- Create a user in FreeIPA using the command line or the Web UI.
- Suppose this user is hadoop.
- Now add this user to admin and trust user group in IPA user groups.
- Generate a Kerberos keytab for this user by running this command on the server where Cloudera Manager is hosted or installed:
- ipa-getkeytab -s <your ipa server name> -p <hadoop@your-realm.name> -k keytabfile.keytab
- e.g.:
- ipa-getkeytab -s ipa.server.com -p hadoop@SERVER.COM -k cdh.keytab
- Run kinit as the user hadoop:
- kinit hadoop@SERVER.COM
- It will ask you for the password; enter the password set while creating the keytab.
- It will now ask you to change the password; set a new password.
- Use kdestroy to remove the hadoop user's cache with the old password.
- Run kinit again with the new password:
- kinit hadoop@SERVER.COM
- Get the keytab file again with this command, so that you have the latest keytab file with the updated password:
- ipa-getkeytab -s ipa.server.com -p hadoop@SERVER.COM -k cdh.keytab
- Copy this keytab file to the /etc/cloudera-scm-server directory or any path accessible to Cloudera Manager.
- Once you have the cdh.keytab file, change its ownership to the cloudera-scm user:
- chown cloudera-scm:cloudera-scm cdh.keytab
- Download the custom keytab retrieval script file from:
- https://github.com/ndunnage/hadoop-tools/blob/master/kerberos/gen_credentials_ipa.sh
- (Credit: ndunnage.) It is tested and runs fine.
- Save this script to a location accessible to Cloudera Manager, for example:
- /etc/cloudera-scm-server/
- Change the ownership and permissions of this file:
- chown cloudera-scm:cloudera-scm gen_credentials_ipa.sh
- chmod 775 gen_credentials_ipa.sh
- The parameters you need to change in this file are as follows:
- IPA_SERVER=ipa.server.com
- REALM=SERVER.COM
- KEYTAB_FILE=/etc/cloudera-scm-server/cdh.keytab
- CM_PRINC=hadoop@$REALM
- There is a line near line number 39 in this script which says:
- ipa service-add $PRINCIPAL
- Change this line by adding --force at the end (this is used to override the restriction in FreeIPA); the line will then look like:
- ipa service-add $PRINCIPAL --force
- Log in to the server where FreeIPA is installed, for example ipa.server.com.
- Start kadmin.local as:
- kadmin.local -x ipa-setup-override-restrictions
- This will log in as root/admin@SERVER.COM.
- Add a new principal for Cloudera Manager here:
- addprinc -pw <passwordforuser> cloudera-scm/admin@SERVER.COM
- e.g.:
- addprinc -pw cdhpassword cloudera-scm/admin@SERVER.COM
- Once this principal is added successfully, go to the Cloudera Manager Web UI <your-clouderamanager-server:7180>.
- Go to Administration / Security, or choose Enable Kerberos from the cluster dropdown menu.
- In the resulting page enter the required details, and in the page where it says KDC account manager credentials enter:
- First text box, Username: cloudera-scm/admin
- Second text box, your REALM: SERVER.COM
- Third text box, Password: passwordforuser
- Once this step succeeds, move forward to generate the other service principals, which Cloudera Manager will generate automatically if this step is successful.
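
A pre-flight check for the keytab and the retrieval script after the chown/chmod steps above, as an added example that is not part of the original post or of ndunnage's script. The function names and the rule that the keytab must carry no group/other permission bits are assumptions of this example; the file names and the cloudera-scm owner come from the steps.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the two files
# the steps above place under /etc/cloudera-scm-server.

# Print "<owner> <octal mode>" for a file: GNU stat first, BSD stat as fallback.
owner_and_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# check_file <file> <expected owner> <forbidden permission bits, octal>
# Succeeds only if <file> is a regular file (not a symlink), is owned by the
# expected user, and has none of the forbidden bits set.
check_file() {
    local file="$1" want="$2" forbidden="$3" info owner mode rc=0
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL $file: missing, a symlink, or not a regular file" >&2
        return 1
    fi
    info=$(owner_and_mode "$file") || return 1
    owner=${info% *}
    mode=${info#* }
    if [ "$owner" != "$want" ]; then
        echo "FAIL $file: owner is $owner, expected $want" >&2
        rc=1
    fi
    # The leading 0 makes the shell read both values as octal.
    if [ $(( 0$mode & 0$forbidden )) -ne 0 ]; then
        echo "FAIL $file: mode $mode grants bits from $forbidden" >&2
        rc=1
    fi
    return $rc
}

# preflight <directory> <owner>
# Assumption of this example: the keytab holds the principal's long-term keys,
# so group and other get no access at all (077). The script only has to be
# not world-writable (002), which the chmod 775 from the steps satisfies.
preflight() {
    local dir="$1" user="$2" rc=0
    check_file "$dir/cdh.keytab" "$user" 077 || rc=1
    check_file "$dir/gen_credentials_ipa.sh" "$user" 002 || rc=1
    return $rc
}

# Usage on the Cloudera Manager host:
#   preflight /etc/cloudera-scm-server cloudera-scm && echo "OK"
```

A failed owner check on either file usually means the chown step did not apply to it.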
Wednesday, May 3, 2017
Configuring freeIPA Kerberos in Cloudera Manager : Cloudera Manager + freeIPA + Kerberos