Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Kerberos authentication in Cloudera/Hadoop

Labels:
GlenC
New Contributor

Created on ‎11-22-2019 08:09 AM - last edited on ‎11-22-2019 09:37 AM by Community Manager Community Manager

Hello all.

    First I'd like to say I'm not a Hadoop admin but an SA, so I have little to no experience with Hadoop except for maintaining the OS the software lives on. The question I have is in regards to kerberos authentication and how to set it up properly so it works. The previous installer of Cloudera integrated the kerberos keytab for the service account into the main system keytab. And now that we have switched vendors for AD integration for our Linux services we've run into issues with the authentication as the vendor defaults to maintain the system keytab. We have been told by the AD integration vendor the Hadoop service account keytab should be in it's own separate keytab file so when the AD password for the computer account changes it won't effect Hadoop.

 

Our Hadoop admins prefer to use the system keytab as the code used within the Hadoop jobs reference the system keytab. So changing how it's done is apparently a big task. Since I'm not well versed in Hadoop I don't know what to look for in the documentation to point them to say "This is how it's done". And I don't have access to support so I'm doing a round about way to get the proper information.

 

Would someone be so kind as to provide guidance as to where I can find the documentation to show them how it should be done? Or educate me that they are doing it correctly?

 

Thank you.

 

GlenC

 

519 Views
0 Kudos
1 REPLY 1

iamfromsky
Expert Contributor

Created ‎11-22-2019 08:56 AM

AD/LDAP integration can be shared with hive, impala, hue, then anyone just has account in AD/LDAP, they can login hive, impala,hue.

 

kerberos is for Hadoop security , no any connection to AD/LDAP integration. hive/impala can auth with user/password and kerberos, basically we use user/password. but for program like base, spark, map reduce must auth with kerberos. 

 

so anyone who want run program on yarn or any other like hbase etc.. should have keytab.

what I meant is AD/LDAP won't effect kerberos user .

 

the below is the basic guide for you:

1. install MIT kerberos server.

2. open kerberos auth on hadoop

3. integrate Hadoop with AD/LDAP(basically for hue, hive, impala)

anyone who want use Hadoop must have account on os layer. for example, one developer tell you he want to use Hadoop, you have some work to do:

1) add account in AD/LDAP

2) create os user in every node manager  node. otherwise it will show errors like can't find xxx user when run yarn program

3) create kerberos keytab for the user if these guy want to use yarn, hbase, spark etc..

4) send kerberos krb5.conf to user

that's done.

 

hope you can understand .

 

511 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Product Announcements
[ANNOUNCE] CDP Private Cloud Data Services 1.5.0 Released
Community Announcements
January 2023 Community Highlights
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector 2.6.30 for Impala is Released
What's New @ Cloudera
Cloudera Operational Database (COD) provides a CLI option to enable HBase region canaries
What's New @ Cloudera
Cloudera Operational Database (COD) supports creating an operational database using a predefined Data Lake template
View More Announcements