Zoomdata Version

Connecting to a Kerberized CDH Cluster

A secure CDH Cluster uses Kerberos authentication to validate and confirm access requests. You can set up Zoomdata to connect to the secure CDH Cluster using the instructions provided below for Cloudera Search and Impala. Before establishing a connection to either type of cluster, review the prerequisites and be sure to obtain your Kerberos credentials.

Prerequisites

  • Kerberos authentication requires precise time correspondence on all instances to work properly. You need to enable the Network Time Protocol service in your network. For more information, access the article Using the Network Time Protocol to Synchronize Time .

Obtaining Kerberos Credentials

Each service must have its own unique identifier called a principal. Perform the following steps:

  1. Install the Kerberos client on the machine where Zoomdata Server/Impala connector is installed.
  2. Generate Kerberos principal and corresponding keytab for Zoomdata service. Before you proceed, make sure that:

  • Zoomdata or a Connector is running on a node with proper Kerberos configuration: /etc/krb5.conf or similar location for your Linux distribution.
  • The Kerberos realm on your environment is the same as the realm specified in the kdc.conf file from Impala server.

3. Check the Kerberos configuration (that is, krb5.conf ) and validity of the principal and keytab pair using MIT Kerberos client:

     kinit -V -k -t
       zoomdata_principal
      .keytab
       [email protected]

4. Make the keytab accessible for the Zoomdata Server or a connector:

sudo mkdir /etc/zooomdata
sudo mv zoomdata_principal.keytab /etc/zoomdata
sudo chown zoomdata:zoomdata /etc/zoomdata/zoomdata_principal.keytab
sudo chmod 600 /etc/zoomdata/zoomdata_principal.keytab

Configuring an Impala Connector

  1. Create or update the file named /etc/zoomdata/edc-impala.properties . If this file already exists, verify that the information below exists in the file:
kerberos.krb5.conf.location=/etc/krb5.conf
kerberos.service.account.authentication=true
kerberos.service.account.principal=[email protected]
kerberos.service.account.keytab.location=/etc/zoomdata/zoomdata_principal.keytab

2. Restart the Impala connector:

    sudo systemctl restart zoomdata-edc-impala

Configuring a Cloudera Search Connector

  1. Create or update the file named /etc/zoomdata/edc-cloudera-search.properties . If this file already exists, verify that the information below exists in the file:
  2. kerberos.krb5.conf.location=/etc/krb5.conf
    kerberos.service.account.authentication=true
    kerberos.service.account.principal=[email protected]
    kerberos.service.account.keytab.location=/etc/zoomdata/zoomdata_principal.keytab
  3. Restart the Cloudera Search service:
sudo systemctl restart zoomdata-edc-cloudera-search

Connecting to a Kerberized Data Source

You are now ready to create the Cloudera Search/Impala source:

  1. Open a new browser window and log into Zoomdata.
  2. Select Sources.
  3. Select Cloudera Search or Impala.
  4. Specify the name of your source and add a description (if desired). Select Next .
  5. On the Connection page, define the connection source. You can use an existing connection, if available, or create a new one. To create a new connection, select the Input New Credentials option button and specify the connection name and JDBC URL. Make  sure that you enter the JDBC URL in the correct format.
    • For Impala:
jdbc:hive2://impala_host:21050/;principal=[email protected]
  • For Cloudera Search:
cloudera.domain:2181/solr

The JDBC URL for Cloudera Search needs to be the zookepper URL of the Kerberized cluster

Replace the placeholders as follows:

  • host_name enter the IP address/host name of the Impala node you are connecting to
  • [email protected] enter the principal of the node you are connecting to. To get the list of all Impala principals, navigate to Cloudera Manager > Administration > Security > Kerberos Credentials.


  1. Select Validate . After successful validation, the values are saved. Select Next .
If you run into connection issues, verify that the Zoomdata Server was restarted successfully. Access the troubleshooting article Verifying that the Zoomdata Server Restarts Properly for assistance.

You can continue configuring the data source as needed.

After you have completed the configuration, Zoomdata begins accessing the data source using [email protected] authenticated by its keytab in /etc/zoomdata/zoomdata_principal.keytab .

Using TLS ENCRYPTION along with KERBEROS authentication

See Using TLS encryption along with Kerberos Authentication  for more details.

Was this topic helpful?