After enabling and configuring Hadoop security using Kerberos on your cluster, you can view and regenerate the Kerberos principals for your cluster. If you make a global configuration change in your cluster, such as changing the encryption type, use the Kerberos page to regenerate the principals. In a secure cluster, the Kerberos page lists all the Kerberos principals that are active on your cluster.
Regenerating Kerberos Principals
- Regenerate principals using the following steps in the Cloudera Manager Admin Console, not directly in the kadmin shell.
- Do not regenerate the principals for your cluster unless you have made a global configuration change. Before regenerating, be sure to read Step 3: Set up a Local KDC and Default Domain for the Hadoop Cluster to avoid making your existing host keytabs invalid.
To view and regenerate the Kerberos principals for your cluster:
- From the Administration tab, select Kerberos.
- The currently configured Kerberos principals are displayed. If you are running HDFS, the hdfs/hostname and host/hostname principals are listed. If you are running MapReduce, the mapred/hostname and host/hostname principals are listed. The principals for other running services are also listed.
- Only if necessary, select the principals you want to regenerate.
- Click Regenerate.
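One way to confirm that a regeneration after an encryption-type change took effect, as an added example that is not part of the Cloudera documentation or product: the script parses the output of `klist -kte` for a keytab and lists principals whose newest key version lacks the expected encryption type. The sample listing, host names, realm and the required encryption type are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -kte <keytab>` output (MIT Kerberos layout);
# principals, realm, dates and KVNOs are made up for illustration.
SAMPLE = """\
Keytab name: FILE:hdfs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/01/2024 09:14:02 hdfs/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 03/01/2024 09:14:02 host/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/10/2023 17:40:55 mapred/node1.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# KVNO, date, time, principal@REALM, (enctype)
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")


def parse_keytab_listing(text):
    """Return {principal: set of (kvno, enctype)} from klist -kte output."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            entries[m.group(2)].add((int(m.group(1)), m.group(3).lower()))
    return dict(entries)


def audit(text, required_enctype):
    """List principals whose newest key version lacks the required enctype."""
    findings = []
    for principal, keys in sorted(parse_keytab_listing(text).items()):
        newest = max(kvno for kvno, _ in keys)
        current = {etype for kvno, etype in keys if kvno == newest}
        if required_enctype not in current:
            findings.append((principal, newest, sorted(current)))
    return findings


if __name__ == "__main__":
    # Assumed target enctype after the global configuration change.
    for principal, kvno, etypes in audit(SAMPLE, "aes256-cts-hmac-sha1-96"):
        print(f"{principal}: kvno {kvno} only has {', '.join(etypes)}")
```
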
The Security Inspector
The Security Inspector uses the Host Inspector to run a security-related set of commands on the hosts in your cluster. It reports on things such as how Java is configured for encryption and on the default realms configured on each host.
To use the Security Inspector:
- Under the Administration tab, select Kerberos.
- Click Security Inspector. Cloudera Manager begins several tasks to inspect the managed hosts.
- After the inspection completes, click Download Result Data or Show Inspector Results to review the results.