Where does Cloudera Manager store generated keytabs and principals for Kerberos?

New Contributor

Hello

 

I have a Cloudera Manager 4.8 cluster with Kerberos enabled

 

When I configured HDFS/Hbase/Zookeeper to use Kerberos, Cloudera Manager generated all the principals and keytabs for all the services on each node

 

However, I have two unmanaged namenodes that I want to use as part of my cluster - Cloudera Manager does not know about these nodes, so it did not generate the principals and keytabs for the services on these nodes

 

I followed the steps for generating the keytabs/principals as part of the manual CDH setup, but the guide told me to move my keytabs to /etc/hadoop/conf, but there are no other keytabs in that folder

 

So I need to know where Cloudera Manager stores its generated keytabs

 

Or am I supposed to merge the manually created keytabs with the generated keytabs somehow?

 

Thanks for any help in advance

1 ACCEPTED SOLUTION

Master Collaborator

They will be in the process directory for the component. For example:

 

hive.keytab is in: 

/var/run/cloudera-scm-agent/process/*-hive_on_tez-HIVESERVER2

 


6 REPLIES

Master Collaborator

The keytabs are pushed from a database to a runtime location at startup of services. What you are describing as a configuration is not really viable from what I understand.

 

You will see /var/run/cloudera-scm-agent/process/ but this is ephemeral; the next restart will have another location.

 

You could experiment with trying to provide the manual keytabs through safety valve to the necessary services.


Todd

New Contributor

I too am having problems with keytabs when I enable Kerberos in CDH 5.1.3. I have the following in /var/run:

 

./cloudera-scm-agent/process/92-cloudera-mgmt-SERVICEMONITOR/hue.keytab

./cloudera-scm-agent/process/89-cloudera-mgmt-REPORTSMANAGER/hdfs.keytab

./cloudera-scm-agent/process/88-cloudera-mgmt-ACTIVITYMONITOR/hue.keytab

./cloudera-scm-agent/process/87-cloudera-mgmt-HOSTMONITOR/hue.keytab

 

These keytabs don't look correct.  Where does it get them from?

 

Thanks

Shailesh

Master Collaborator

Cloudera Manager passes configuration and those keytabs through the agent at startup of the CDH processes configured to run on that cluster server.

 

Those are correct keytabs to be distributed to those services.

 

The monitoring services re-use the hue keytab for their activity with cluster nodes.

 

The HDFS keytab present is for functionality within Reports Manager that requires access to HDFS information.

 

The principal names are described within the SCM management DB, as well as the merged keytabs for the roles as gathered from the credentials table.

 

Todd

New Contributor

I am getting the following error when I run the process of Enable Kerberos:

 

Command failed to run because this role has invalid configuration. Review and correct its configuration. First error: Role is missing Kerberos keytab.

The keytabs are in the /var/run directory but the 4 services fail to start due to this error. Where is this configuration located and what part of the Enable Kerberos process have I done incorrectly?

 

Thanks

Shailesh

 

New Contributor
export dirname=/var/run/cloudera-scm-agent/process/
# List non-empty entries under the agent process directory and keep only the keytab files
sudo find "$dirname" -not -empty -ls | grep keytab
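Because the process directory changes on every restart, a helper that resolves the current directory for a role is more dependable than a fixed path. The following is an added example, not part of the original thread or of Cloudera's tooling; the function names are hypothetical, and it assumes the numeric prefix of each directory grows with every restart, so the largest number is the current one.

```shell
#!/bin/sh
# Added example: find the current Cloudera Manager agent process directory
# for a role and list the keytabs placed in it.

# Base path as quoted in the thread; override with PROCESS_BASE for testing.
PROCESS_BASE="${PROCESS_BASE:-/var/run/cloudera-scm-agent/process}"

# latest_process_dir ROLE [BASE]
# Prints the "<N>-...-<ROLE>" directory with the largest numeric prefix N.
# Assumption: a larger N means a more recent start of the role.
latest_process_dir() {
    local role base best best_n d name n
    role="$1"; base="${2:-$PROCESS_BASE}"; best=""; best_n=-1
    for d in "$base"/*-"$role"; do
        [ -d "$d" ] || continue                    # also skips an unmatched glob
        name="${d##*/}"                            # e.g. 120-hive_on_tez-HIVESERVER2
        n="${name%%-*}"                            # e.g. 120
        case "$n" in ''|*[!0-9]*) continue ;; esac # prefix must be all digits
        # Compare numerically: a plain sort would rank "9-..." above "120-..."
        if [ "$n" -gt "$best_n" ]; then best_n="$n"; best="$d"; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# role_keytabs ROLE [BASE]
# Prints the *.keytab files found in the current process directory of ROLE.
role_keytabs() {
    local dir kt
    dir="$(latest_process_dir "$@")" || return 1
    for kt in "$dir"/*.keytab; do
        [ -f "$kt" ] && printf '%s\n' "$kt"
    done
    return 0
}

# When called with a role name, print each keytab and, if klist is installed,
# the principals it holds (klist -kt lists key entries, not key material).
if [ "$#" -gt 0 ]; then
    role_keytabs "$1" | while IFS= read -r kt; do
        echo "== $kt"
        if command -v klist >/dev/null 2>&1; then klist -kt "$kt"; fi
    done
fi
```

Run it as root with a role suffix such as `HIVESERVER2`, since the process directories and keytabs are not readable by ordinary users.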
 
