Configuring Kerberos for Flume Thrift Source and Sink Using Cloudera Manager
The Thrift source can be configured to start in secure mode by enabling Kerberos authentication. To communicate with a secure Thrift source, the Thrift sink should also be operating in secure mode.
- Open the Cloudera Manager Admin Console and go to the Flume service.
- Click the Configuration tab.
- Select .
- Select .
- Edit the Configuration File property and add the Thrift source and sink properties listed in the tables below to the configuration file.
Table 1. Thrift Source Properties Property Description kerberos Set to true to enable Kerberos authentication. The agent-principal and agent-keytab properties are required for successful authentication. The Thrift source in secure mode, will accept connections only from Thrift sinks that have Kerberos-enabled and are successfully authenticated to the KDC. agent-principal The Kerberos principal used by the Thrift Source to authenticate to the KDC. agent-keytab The path to the keytab file used by the Thrift Source in combination with the agent-principal to authenticate to the KDC. Table 2. Thrift Sink Properties Property Description kerberos Set to true to enable Kerberos authentication. In Kerberos mode, client-principal, client-keytab and server-principal are required for successful authentication and communication to a Kerberos enabled Thrift Source. client-principal The principal used by the Thrift Sink to authenticate to the Kerberos KDC. client-keytab The path to the keytab file used by the Thrift Sink in combination with the client-principal to authenticate to the KDC. server-principal The principal of the Thrift Source to which this Thrift Sink connects. Note: Since Cloudera Manager generates the Flume keytab files for you, and the locations of the keytab files cannot be known beforehand, substitution variables are required for Flume. Cloudera Manager provides two Flume substitution variables called $KERBEROS_PRINCIPAL and $KERBEROS_KEYTAB to configure the principal name and the keytab file path respectively on each host.Make sure you are configuring these properties for each Thrift source and sink instance managed by Cloudera Manager. For example, for agent a1, source r1, and sink k1, you would add the following properties:
# Kerberos properties for Thrift source s1 a1.sources.r1.kerberos=true a1.sources.r1.agent-principal=<source_principal> a1.sources.r1.agent-keytab=<path/to/source/keytab> # Kerberos properties for Thrift sink k1 a1.sinks.k1.kerberos=true a1.sinks.k1.client-principal=<sink_principal> a1.sinks.k1.client-keytab=<path/to/sink/keytab> a1.sinks.k1.server-principal=<path/to/source/keytab>
- Click Save Changes to commit the changes.
- Restart the Flume service.
Page generated May 18, 2018.
<< Configuring Kerberos for Flume Sinks | ©2016 Cloudera, Inc. All rights reserved | Configuring Kerberos for Flume Thrift Source and Sink Using the Command Line >> |
Terms and Conditions Privacy Policy |