• MapReduce Service

  1. Help Center
  2. MapReduce Service
  3. User Guide
  4. Management of Clusters with Kerberos Authentication Enabled
  5. Configuring Cross-Cluster Mutual Trust Relationships

Configuring Cross-Cluster Mutual Trust Relationships


If two clusters, both with Kerberos authentication enabled, need to access the resources of each other, the administrator must configure the mutual trust relationships between the clusters.

If no trust relationship is configured, resources of a cluster are available only for users in the cluster. MRS automatically assigns a unique domain name for each cluster to define the scope of resources for users.

Impact on the System

  • After cross-cluster mutual trust is configured, resources of a cluster become available for users in the other cluster. User permission in the clusters must be regularly checked based on service and security requirements.
  • After cross-cluster mutual trust is configured, the two clusters must be restarted and are unavailable during restart.
  • After cross-cluster mutual trust is configured, internal users krbtgt/Local cluster domain name@External cluster domain name and krbtgt/External cluster domain name@Local cluster domain name are added to the two clusters. The internal users cannot be deleted. The default password of the users is Admin@123.
  • After cross-cluster mutual trust is configured, the client must be re-installed.


  • Kerberos authentication is enabled for both clusters. For example, two analysis clusters with Kerberos authentication enabled are created.
  • Both clusters are in the same VPC and subnet.


  1. On the MRS management console, query all security groups of the two clusters.

    Each cluster has two security groups, namely the security group of the Master node and Core node respectively.

  2. On the VPC management console, add rules for each security group.

    Set Protocol to ANYTransfer Direction to Inbound, and Source to Security Group. The source is the security group of the peer cluster. Two inbound rules are required.

  3. Log in to MRS Manager of the two clusters separately. Click Service and check whether the Health Status of all components is Good.

    • If yes, go to Step 4.
    • If no, contact technical support personnel for troubleshooting.

  4. Query configuration information.

    1. On MRS Manager of the two clusters, choose Service > KrbServer > Instance. Query OM IP Address of the two KerberosServer hosts.
    2. Click Service Configuration. Set Type to All. Choose KerberosServer > Port in the navigation tree on the left. Query the value of kdc_ports. The default value is 21732.
    3. Click Realm and query the value of default_realm.

  5. On MRS Manager of either cluster, modify the peer_realms parameter.

    Table 1 Parameter description




    default_realm of the peer cluster


    KDC address of the peer cluster. Format: IP address of a KerberosServer node in the peer cluster:kdc_port

    The addresses of the two KerberosServer nodes are separated by a comma. For example, if the IP addresses of the KerberosServer nodes are and respectively, the value of this parameter is,

    • To deploy trust relationships with multiple clusters, click  to add items and specify relevant parameters. To delete an item, click .
    • A cluster can have trust relationships with a maximum of 16 clusters. By default, no trust relationship exists between different clusters that are trusted by a local cluster.

  6. Click Save Configuration. In the dialog box that is displayed, select Restart the affected services or instances and click OK.

    After Operation succeeded is displayed, click Finish.

  7. Exit MRS Manager and log in to it again. If the login is successful, the configurations are valid.
  8. Log in to MRS Manager of the other cluster and repeat Step 5 to Step 7.