Authentication is a process that requires users and services to prove their identity when trying to access a system resource. Organizations typically manage user identity and authentication through various time-tested technologies, including Lightweight Directory Access Protocol (LDAP) directory services and Kerberos authentication.

Cloudera clusters support integration with both of these technologies. For example, organizations with existing LDAP directory services (Microsoft Active Directory, OpenLDAP) can integrate the organization's existing user and group management instead of creating new accounts throughout the cluster. For authentication, Cloudera supports integration with MIT Kerberos and with Microsoft Active Directory. Kerberos provides so-called strong authentication, which means that cryptographic mechanisms—rather than passwords—are used to authenticate user identity.

These systems are not mutually exclusive. For example, Microsoft Active Directory is an LDAP directory service that also provides Kerberos authentication services, and Kerberos credentials can be stored and managed in an LDAP directory service. Cloudera Manager Server, CDH nodes, and Cloudera Enterprise components (including Cloudera Navigator, Apache Hive, Hue, and Impala, which support external clients) can all make use of Kerberos authentication.

  Note: Cloudera does not provide a Kerberos implementation. Whether you use the Cloudera Manager wizard or the command-line, configuring the cluster to use Kerberos (MIT Kerberos, Active Directory) or LDAP (OpenLDAP, Active Directory) requires these external systems to exist and be operational.

You must have administrator privileges on the Kerberos instance's Key Distribution Center (KDC) or the active participation of your organization's KDC administrator during the configuration process.

  Note: Integrating clusters to use Microsoft Active Directory as a KDC requires the Windows registry setting for AllowTgtSessionKey to be disabled (set to 0). If this registry key has already been enabled, users and credentials are not created when they should be, despite the "Successful" message. Before using the wizard or the manual setup, check the value of AllowTgtSessionKey on the Active Directory instance and reset to 0 if necessary. See Registry Key to Allow Session Keys to Be Sent in Kerberos Ticket-Granting-Ticket at Microsoft for details.

Continue reading:

• Configuring Authentication in Cloudera Manager
• Configuring Authentication for Cloudera Navigator Data Management
• Configuring Authentication in CDH Using the Command Line
• Configuring Authentication for Other Components
• Hadoop Users in Cloudera Manager and CDH
• Configuring a Cluster-dedicated MIT KDC with Cross-Realm Trust
• Integrating Hadoop Security with Active Directory
• Integrating Hadoop Security with Alternate Authentication
• Authenticating Kerberos Principals in Java Code