Wednesday, May 3, 2017

Configuring FreeIPA Kerberos in Cloudera Manager: Cloudera Manager + FreeIPA + Kerberos

  1. Create a user in FreeIPA using the command line or the Web UI.
    • Suppose this user is called hadoop.
  2. Add this user to the admins and trust admins user groups in IPA. Membership of admins gives this account full administrative rights over the IPA domain, so treat its keytab and password as highly sensitive.
  3. Generate a Kerberos ticket for this user. Run these commands on the server where Cloudera Manager is installed.
    • ipa-getkeytab -s <your ipa server name> -p <hadoop@YOUR-REALM.NAME> -k keytabfile.keytab
    • e.g.:
      • ipa-getkeytab -s ipa.server.com -p hadoop@SERVER.COM -k cdh.keytab
    • Caveat: retrieving a keytab resets the principal's key. Without -P, ipa-getkeytab generates a new random key and the user's existing password stops working; with -P you are prompted for a password and the keytab is derived from it.
    • kinit as the user hadoop:
      • kinit hadoop@SERVER.COM
      • It will ask for the password; enter the password set while creating the keytab.
      • It will then ask you to change the password; set a new one.
      • Run kdestroy to remove the hadoop credential cache that was obtained with the old password.
      • kinit again with the new password:
      • kinit hadoop@SERVER.COM
      • Retrieve the keytab again, so that the keytab on disk matches the updated password (the password change invalidated the key in the earlier keytab):
      • ipa-getkeytab -s ipa.server.com -p hadoop@SERVER.COM -k cdh.keytab
  4. Copy this keytab file to the /etc/cloudera-scm-server directory, or to any path that is readable by Cloudera Manager.
  5. Once cdh.keytab is in place, change its ownership to the cloudera-scm user and restrict its permissions so that only this user can read it (mode 600):
    • chown cloudera-scm:cloudera-scm cdh.keytab
  6. Download the custom keytab retrieval script file from:
  7. Save this script to a location that is accessible to Cloudera Manager, for example:
  8. The parameters you need to change in this file are:
    • IPA_SERVER=ipa.server.com
    • REALM=SERVER.COM
    • KEYTAB_FILE=/etc/cloudera-scm-server/cdh.keytab
    • CM_PRINC=hadoop@$REALM
    • Near line 39 of the script there is a line that reads
      • ipa service-add $PRINCIPAL
    • Append --force to the end of this line. The flag overrides the FreeIPA restriction that the host part of a service principal must be resolvable in DNS, which otherwise blocks the principals Cloudera Manager generates. The line then reads
      • ipa service-add $PRINCIPAL --force
  9. Log in to the server where FreeIPA is installed, for example ipa.server.com.
      • Start kadmin.local as:
      • kadmin.local -x ipa-setup-override-restrictions
      • This logs you in as root/admin@SERVER.COM.
  10. Add a new principal for Cloudera Manager here:
      • addprinc -pw <passwordforuser> cloudera-scm/admin@SERVER.COM
      • e.g.:
      • addprinc -pw cdhpassword cloudera-scm/admin@SERVER.COM
      • Principal names are case-sensitive; use exactly the same spelling here and in the Cloudera Manager wizard.
  11. Once this principal has been added successfully, go to the Cloudera Manager Web UI at <your-clouderamanager-server>:7180.
  12. Go to Administration > Security, or choose Enable Kerberos from the cluster drop-down menu.
  13. In the resulting wizard enter the required details. On the page titled KDC Account Manager Credentials enter:
      • First text box, Username: cloudera-scm/admin
      • Second text box, Your REALM: SERVER.COM
      • Third text box, Password: passwordforuser
  14. Once this step succeeds, move forward; Cloudera Manager uses this account to generate the other service principals automatically.
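The Cloudera Manager side of the procedure above, collected into one script. This is an added example, not the retrieval script linked in step 6 and not anything shipped by Cloudera or FreeIPA: the hostname ipa.server.com, realm SERVER.COM, the hadoop user, the cloudera-scm account and the /etc/cloudera-scm-server path are the post's placeholders, while DRY_RUN, run, build_principal, lock_down_keytab, keytab_mode_ok, patch_service_add, add_cm_principal and the CM_ADMIN_PASSWORD variable are this example's own assumptions. It only prints the commands by default (DRY_RUN=1) so it can be reviewed before anything touches the KDC.

```shell
#!/usr/bin/env bash
# Added example for the FreeIPA + Cloudera Manager steps above (not the post's script).
# IPA_SERVER/REALM/CM_USER/KEYTAB_FILE/CM_OWNER mirror the post's placeholders;
# DRY_RUN, run(), build_principal(), keytab_mode_ok(), patch_service_add() and
# add_cm_principal() are assumptions made here for illustration.
set -euo pipefail

IPA_SERVER="${IPA_SERVER:-ipa.server.com}"
REALM="${REALM:-SERVER.COM}"
CM_USER="${CM_USER:-hadoop}"                                     # IPA user from step 1
KEYTAB_FILE="${KEYTAB_FILE:-/etc/cloudera-scm-server/cdh.keytab}"
CM_OWNER="${CM_OWNER:-cloudera-scm}"                             # account CM runs as
DRY_RUN="${DRY_RUN:-1}"                                          # 1 = print, 0 = execute

# Print the command (DRY_RUN=1) or execute it (DRY_RUN=0).
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Kerberos principals are case-sensitive. Always build user@REALM with an upper-case
# realm so a "Cloudera-scm/admin@server.com" style typo cannot reach the KDC.
build_principal() {
  local user="$1" realm="$2"
  printf '%s@%s\n' "$user" "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
}

# Step 3: fetch the keytab for the IPA user. Without -P, ipa-getkeytab generates a new
# random key and the user's current password stops working, which is why the post
# re-runs kinit and re-fetches the keytab after the forced password change.
fetch_keytab() {
  run ipa-getkeytab -s "$IPA_SERVER" -p "$(build_principal "$CM_USER" "$REALM")" -k "$KEYTAB_FILE"
}

# Steps 4-5: the keytab is owned by the CM service account and readable by it only.
lock_down_keytab() {
  run chown "${CM_OWNER}:${CM_OWNER}" "$1"
  run chmod 600 "$1"
}

# Returns 0 only when the file mode is exactly -rw------- (owner read/write, nobody else).
keytab_mode_ok() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Step 8: append --force to the "ipa service-add $PRINCIPAL" line of the retrieval
# script so service principals can be created for hosts FreeIPA cannot resolve in DNS.
# Writes a temp copy and renames it, so no GNU-only "sed -i" is needed.
patch_service_add() {
  local script="$1"
  sed 's/^\([[:space:]]*ipa service-add \$PRINCIPAL\)[[:space:]]*$/\1 --force/' "$script" > "$script.tmp"
  mv "$script.tmp" "$script"
}

# Step 10 (run on the IPA server, not on the CM host): create the KDC account manager
# principal that the Cloudera Manager wizard asks for. The password goes to kadmin.local
# on stdin rather than in argv, so it is not visible in the process list.
add_cm_principal() {
  local princ password="$1"
  princ="$(build_principal "cloudera-scm/admin" "$REALM")"
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ kadmin.local -x ipa-setup-override-restrictions  # addprinc -pw **** %s\n' "$princ"
  else
    kadmin.local -x ipa-setup-override-restrictions <<EOF
addprinc -pw ${password} ${princ}
EOF
  fi
}

main() {
  fetch_keytab
  lock_down_keytab "$KEYTAB_FILE"
  if [ "$DRY_RUN" != "1" ]; then
    keytab_mode_ok "$KEYTAB_FILE" || { echo "refusing to continue: $KEYTAB_FILE is readable by others" >&2; exit 1; }
  fi
  # patch_service_add /path/to/retrieval-script.sh   # step 8, using the path chosen in step 7
  add_cm_principal "${CM_ADMIN_PASSWORD:-changeme}"
}

main
```

Run it once as-is to see the planned commands, then with DRY_RUN=0 and CM_ADMIN_PASSWORD exported to execute them. Where Cloudera Manager and FreeIPA live on different hosts, run fetch_keytab and lock_down_keytab on the CM host and add_cm_principal on the IPA host; keytab_mode_ok is the check to keep in any deployment script, because a world-readable keytab for a member of admins is equivalent to handing out the IPA admin password.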


Hope this will help.


2 comments:

  1. Thank you so much for this nice information. Hopefully many people will become aware of this and find it useful as well. Please keep updating like this.

    Big Data Services

    Data Lake Services

    Advanced Analytics Solutions

    Full Stack Development Services

  2. As the Big Data platform managed service grows, it is essential to spread knowledge among people. This meetup will work as a burst of awareness.
