Cloudera Community

Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
This board is archived and read-only for historical reference. To ask a new question, please post a new topic on the appropriate active board.
Solved Go to solution

Cloudera Manager: enabling kerberos security with Free IPA Server

avatar
author-rank ebomarsi
New Contributor

Created on ‎07-01-2016 07:40 AM - edited ‎09-16-2022 03:28 AM

I am trying to turn on kerberos security on my Cloudera cluster using Cloudera Manager (CM). I have an existing Kerberos KDC in my network as part of an integrated Free IPA server. I am able to create a cloudera-scm user with admin privs on the CM node, installed the keytab file, and authenticate to the CM. However, I see that when CM tries to create a principal for other Hadoop services, it fails.

I found a similar issue posted with IPA and Ambari. It seems Free IPA does not permit applications to directly access the kadmin tool. Instead the service exposes an equivalent set of ipa commands. (reference: https://www.redhat.com/archives/freeipa-users/2015-April/msg00560.html )

Looking at the CM logs, it appears to be the same issue where CM is failing on a kadmin command trying to create a prinicpal for the HDFS user. Is it possible to modify the CM kerberos interface to use the equivalent ipa commands?

6,656 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank bgooley author-rank
Master Guru

Created ‎07-06-2016 08:21 AM

The Keytab Retrieval Script method can be used to integrate with IPA since there is no support for direct-to-IPA keytab management. See the following documentation for information: http://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html

View solution in original post

6,763 Views
0 Kudos
1
3 REPLIES 3

avatar
author-rank michalis author-rank
Master Collaborator

Created ‎07-01-2016 09:40 AM

Within Cloudera Manage you could use the Custom Kerberos Keytab Retrieval Script, an example script is documented here http://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html

 

 

6,646 Views
0 Kudos

avatar
author-rank bgooley author-rank
Master Guru

Created ‎07-06-2016 08:21 AM

The Keytab Retrieval Script method can be used to integrate with IPA since there is no support for direct-to-IPA keytab management. See the following documentation for information: http://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html
6,764 Views
0 Kudos
1

avatar
author-rank ebomarsi
New Contributor

Created ‎07-19-2016 03:07 PM

The Keytab Retrieval Script method can be used to integrate with IPA since there is no support for direct-to-IPA keytab management. See the following documentation for information: http://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html
6,403 Views
0 Kudos
Announcements
What's New @ Cloudera
Product Update: Cloudera Flow Management Operator for Kubern...
What's New @ Cloudera
Product Update: Cloudera Data Flow v3.1 for Cloudera on Clou...
Community Announcements
May 2026 Community Highlights
Community Announcements
Testing the tags to new post
What's New @ Cloudera
Cloudera Real time Monitoring for 7.1.9+ and 7.2.18+ with Cl...
View More Announcements