No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


FusionInsight HD 6.5.0 Administrator Guide 02

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring Cross-Cluster Mutual Trust Relationships

Configuring Cross-Cluster Mutual Trust Relationships


If two clusters need to access the resources of each other, the system administrator can configure the mutual trust relationships between clusters on FusionInsight Manager. After the configuration, users of an external cluster can be used in the cluster.

The usage range of users in each FusionInsight HD cluster is called a domain. Each cluster must have a unique domain name. Cross-cluster access means users to be used across domains.


Mutual trust cannot be configured between clusters of FusionInsight HD V100R002C60 or earlier and clusters of versions later than V100R002C60.

Impact on the System

  • After cross-cluster mutual trust is configured, users of an external cluster can be used in the cluster. The system administrator needs to periodically check the user rights in the cluster based on enterprise service and security requirements.
  • After cross-cluster mutual trust is configured, the two clusters need to be restarted and are unavailable during restart.
  • After cross-cluster mutual trust is configured, each of the two clusters trusting each other can add Kerberos internal users "krbtgt/local cluster domain name@external cluster domain name" and "krbtgt/external cluster domain name@local cluster domain name". The two users cannot be deleted. The default password is Admin@123. Based on enterprise service and security requirements, the system administrator needs to change the password periodically. The passwords of the four users in the two clusters trusting each other must be the same. For details, see Changing the Password for a Component Running User. Connections of cross-cluster service applications may be affected during the password change.
  • After configuring the cross-cluster mutual trust relationship, download and install the client again for each cluster.
  • After cross-cluster mutual trust is configured, verify services. For information about how to access the resources in the remote cluster by using users in the cluster, see Assigning User Permissions After Cross-Cluster Mutual Trust Is Configured.


  • The system administrator has specified service requirements and planned domain names for the clusters. A domain name can contain only uppercase letters, digits, dots (.), and underscores (_), and must start with a letter or a digit. For example, DOMAINA.HW and DOMAINB.HW.
  • Before cross-cluster mutual trust is configured, the cluster domain names of two clusters must be changed to ensure that each domain name is unique. For details, see Changing Cluster Domain Name. After the change, the old passwords for all users in the cluster will be reset. You need to change the passwords.
  • Before cross-cluster mutual trust is configured, ensure that the two clusters do not have the same host name or the same IP address.
  • The clusters configured cross-cluster mutual trust relationships must use the same version and be installed in safe mode. Otherwise, mutual trust relationships cannot be configured.
  • Time of two clusters configured trust relationships must be consistent and the Network Time Protocol (NTP) service in the two clusters must use the same time source.


  1. Log in to FusionInsight Manager of a cluster.
  2. Choose Cluster > Service to check whether Running Status of all components is Normal.

    • If yes, go to Step 3.
    • If no, the task is complete. See the Fault Management.

  3. Choose Cluster > Service > KrbServer > Configuration and click All Configurations.
  4. In the navigation tree, choose KerberosServer > Realm.
  5. Change the peer_realms parameter.

    Table 11-3 Related Parameters




    Set the value to the domain name of the external cluster.


    Set the value to the KDC address of the external cluster.

    The parameter value format is IP address of the node where the external cluster Kerberos service is deployed:port. In dual-plane networking, you need to enter the service IP address.

    Use a comma to separate the IP addresses of the active and standby Kerberos services. To view the value of port, choose KerberosServer > Port in the navigation tree and check the value of kdc_ports. The default value is 21732.

    For example, if the Kerberos service is deployed on and, the parameter value is,


    If you need to configure trust relationships for multiple clusters, click to add a new project and set parameters. A maximum of 16 clusters can be mutually trusted. Click to delete redundant configurations.

  6. Click Save. Click OK in the displayed window.
  7. Use PuTTY to log in to the active management node using the active management IP address as user omm. Run the following command to update domain configuration:

    sh ${BIGDATA_HOME}/om-server/om/sbin/

    The command is run successfully if the following information is displayed:

    Modify realm successfully. Use the new password to log into FusionInsight again.

    After restart, some hosts and services cannot be accessed and an alarm is generated. This problem can be automatically resolved in about 1 minute after is run.

  8. On the homepage page of FusionInsight Manager, choose More > Restart. In the dialog box that is displayed, enter the password and click OK. In the Restart Cluster dialog box, click OK to restart the cluster.
  9. Log in to FusionInsight Manager of the other cluster and repeat the preceding operations.
Updated: 2019-05-17

Document ID: EDOC1100074522

Views: 6173

Downloads: 12

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next