Step 9: Enable Hadoop Security

To enable Hadoop security for the cluster, you enable it on an HDFS service. After you do so, the Cloudera Manager Server automatically enables Hadoop security on the MapReduce and HBase services associated with that HDFS service.

To enable Hadoop security:

  1. Navigate to the HDFS Service > Configuration tab.
  2. Scroll down or search until you see the Hadoop Secure Authentication property.
  3. Click the value for the Hadoop Secure Authentication property and select the kerberos option to enable Hadoop security on the selected HDFS service.
  4. Click the value for the Hadoop Secure Authorization property and select the checkbox to enable Kerberos authorization on the selected HDFS service.
  5. Scroll down until you see the Datanode Transceiver Port property.
  6. Click the value for the Datanode Transceiver Port property and specify a privileged port number (below 1024). Cloudera recommends 1004.
  7. Click the value for the Datanode HTTP Web UI Port property and specify a privileged port number (below 1024). Cloudera recommends 1006.
     Note: The port numbers for these two DataNode properties must be below 1024. This is part of the security mechanism that makes it impossible for a user to run a MapReduce task that impersonates a DataNode. The port numbers for the NameNode and Secondary NameNode can be anything you want, but the default port numbers are good ones to use.

  8. For every DataNode Role Config Group, repeat steps 6 and 7 to change the Datanode Transceiver Port property and Datanode HTTP Web UI Port property.
  9. Click Save Changes to save the configuration settings.
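
After the changes are deployed, the resulting settings can be checked outside the Admin Console. The following is an added example, not part of the original Cloudera documentation: it audits a Hadoop `<configuration>` document for the four settings from the steps above. It assumes the properties appear under the standard Hadoop names `hadoop.security.authentication`, `hadoop.security.authorization`, `dfs.datanode.address` (Datanode Transceiver Port) and `dfs.datanode.http.address` (Datanode HTTP Web UI Port); the sample input is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of merged core-site.xml / hdfs-site.xml properties
# (not taken from a real cluster). The HTTP port is deliberately left unprivileged.
SAMPLE_CONF = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:1004</value></property>
  <property><name>dfs.datanode.http.address</name><value>0.0.0.0:50075</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def port_of(address):
    """Extract the port from a host:port value; None if missing or malformed."""
    _, sep, port = address.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def audit(props):
    """Return a list of findings; an empty list means the settings match the steps above."""
    findings = []
    # Hadoop falls back to 'simple' authentication when the property is absent.
    if props.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        findings.append("hadoop.security.authentication is not 'kerberos'")
    if props.get("hadoop.security.authorization", "false").lower() != "true":
        findings.append("hadoop.security.authorization is not enabled")
    # Both DataNode ports must be privileged (below 1024).
    for key in ("dfs.datanode.address", "dfs.datanode.http.address"):
        port = port_of(props.get(key, ""))
        if port is None:
            findings.append(f"{key} is unset or has no port")
        elif not 0 < port < 1024:
            findings.append(f"{key} uses unprivileged port {port}")
    return findings

if __name__ == "__main__":
    for line in audit(load_props(SAMPLE_CONF)) or ["OK"]:
        print(line)
```

Run it against the configuration of each DataNode Role Config Group, since step 8 requires the port change in every group.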

(CDH3 only) To enable Oozie security:

  1. Navigate to the Oozie Service > Configuration tab.
  2. Scroll down until you see the Enable Kerberos authentication property.
  3. Click the value for the Enable Kerberos authentication property and select the checkbox to enable Kerberos authorization on the selected Oozie service.
  4. Click Save Changes to save the configuration settings.

(CDH4 only) To enable Zookeeper security:

  1. Navigate to the Zookeeper Service > Configuration tab.
  2. Click the Enable Zookeeper Security property and select the checkbox to enable Kerberos authorization on the selected Zookeeper service.
  3. Click Save Changes to save the configuration settings.

(CDH4 only) To enable HBase security:

  1. Navigate to the HBase Service > Configuration tab.
  2. Click the value for the HBase Secure Authentication property and select the kerberos option to enable authentication on the selected HBase service.
  3. Click the value for the HBase Secure Authorization property and select the checkbox to enable authorization on the selected HBase service.
  4. Click Save Changes to save the configuration settings.
Note: If you use the Cloudera Manager Admin Console to generate a client configuration file after you enable Hadoop security on your cluster, the generated configuration file will not contain the Kerberos principal and keytab file that end users need to authenticate. Users must obtain a Kerberos principal and keytab file from your Kerberos administrator and then run the kinit command themselves.