Step-by-Step Guide to Integrating Kerberos Authentication with the Cloudera Platform
This article provides a comprehensive tutorial on Kerberos fundamentals, its authentication workflow, and detailed procedures for installing, configuring, and enabling Kerberos security on a Cloudera (Hadoop) cluster running on CentOS, including code snippets, configuration files, and post‑deployment testing steps.
Kerberos Overview
Kerberos prevents unauthorized access to HDFS by requiring encrypted tickets for authentication, protecting against credential leakage, man‑in‑the‑middle attacks, and replay attacks. It works similarly to Windows security tokens, using encrypted tickets and session keys to ensure confidentiality and integrity of communication.
Kerberos Terminology
Kerberos Authentication Process
The client (a user or service) sends a KRB_AS_REQ to the Authentication Server (AS), which answers with a KRB_AS_REP carrying a Ticket-Granting Ticket (TGT); the client-readable part of the reply is encrypted with the principal's key. After decrypting that reply, the client presents the TGT to the Ticket-Granting Server (TGS) in a KRB_TGS_REQ and receives a service ticket in the KRB_TGS_REP. With the service ticket, the client authenticates to the target server using KRB_AP_REQ / KRB_AP_REP. The TGT is stored in a credential cache file named krb5cc_<uid> under /tmp (e.g., /tmp/krb5cc_0 for root).
Figure: Kerberos authentication flow.
Cloudera Platform Integration with Kerberos
Cloudera offers a streamlined, largely automated method to integrate Kerberos.
System: CentOS 7.2
Operating user: admin
Role distribution:

Role             Node               Machine Type
KDC, AS, TGS     192.168.1.1        VM
Kerberos Agent   192.168.1.[2-17]   VM, Master, Slave
Assume the list_krb_clients file contains the following IPs:
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
192.168.1.6
192.168.1.7
192.168.1.8
192.168.1.9
192.168.1.10
192.168.1.11
192.168.1.12
192.168.1.13
192.168.1.14
192.168.1.15
192.168.1.16
192.168.1.17

JDK Installation
Installation steps are omitted for brevity.
Kerberos Installation
Install the server on 192.168.1.1:
sudo yum install krb5-server openldap-clients -y
Install the client on 192.168.1.[2-17]:
sudo pssh -h list_krb_clients -P -l admin -A "sudo yum install krb5-devel krb5-workstation -y"

Configuration Modification
Edit /etc/krb5.conf (replace DOMAIN.COM with your domain):
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN.COM = {
kdc = 192.168.1.1
admin_server = 192.168.1.1
}
[domain_realm]
.domain.com = DOMAIN.COM
DOMAIN.COM = DOMAIN.COM

Distribute krb5.conf to all clients:
pscp -h list_krb_clients krb5.conf /tmp
pssh -h list_krb_clients -l admin -A "sudo cp /tmp/krb5.conf /etc"

Modify the KDC configuration file /var/kerberos/krb5kdc/kdc.conf:
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
DOMAIN.COM = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
max_life = 25h
max_renewable_life = 8d
}

Update the ACL file /var/kerberos/krb5kdc/kadm5.acl so that every principal whose instance is admin gets full administrative rights:
*/admin@DOMAIN.COM *

Install the Java Cryptography Extension (JCE) unlimited-strength policy files on both the server and the clients so that aes256-cts can be used:
sudo wget http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip
sudo unzip jce_policy-8.zip
sudo mv UnlimitedJCEPolicyJDK8/*.jar $JAVA_HOME/jre/lib/security
pscp -h list_krb_clients $JAVA_HOME/jre/lib/security/US_export_policy.jar /tmp
pscp -h list_krb_clients $JAVA_HOME/jre/lib/security/local_policy.jar /tmp
pssh -h list_krb_clients -l admin -A "sudo cp /tmp/US_export_policy.jar $JAVA_HOME/jre/lib/security/"
pssh -h list_krb_clients -l admin -A "sudo cp /tmp/local_policy.jar $JAVA_HOME/jre/lib/security/"

Create Kerberos Database
Initialize the database on 192.168.1.1 (default path /var/kerberos/krb5kdc):
sudo kdb5_util create -r DOMAIN.COM -s

Start Kerberos Services
# Start services
sudo /bin/systemctl start krb5kdc
sudo /bin/systemctl start kadmin
# Enable on boot
sudo /bin/systemctl enable krb5kdc
sudo /bin/systemctl enable kadmin

Create Kerberos Administrator Principal
# Enter the new principal's password twice when prompted
sudo kadmin.local -q "addprinc cdh-master/admin"
The instance part of the principal name is admin, so it matches the */admin@DOMAIN.COM entry in kadm5.acl and receives the administrative privileges defined there.
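The lifetime and encryption-type settings above are easy to get wrong, and the Cloudera wizard later depends on them (it needs renewable tickets with a non-zero lifetime). As an added example that is not part of the original article, the following Python script parses kdc.conf and krb5.conf in their native syntax, checks that max_life and max_renewable_life on the KDC are at least as long as the clients' ticket_lifetime and renew_lifetime, and flags the deprecated DES, 3DES and RC4 encryption types that the supported_enctypes line above still offers (an AES-only list is the safer choice on a new cluster). The embedded configuration text is a constructed sample mirroring the values shown in this article; the function names are mine, not part of any Cloudera or MIT tool.

```python
import re

# Seconds per unit letter in krb5 duration strings ("24h", "7d", "1week", "1d 2h").
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Single DES, triple DES and RC4 are deprecated for Kerberos (RFC 6649, RFC 8429);
# a KDC should not offer them in supported_enctypes.
WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")


def parse_duration(text):
    """Convert a krb5 lifetime string to seconds: plain seconds, HH:MM[:SS],
    or number+unit pairs where only the unit's first letter matters (h, d, week)."""
    text = text.strip().lower()
    if re.fullmatch(r"\d+", text):
        return int(text)
    clock = re.fullmatch(r"(\d+):(\d+)(?::(\d+))?", text)
    if clock:
        return int(clock[1]) * 3600 + int(clock[2]) * 60 + int(clock[3] or 0)
    parts = re.findall(r"(\d+)\s*([a-z]+)", text)
    if not parts:
        raise ValueError(f"unrecognised duration {text!r}")
    total = 0
    for number, unit in parts:
        if unit[0] not in _UNIT_SECONDS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += int(number) * _UNIT_SECONDS[unit[0]]
    return total


def parse_krb_conf(text):
    """Parse krb5.conf/kdc.conf syntax: [section] headers, key = value lines
    and NAME = { ... } subsections. Returns nested dicts of strings."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif not stack:
            raise ValueError(f"line outside any section: {line!r}")
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def audit(kdc_text, krb5_text, realm):
    """Compare the KDC's limits with the clients' requests and list the
    deprecated enctypes offered; an empty result means the policy is consistent."""
    kdc_realm = parse_krb_conf(kdc_text).get("realms", {}).get(realm, {})
    libdefaults = parse_krb_conf(krb5_text).get("libdefaults", {})
    findings = []
    for kdc_key, client_key in (("max_life", "ticket_lifetime"),
                                ("max_renewable_life", "renew_lifetime")):
        if kdc_key not in kdc_realm or client_key not in libdefaults:
            findings.append(f"{kdc_key} or {client_key} is not set")
            continue
        kdc_val = parse_duration(kdc_realm[kdc_key])
        client_val = parse_duration(libdefaults[client_key])
        if kdc_val == 0:
            findings.append(f"{kdc_key} is 0, so the KDC will not grant what "
                            f"{client_key} asks for")
        elif kdc_val < client_val:
            findings.append(f"{kdc_key}={kdc_realm[kdc_key]} is shorter than "
                            f"{client_key}={libdefaults[client_key]}; the KDC will cap it")
    for enctype in kdc_realm.get("supported_enctypes", "").split():
        name = enctype.split(":", 1)[0]
        if name.startswith(WEAK_ENCTYPE_PREFIXES):
            findings.append(f"deprecated enctype offered by the KDC: {name}")
    return findings


# Constructed sample files mirroring the values shown in this article.
KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
[realms]
 DOMAIN.COM = {
  master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  max_life = 25h
  max_renewable_life = 8d
 }
"""
KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN.COM
 ticket_lifetime = 24h
 renew_lifetime = 7d
[realms]
 DOMAIN.COM = {
  kdc = 192.168.1.1
  admin_server = 192.168.1.1
 }
"""

if __name__ == "__main__":
    for finding in audit(KDC_CONF, KRB5_CONF, "DOMAIN.COM") or ["policy OK"]:
        print(finding)
```

On the KDC host the same check runs against the live files with audit(open("/var/kerberos/krb5kdc/kdc.conf").read(), open("/etc/krb5.conf").read(), "DOMAIN.COM"). With the article's values the lifetimes pass (25h covers 24h, 8d covers 7d) and the only findings are the five DES/3DES/RC4 entries in supported_enctypes.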
Cloudera Integration Steps
Before proceeding, ensure:
KDC is installed and running.
The KDC issues renewable tickets with a non-zero lifetime (verify that max_life and max_renewable_life in kdc.conf are compatible with, i.e. at least as long as, ticket_lifetime and renew_lifetime in the clients' krb5.conf).
OpenLDAP clients are installed on the Cloudera Manager server.
A super‑admin principal for Cloudera Manager has been created.
Then in Cloudera Manager:
Navigate to the cluster and click Enable Kerberos.
Continue and configure Kerberos Encryption Types to match those supported by the KDC (e.g., aes256-cts).
Do NOT select “Manage krb5.conf through Cloudera Manager” to avoid overwriting the ACL.
Enter the Cloudera Manager principal (e.g., cdh-master/admin@DOMAIN.COM).
Provide KDC Account Manager credentials.
Finish the wizard, which restarts the cluster and enables Kerberos.
Cloudera Manager will automatically:
Create a principal for each node and service.
Generate and distribute keytab files.
Inject Kerberos configuration into service files (including jaas.conf for Zookeeper).
Service‑Specific Configuration
Enable HTTP Web‑Console authentication for HDFS and YARN:
Enable Kerberos Authentication for HTTP Web-Consoles = true
Enable Thrift authentication for HBase:
HBase Thrift Authentication = auth

Testing the Deployment
Basic Functionality Test
Create a principal on the KDC (192.168.1.1); <user_name> and <instance> are placeholders for the principal's primary and instance components:
sudo kadmin.local -q "addprinc <user_name>/<instance>@DOMAIN.COM"
Create the same principal from a client (192.168.1.2), authenticating to kadmin as the administrator:
kinit cdh-master/admin@DOMAIN.COM
kadmin -q "addprinc <user_name>/<instance>@DOMAIN.COM"
Destroy any existing tickets:
kdestroy
Obtain a new ticket and verify it (klist -f also prints the ticket flags, e.g. F for forwardable and R for renewable):
kinit <user_name>/<instance>@DOMAIN.COM
klist -f

Hive Test
kadmin -q "addprinc hive/<instance>@DOMAIN.COM"
kinit hive/<instance>@DOMAIN.COM
Then, in the Hive CLI, run:
CREATE DATABASE test;
USE test;
CREATE TABLE t(id int);
DROP TABLE t;
DROP DATABASE test;

Beeline/JDBC test:
beeline --verbose=true
!connect jdbc:hive2://${HIVE_SERVER2_HOSTNAME}:10000/default;principal=hive/${HIVE_SERVER2_HOSTNAME}@DOMAIN.COM

HBase on HUE Test
kdestroy
kinit cdh-master/admin
kadmin -q "addprinc hbase/<instance>@DOMAIN.COM"
kinit hbase/<instance>@DOMAIN.COM
hbase shell
Then, in the HBase shell, grant the hue user full permissions:
grant 'hue','RWXCA'

Sqoop on HUE Test
sqoop list-databases --connect jdbc:mysql://${MYSQL_SERVER_FQDN}:3306 --username ${MYSQL_USERNAME} --password ${MYSQL_PASSWD}
sqoop import --connect jdbc:mysql://${MYSQL_SERVER_FQDN}:3306/cm --username ${MYSQL_USERNAME} --password ${MYSQL_PASSWD} --table HOSTS --target-dir /user/admin/tgt -m 1 --delete-target-dir

Common Issues and Fixes
Ticket renewer reports "Ticket expired while renewing credentials": the maximum renewable life of the krbtgt/DOMAIN.COM@DOMAIN.COM principal is 0, so issued TGTs can never be renewed. Raise it to 7 days with:
sudo kadmin.local -q "modprinc -maxrenewlife 1week krbtgt/DOMAIN.COM@DOMAIN.COM"
Spark job fails with "Delegation Token can be issued only with kerberos or web authentication": submit the Spark job with master = yarn and deploy mode = cluster.
Beeline error "Failed to find any Kerberos tgt": do not obtain tickets with sudo; run kinit as the regular user who launches Beeline, because the ticket cache (/tmp/krb5cc_<uid>) belongs to the uid that ran kinit.
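The basic functionality test above ends with klist -f, and two of the issues just listed (a TGT that was never renewable, and a ticket cache that belongs to root because kinit ran under sudo) are visible in that output before any job fails. As an added example that is not part of the original article, the following Python script parses klist -f text and reports those conditions. The two klist outputs are constructed sample text, not captures from a real cluster; the principal alice@DOMAIN.COM, the dates, the uid 1000 and the function names are assumptions of this example, and the timestamp layout follows MIT klist in both its four-digit and two-digit year forms.

```python
import re
from datetime import datetime

# Timestamp shape printed by MIT klist ("03/04/2024 09:00:00" or "03/04/24 09:00:00").
_TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
_TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
_DETAIL_RE = re.compile(rf"^\s+(?:renew until ({_TS}),\s*)?Flags:\s*(\w+)\s*$")


def parse_timestamp(text):
    """Parse a klist timestamp with either a four- or two-digit year."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {text!r}")


def parse_klist(output):
    """Turn `klist -f` text into a dict: cache path, default principal and one
    entry per ticket with its start/expiry, renew-until time and flag letters."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in output.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        elif (ticket := _TICKET_RE.match(line)):
            info["tickets"].append({
                "start": parse_timestamp(ticket[1]),
                "expires": parse_timestamp(ticket[2]),
                "service": ticket[3],
                "renew_until": None,
                "flags": "",
            })
        elif (detail := _DETAIL_RE.match(line)) and info["tickets"]:
            current = info["tickets"][-1]          # detail line belongs to the ticket above it
            if detail[1]:
                current["renew_until"] = parse_timestamp(detail[1])
            current["flags"] = detail[2]
    return info


def check_tgt(info, realm, expected_uid=None, now=None):
    """Return findings about the TGT for `realm`; an empty list means the cache
    is usable by a long-running renewer (Hue, YARN) started as `expected_uid`."""
    now = now or datetime.now()
    findings = []
    cache_uid = re.search(r"krb5cc_(\d+)", info["cache"] or "")
    if expected_uid is not None and cache_uid and int(cache_uid[1]) != expected_uid:
        findings.append(f"ticket cache belongs to uid {cache_uid[1]}, not uid "
                        f"{expected_uid}: was kinit run under sudo?")
    tgt_name = f"krbtgt/{realm}@{realm}"
    tgt = next((t for t in info["tickets"] if t["service"] == tgt_name), None)
    if tgt is None:
        findings.append(f"no {tgt_name} ticket in the cache: run kinit first")
        return findings
    if tgt["expires"] <= now:
        findings.append("TGT has already expired")
    if "R" not in tgt["flags"] or tgt["renew_until"] is None:
        findings.append("TGT is not renewable: check max_renewable_life on the "
                        f"{tgt_name} principal and renew_lifetime in krb5.conf")
    elif tgt["renew_until"] <= tgt["expires"]:
        findings.append("renew-until is not later than expiry, so renewal cannot extend the ticket")
    return findings


# Constructed sample output (not captured from a real cluster): a healthy cache
# for uid 1000, and one obtained via sudo whose TGT was issued non-renewable.
KLIST_OK = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@DOMAIN.COM

Valid starting       Expires              Service principal
03/04/2024 09:00:00  03/05/2024 09:00:00  krbtgt/DOMAIN.COM@DOMAIN.COM
\trenew until 03/11/2024 09:00:00, Flags: FRIA
"""
KLIST_BAD = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: alice@DOMAIN.COM

Valid starting       Expires              Service principal
03/04/2024 09:00:00  03/05/2024 09:00:00  krbtgt/DOMAIN.COM@DOMAIN.COM
\tFlags: FIA
"""
SAMPLE_NOW = datetime(2024, 3, 4, 12, 0, 0)   # assumed "current time" for the samples

if __name__ == "__main__":
    for label, text in (("ok", KLIST_OK), ("bad", KLIST_BAD)):
        result = check_tgt(parse_klist(text), "DOMAIN.COM", expected_uid=1000, now=SAMPLE_NOW)
        print(label, result or "OK")
```

On a cluster node, feed it the live output with check_tgt(parse_klist(subprocess.check_output(["klist", "-f"], text=True)), "DOMAIN.COM", expected_uid=os.getuid()). The renewable check looks at both the R flag and the renew-until line, because a TGT issued while the krbtgt principal's maximum renewable life was 0 carries neither, which is exactly the state that produces "Ticket expired while renewing credentials" later.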
Big Data Technology & Architecture
Wang Zhiwu, a big data expert, dedicated to sharing big data technology.