Enabling TLS/SSL and Kerberos for a single-user Cloudera Manager setup

Hi,

I am setting up TLS/SSL and Kerberos on a single-user setup of Cloudera Manager. The Cloudera Manager version used is 5.12 and the underlying CDH parcel is 5.11.

Kerberos setup is done using MIT KDC and TLS/SSL is configured up to Level 1. After doing this, when I restart CM, Agents and HDFS I see that the HDFS doesn't restart. The error is as below:

 

5:49:39.498 PM FATAL DataNode
Exception in secureMain
java.lang.RuntimeException: Cannot start secure DataNode without configuring either privileged resources or SASL RPC data transfer protection and SSL for HTTP.  Using privileged resources in combination with SASL RPC data transfer protection is not supported.
	at org.apache.hadoop.hdfs.server.datanode.DataNode.checkSecureConfig(DataNode.java:1333)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.startDataNode(DataNode.java:1233)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.<init>(DataNode.java:464)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.makeInstance(DataNode.java:2545)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.instantiateDataNode(DataNode.java:2432)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.createDataNode(DataNode.java:2479)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.secureMain(DataNode.java:2661)
	at org.apache.hadoop.hdfs.server.datanode.DataNode.main(DataNode.java:2685)

 

After searching for a probable solution on Google, I stumbled upon a link that asks to do additional configuration for single-user setups. The section 'Configuration for Secure Clusters' talks about the additional 4 steps to be performed.

https://www.cloudera.com/documentation/enterprise/5-11-x/topics/install_singleuser_reqts.html

 

I have performed the steps of HDFS with TLS but am not sure what to do for the remaining two:

  • Do not configure the DataNode Transceiver port and HTTP Web UI port to use privileged ports.
  • Configure DataNode data transfer protection.

 

Please suggest what is the expectation for these 2 steps in single-user mode.

 

Thanks

 

1 ACCEPTED SOLUTION

Thanks for the reply. HDFS started in green after making the below changes.

 

DataNode HTTP Web UI Port - 50075

Secure DataNode Web UI Port (TLS/SSL) - 50475

DataNode Transceiver Port - 50010

 

DataNode Data Transfer Protection - Authentication

 

 


2 REPLIES 2

Master Guru

@PrashantAgrawal,

 

You need to either have your DataNode HTTP Web UI Port and DataNode Transceiver Port set to privileged ports or you need to do that or configure TLS to protect the HDFS connections.

If you configured Kerberos via Cloudera Manager, the wizard would have made the port changes for you. 
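
The rule stated in the DataNode error, and why the accepted solution's values satisfy it, as an added example that is not part of the original thread: a Python check over an `hdfs-site.xml` fragment. The property names are Apache Hadoop's; the sample file is constructed, `dfs.http.policy=HTTPS_ONLY` is assumed to be what the TLS step set, and treating ports below 1024 as "privileged resources" is a simplification.

```python
import xml.etree.ElementTree as ET

# Constructed hdfs-site.xml fragment with the accepted solution's values.
# dfs.http.policy=HTTPS_ONLY is an assumption about what the TLS step set.
SAMPLE = """<configuration>
 <property><name>dfs.datanode.address</name><value>0.0.0.0:50010</value></property>
 <property><name>dfs.datanode.http.address</name><value>0.0.0.0:50075</value></property>
 <property><name>dfs.datanode.https.address</name><value>0.0.0.0:50475</value></property>
 <property><name>dfs.data.transfer.protection</name><value>authentication</value></property>
 <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
</configuration>"""

# Hadoop 2.x defaults, used when a property is absent from the file.
DEFAULTS = {"dfs.datanode.address": "0.0.0.0:50010",
            "dfs.datanode.http.address": "0.0.0.0:50075",
            "dfs.data.transfer.protection": "",
            "dfs.http.policy": "HTTP_ONLY"}

def load_props(xml_text):
    """Parse <property><name>/<value> pairs on top of the defaults."""
    props = dict(DEFAULTS)
    for p in ET.fromstring(xml_text).iter("property"):
        props[p.findtext("name").strip()] = (p.findtext("value") or "").strip()
    return props

def check_secure_datanode(props):
    """Return (ok, reason) for a Kerberos-enabled DataNode configuration."""
    ports = [int(props[k].rsplit(":", 1)[1])
             for k in ("dfs.datanode.address", "dfs.datanode.http.address")]
    sasl = bool(props["dfs.data.transfer.protection"])
    https_only = props["dfs.http.policy"] == "HTTPS_ONLY"
    # Simplification: ports below 1024 stand in for "privileged resources".
    if sasl and any(p < 1024 for p in ports):
        return False, "privileged ports combined with SASL are not supported"
    if all(p < 1024 for p in ports):
        return True, "privileged ports (DataNode must be started as root)"
    if any(p < 1024 for p in ports):
        return False, "only one of the two ports is privileged"
    if sasl and https_only:
        return True, "SASL data transfer protection with HTTPS_ONLY"
    missing = [name for name, ok in (("dfs.data.transfer.protection", sasl),
                                     ("dfs.http.policy=HTTPS_ONLY", https_only))
               if not ok]
    return False, "non-privileged ports but missing: " + ", ".join(missing)

if __name__ == "__main__":
    print(check_secure_datanode(load_props(SAMPLE)))
```

An empty `<configuration/>` falls back to the defaults and fails the check, which is the state that produces the startup error quoted in the question.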
