anantamukhta / SEBC


Security #2

Open anantamukhta opened 6 years ago

anantamukhta commented 6 years ago

Install krb5 by following this guide: http://blog.puneethabm.in/configure-hadoop-security-with-cloudera-manager-using-kerberos/

anantamukhta commented 6 years ago
1. Install Java Cryptography Extension (JCE)

Download JCE for Java 8 from this site: http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip

Unzip the JCE zip with the following command:

```
$ unzip jce_policy-8.zip
```

Copy US_export_policy.jar and local_policy.jar to the Java lib security directory:

```
$ sudo cp *policy.jar /usr/java/jdk1.8.0_171-amd64/jre/lib/security/
```

2. Install the krb5 server (on the same host as the Cloudera Manager server):

```
$ yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
```

Install the krb5 client on all nodes:

```
$ yum -y install krb5-workstation krb5-libs krb5-auth-dialog
```

Change the realm name to SEBCLAB.COM:

```
$ sudo vi /var/kerberos/krb5kdc/kdc.conf
```

```
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 SEBCLAB.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
```

Add the parameters below to the Kerberos client configuration file:

```
udp_preference_limit = 1
default_tgs_enctypes = arcfour-hmac
default_tkt_enctypes = arcfour-hmac
```

```
$ sudo vi /etc/krb5.conf
```

```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = SEBCLAB.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 udp_preference_limit = 1
 default_tgs_enctypes = arcfour-hmac
 default_tkt_enctypes = arcfour-hmac

[realms]
 EXAMPLE.COM = {
  kdc = ip-172-31-47-144.example.com
  admin_server = ip-172-31-47-144.example.com
 }

[domain_realm]
 .example.com = SEBCLAB.COM
 example.com = SEBCLAB.COM
```

Create the database using the kdb5_util utility:

```
$ sudo /usr/sbin/kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SEBCLAB.COM',
master key name 'K/M@SEBCLAB.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
```

```
$ sudo kadmin.local
Authenticating as principal root/admin@SEBCLAB.COM with password.
kadmin.local: admin
kadmin.local: Unknown request "admin".  Type "?" for a request list.
kadmin.local: addprinc cloudera-scm@SEBCLAB.COM
WARNING: no policy specified for cloudera-scm@SEBCLAB.COM; defaulting to no policy
Enter password for principal "cloudera-scm@SEBCLAB.COM":
Re-enter password for principal "cloudera-scm@SEBCLAB.COM":
Principal "cloudera-scm@SEBCLAB.COM" created.
kadmin.local: exit
```

```
$ sudo vi /var/kerberos/krb5kdc/kadm5.acl
```

```
*/admin@EXAMPLE.COM *
cloudera-scm@SEBCLAB.COM admilc
```

```
$ sudo kadmin.local
Authenticating as principal root/admin@SEBCLAB.COM with password.
kadmin.local: addpol admin
kadmin.local: addpol users
kadmin.local: addpol hosts
kadmin.local: exit
```

```
$ sudo kadmin.local
Authenticating as principal root/admin@SEBCLAB.COM with password.
kadmin.local: xst -k cmf.keytab cloudera-scm@SEBCLAB.COM
Entry for principal cloudera-scm@SEBCLAB.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:cmf.keytab.
Entry for principal cloudera-scm@SEBCLAB.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:cmf.keytab.
kadmin.local: exit
```

```
$ sudo mv cmf.keytab /etc/cloudera-scm-server/
$ sudo chown cloudera-scm:cloudera-scm /etc/cloudera-scm-server/cmf.keytab
$ sudo chmod 600 /etc/cloudera-scm-server/cmf.keytab
```

```
$ sudo vi /etc/cloudera-scm-server/cmf.principal
```

```
cloudera-scm@SEBCLAB.COM
```

```
$ sudo chown cloudera-scm:cloudera-scm /etc/cloudera-scm-server/cmf.principal
$ sudo chmod 600 /etc/cloudera-scm-server/cmf.principal
```

```
$ sudo systemctl start krb5kdc
$ sudo systemctl start kadmin
```

In Cloudera Manager: Administration -> Settings -> Security -> Kerberos Security Realm -> SEBCLAB.COM

Install the krb5 client on all nodes:

```
$ ssh user@hostname
$ sudo yum -y install krb5-workstation krb5-libs krb5-auth-dialog
```

anantamukhta commented 6 years ago

```
$ kinit cloudera-scm@SEBCLAB.COM
kinit: Cannot find KDC for realm "SEBCLAB.COM" while getting initial credentials
```
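Added example (not from this thread or the SEBC project): a small Python checker for /etc/krb5.conf that reports the cause of this kinit error, a default_realm with no kdc entry under [realms], and also flags the arcfour-hmac enctype settings added in the comment above. The sample config is constructed to mirror the one posted earlier; the function names parse_krb5_conf and check_krb5_conf are this example's own.

```python
# Constructed sample (not from the project) reproducing the thread's mismatch:
# default_realm is SEBCLAB.COM, but [realms] only defines EXAMPLE.COM.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = SEBCLAB.COM
 default_tgs_enctypes = arcfour-hmac
 default_tkt_enctypes = arcfour-hmac
[realms]
 EXAMPLE.COM = {
  kdc = ip-172-31-47-144.example.com
 }
[domain_realm]
 .example.com = SEBCLAB.COM
"""
# Enctypes MIT krb5 deprecates or disables by default; flagged, not auto-fixed.
WEAK_ENCTYPES = {"arcfour-hmac", "des-cbc-crc", "des-cbc-md5", "des-hmac-sha1", "des3-hmac-sha1"}

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or {subkey: value}}}."""
    conf, section, block = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif line.endswith("{"):                  # e.g. "EXAMPLE.COM = {"
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (section if block is None else block)[key] = value
    return conf

def check_krb5_conf(text):
    """Return a list of findings; an empty list means the checks passed."""
    conf = parse_krb5_conf(text)
    lib, realms, findings = conf.get("libdefaults", {}), conf.get("realms", {}), []
    realm = lib.get("default_realm")
    if "kdc" not in realms.get(realm, {}):
        findings.append(f"no kdc for default realm {realm} (kinit: Cannot find KDC for realm)")
    for domain, target in conf.get("domain_realm", {}).items():
        if target not in realms:
            findings.append(f"[domain_realm] {domain} maps to undefined realm {target}")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = WEAK_ENCTYPES.intersection(lib.get(key, "").split())
        if weak:
            findings.append(f"{key} allows weak enctype(s): {', '.join(sorted(weak))}")
    return findings
```

Run it as `python3 -c 'import sys, checker; print("\n".join(checker.check_krb5_conf(open("/etc/krb5.conf").read())))'` (module name assumed) against the real file; an empty result means the realm and kdc mapping are consistent.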

anantamukhta commented 6 years ago

I changed the SEBCLAB.COM realm to the internal hostname.

anantamukhta commented 6 years ago

Connect to the Hive database:

```
$ beeline
!connect jdbc:hive2://:10000/;principal=hive/@REALM
```