Configuration examples
The following examples demonstrate security configurations and cluster configurations for common scenarios. Amazon CLI commands are shown for brevity.
Local KDC
The following commands create a cluster with a cluster-dedicated KDC running on the primary node. Additional configuration on the cluster is required. For more information, see Configuring an Amazon EMR cluster for Kerberos-authenticated HDFS users and SSH connections.
Create Security Configuration
aws emr create-security-configuration --name
LocalKDCSecurityConfig
\ --security-configuration '{"AuthenticationConfiguration": \ {"KerberosConfiguration": {"Provider": "ClusterDedicatedKdc",\ "ClusterDedicatedKdcConfiguration": {"TicketLifetimeInHours":24
}}}}'
Create Cluster
aws emr create-cluster --release-label
emr-7.5.0
\ --instance-count 3 --instance-typem5.xlarge
\ --applications Name=Hadoop
Name=Hive
--ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=MyEC2Key
\ --service-role EMR_DefaultRole \ --security-configurationLocalKDCSecurityConfig
\ --kerberos-attributes Realm=EC2.INTERNAL
,KdcAdminPassword=MyPassword
Cluster-dedicated KDC with Active Directory cross-realm trust
The following commands create a cluster with a cluster-dedicated KDC running on the primary node with a cross-realm trust to an Active Directory domain. Additional configuration on the cluster and in Active Directory is required. For more information, see Tutorial: Configure a cross-realm trust with an Active Directory domain.
Create Security Configuration
aws emr create-security-configuration --name
LocalKDCWithADTrustSecurityConfig
\ --security-configuration '{"AuthenticationConfiguration": \ {"KerberosConfiguration": {"Provider": "ClusterDedicatedKdc", \ "ClusterDedicatedKdcConfiguration": {"TicketLifetimeInHours":24
, \ "CrossRealmTrustConfiguration": {"Realm":"AD.DOMAIN.COM
", \ "Domain":"ad.domain.com
", "AdminServer":"ad.domain.com
", \ "KdcServer":"ad.domain.com
"}}}}}'
Create Cluster
aws emr create-cluster --release-label
emr-7.5.0
\ --instance-count3
--instance-typem5.xlarge
--applications Name=Hadoop
Name=Hive
\ --ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=MyEC2Key
\ --service-role EMR_DefaultRole --security-configurationKDCWithADTrustSecurityConfig
\ --kerberos-attributes Realm=EC2.INTERNAL
,KdcAdminPassword=MyClusterKDCAdminPassword
,\ ADDomainJoinUser=ADUserLogonName
,ADDomainJoinPassword=ADUserPassword
,\ CrossRealmTrustPrincipalPassword=MatchADTrustPassword
External KDC on a different cluster
The following commands create a cluster that references a cluster-dedicated KDC on the primary node of a different cluster to authenticate principals. Additional configuration on the cluster is required. For more information, see Configuring an Amazon EMR cluster for Kerberos-authenticated HDFS users and SSH connections.
Create Security Configuration
aws emr create-security-configuration --name
ExtKDCOnDifferentCluster
\ --security-configuration '{"AuthenticationConfiguration": \ {"KerberosConfiguration": {"Provider": "ExternalKdc", \ "ExternalKdcConfiguration": {"KdcServerType": "Single", \ "AdminServer": "MasterDNSOfKDCMaster:749
", \ "KdcServer": "MasterDNSOfKDCMaster:88
"}}}}'
Create Cluster
aws emr create-cluster --release-label
emr-7.5.0
\ --instance-count3
--instance-typem5.xlarge
\ --applications Name=Hadoop Name=Hive \ --ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=MyEC2Key
\ --service-role EMR_DefaultRole --security-configurationExtKDCOnDifferentCluster
\ --kerberos-attributes Realm=EC2.INTERNAL
,KdcAdminPassword=KDCOnMasterPassword
External cluster KDC with Active Directory cross-realm trust
The following commands create a cluster with no KDC. The cluster references a cluster-dedicated KDC running on the primary node of another cluster to authenticate principals. That KDC has a cross-realm trust with an Active Directory domain controller. Additional configuration on the primary node with the KDC is required. For more information, see Tutorial: Configure a cross-realm trust with an Active Directory domain.
Create Security Configuration
aws emr create-security-configuration --name
ExtKDCWithADIntegration
\ --security-configuration '{"AuthenticationConfiguration": \ {"KerberosConfiguration": {"Provider": "ExternalKdc", \ "ExternalKdcConfiguration": {"KdcServerType": "Single", \ "AdminServer": "MasterDNSofClusterKDC
:749", \ "KdcServer": "MasterDNSofClusterKDC
.com:88", \ "AdIntegrationConfiguration": {"AdRealm":"AD.DOMAIN.COM
", \ "AdDomain":"ad.domain.com
", \ "AdServer":"ad.domain.com
"}}}}}'
Create Cluster
aws emr create-cluster --release-label
emr-7.5.0
\ --instance-count3
--instance-typem5.xlarge
--applications Name=Hadoop
Name=Hive
\ --ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=MyEC2Key
\ --service-role EMR_DefaultRole --security-configurationExtKDCWithADIntegration
\ --kerberos-attributes Realm=EC2.INTERNAL
,KdcAdminPassword=KDCOnMasterPassword
,\ ADDomainJoinUser=MyPrivilegedADUserName
,ADDomainJoinPassword=PasswordForADDomainJoinUser