Cloudera Security

Post on 02-Jan-2017

  • Cloudera Security

  • Important Notice

    © 2010-2018 Cloudera, Inc. All rights reserved.

    Cloudera, the Cloudera logo, and any other product or service names or slogans contained in this document are trademarks of Cloudera and its suppliers or licensors, and may not be copied, imitated or used, in whole or in part, without the prior written permission of Cloudera or the applicable trademark holder.

    Hadoop and the Hadoop elephant logo are trademarks of the Apache Software Foundation. All other trademarks, registered trademarks, product names and company names or logos mentioned in this document are the property of their respective owners. Reference to any products, services, processes or other information, by trade name, trademark, manufacturer, supplier or otherwise does not constitute or imply endorsement, sponsorship or recommendation thereof by us.

    Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Cloudera.

    Cloudera may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Cloudera, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. For information about patents covering Cloudera products, see http://tiny.cloudera.com/patents.

    The information in this document is subject to change without notice. Cloudera shall not be liable for any damages resulting from technical errors or omissions which may be present in this document, or from use of this document.

    Cloudera, Inc.
    395 Page Mill Road
    Palo Alto, CA 94306
    info@cloudera.com
    US: 1-888-789-1488
    Intl: 1-650-362-0488
    www.cloudera.com

    Release Information

    Version: Cloudera Enterprise 5.4.x
    Date: February 6, 2018

  • Table of Contents

    About this Guide

    Authentication
      Configuring Authentication in Cloudera Manager
        Cloudera Manager User Accounts
        Configuring External Authentication for Cloudera Manager
        Kerberos Concepts - Principals, Keytabs and Delegation Tokens
        Enabling Kerberos Authentication Using the Wizard
        Enabling Kerberos Authentication for Single User Mode or Non-Default Users
        Configuring a Cluster with Custom Kerberos Principals
        Viewing and Regenerating Kerberos Principals
        Mapping Kerberos Principals to Short Names
        Using Auth-to-Local Rules to Isolate Cluster Users
        Configuring Kerberos for Flume Thrift Source and Sink
        Configuring YARN for Long-running Applications
        Enabling Kerberos Authentication Without the Wizard
      Configuring Authentication in the Cloudera Navigator Data Management Component
        Configuring External Authentication for the Cloudera Navigator Data Management Component
        Managing Users and Groups for the Cloudera Navigator Data Management Component
      Configuring Authentication in CDH Using the Command Line
        Enabling Kerberos Authentication for Hadoop Using the Command Line
        Flume Authentication
        HBase Authentication
        HCatalog Authentication
        Hive Authentication
        HttpFS Authentication
        Hue Authentication
        Impala Authentication
        Llama Authentication
        Oozie Authentication
        Search Authentication
        Spark Authentication
        Sqoop 2 Authentication
        ZooKeeper Authentication
        FUSE Kerberos Configuration
        Using kadmin to Create Kerberos Keytab Files
        Configuring the Mapping from Kerberos Principals to Short Names
        Enabling Debugging Output for the Sun Kerberos Classes
      Configuring a Cluster-dedicated MIT KDC with Cross-Realm Trust
        When to use kadmin.local and kadmin
        Setting up a Cluster-Dedicated KDC and Default Realm for the Hadoop Cluster
      Integrating Hadoop Security with Active Directory
        Configuring a Local MIT Kerberos Realm to Trust Active Directory
      Integrating Hadoop Security with Alternate Authentication
        Configuring the AuthenticationFilter to use Kerberos
        Creating an AltKerberosAuthenticationHandler Subclass
        Enabling Your AltKerberosAuthenticationHandler Subclass
        Example Implementation for Oozie
      Hadoop Users in Cloudera Manager and CDH

    Au