerberos security on my Cloudera cluster using Cloudera Manager (CM). I have an existing Kerberos KDC in my network as part of an integrated Free IPA server. I am able to create a cloudera-scm user with admin privs on the CM node, installed the keytab file, and authenticate to the CM. However, I see that when CM tries to create a principal for other Hadoop services, it fails.

I found a similar issue posted with IPA and Ambari. It seems Free IPA does not permit applications to directly access the kadmin tool. Instead the service exposes an equivalent set of ipa commands. (reference: https://www.redhat.com/archives/freeipa-users/2015-April/msg00560.html )

Looking at the CM logs, it appears to be the same issue where CM is failing on a kadmin command trying to create a prinicpal for the HDFS user. Is it possible to modify the CM kerberos interface to use the equivalent ipa commands?

Re: Cloudera Manager: enabling kerberos security with Free IPA Server

michalis — Fri, 01 Jul 2016 16:40:21 GMT

Within Cloudera Manage you could use the Custom Kerberos Keytab Retrieval Script, an example script is documented here http://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html

Re: Cloudera Manager: enabling kerberos security with Free IPA Server

bgooley — Wed, 06 Jul 2016 15:21:14 GMT

The Keytab Retrieval Script method can be used to integrate with IPA since there is no support for direct-to-IPA keytab management. See the following documentation for information: http://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html

Re: Cloudera Manager: enabling kerberos security with Free IPA Server

ebomarsi — Tue, 19 Jul 2016 22:07:03 GMT