Adding Active Directory Users on Hadoop Cluster with Kerberos Enabled

Explorer

Dear Community,

 

Actually, I have a Hadoop Hortonworks cluster with Kerberos enabled.

The users who need access are in the AD repository.

I can add some users and test that users could submit their jobs successfully.

 

But the issue here is that I have to add every user on all nodes and also register every user's keytab on all nodes.

This is ok for 1 or 2 users but not for 50 or 100 😞

I am creating keytabs using ktutil, so I have to ask every user to type his password!!

Is there any other tip to do this?

How can I register keytabs for a domain not per user?

Should I do it per user?

Any idea will be appreciated.

 

thanks

Asma

3 REPLIES

@asmarz You don't have to create every user manually. This can be taken care of by Ambari itself. Our doc says:

When you enable Kerberos, if you choose to use an Existing MIT KDC or Existing Active Directory, the Kerberos Wizard prompts for information related to the KDC, the KDC Admin Account credentials, and the Service and Ambari principals. Once provided, Ambari will automatically create principals, generate keytabs and distribute keytabs to the hosts in the cluster. The services will be configured for Kerberos and the service components are restarted to authenticate against the KDC. This is the Kerberos Automated Setup option.

 

Please follow the docs below for this:

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/_managing_admin_credential...

 

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/_use_an_existing_active_di...


Cheers!

Explorer

Thank you for your reply 

 

I first configured only the Ambari server and the edge node with Active Directory (Samba), then I enabled Kerberos. I got a lot of principals generated on Hadoop, but for Spark, YARN ...

Users from AD could not connect and execute their jobs.

Then I configured the other nodes (name nodes and data nodes) with Active Directory and added users manually, and then they were able to use the cluster.

So I don't understand why I did not get the automatic thing for AD users? Should I regenerate keytabs from the Ambari server?
It is really a blocking issue for me.

thanks a lot in advance 

Explorer

In the second link that you attached there is a link to centrifugal, and it is about adding tickets for users, example we user ... it should be done manually for each user.
