Enabling TLS/SSL and Kerberos for a single-user Cloudera Manager setup

PrashantAgrawal — Sat, 03 Feb 2018 18:24:23 GMT

Hi,

I am setting up TLS/SSL and Kerberos on a single-user setup of Cloudera Manager. The cloudera Manager version used is 5.12 and the underlying CDH parcel is 5.11.

Kerberors setup is done using MIT KDC and TLS/SSL is configured upto Level 1. After doing this, when I restart CM, Agents and HDFS I see that the HDFS doesn't restart. The error is as below:

5:49:39.498 PM

FATAL

DataNode

Exception in secureMain
java.lang.RuntimeException: Cannot start secure DataNode without configuring either privileged resources or SASL RPC data transfer protection and SSL for HTTP.  Using privileged resources in combination with SASL RPC data transfer protection is not supported.
	at org.apache.hadoop.hdfs.server.datanode.DataNode.checkSecureConfig(DataNode.java:1333)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.startDataNode(DataNode.java:1233)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.<init>(DataNode.java:464)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.makeInstance(DataNode.java:2545)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.instantiateDataNode(DataNode.java:2432)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.createDataNode(DataNode.java:2479)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.secureMain(DataNode.java:2661)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.main(DataNode.java:2685)

After searching for a probable solution on Google, I stumbled upon a link that asks to do additional configuration for single-user seutps. The section '

Configuration for Secure Clusters' talks about the additional 4 steps to be performed.

https://www.cloudera.com/documentation/enterprise/5-11-x/topics/install_singleuser_reqts.html

I have performed the steps of HDFS with TLS but not sure what to do for the remaining two :

Do not configure the DataNode Transceiver port and HTTP Web UI port to use privileged ports.
Configure DataNode data transfer protection.

Please suggest what is the expectation for these 2 steps in single-user mode.

Thanks

Re: Enabling TLS/SSL and Kerberos for a single-user Cloudera Manager setup

bgooley — Mon, 05 Feb 2018 17:51:59 GMT

@PrashantAgrawal,

You need to either have your DataNode HTTP Web UI Port and DataNode Transceiver Port set to privileged ports or you need to do that or configure TLS to protect the HDFS connections.

If you configured Kerberos via Cloudera Manager, the wizard would have made the port changes for you.

Re: Enabling TLS/SSL and Kerberos for a single-user Cloudera Manager setup

PrashantAgrawal — Tue, 06 Feb 2018 01:51:15 GMT

Thanks for the reply. HDFS started in green after making the below changes.

DataNode HTTP Web UI Port - 50075

Secure DataNode Web UI Port (TLS/SSL) - 50475

DataNode Transceiver Port - 50010

DataNode Data Transfer Protection - Authentication

question Re: Enabling TLS/SSL and Kerberos for a single-user Cloudera Manager setup in Archives of Support Questions (Read Only)

Enabling TLS/SSL and Kerberos for a single-user Cloudera Manager setup

Re: Enabling TLS/SSL and Kerberos for a single-user Cloudera Manager setup

Re: Enabling TLS/SSL and Kerberos for a single-user Cloudera Manager setup