Version: 1.3.1.0

Network Requirements

A well-configured network is essential for ODP cluster stability and performance. This page covers DNS, NTP, firewall, and Kerberos KDC connectivity requirements.

DNS Requirements

Forward and Reverse DNS Resolution

All nodes in an ODP cluster must have valid forward DNS (hostname to IP) and reverse DNS (IP to hostname) resolution. This is a hard requirement for:

Kerberos principal binding (service principals are tied to fully qualified domain names)
HDFS NameNode to DataNode communication
YARN ResourceManager to NodeManager communication
Ambari agent registration

Verify DNS resolution on each node:

# Forward lookup
host $(hostname -f)

# Reverse lookup
host $(hostname -i)

Both lookups must return consistent results. The hostname returned by hostname -f must match the reverse DNS entry for the node's IP.

Recommended: Use DNS Server (not /etc/hosts)

For clusters with more than a few nodes, manage DNS through a proper DNS server (e.g., FreeIPA/BIND, Microsoft Active Directory DNS). Using /etc/hosts is acceptable only for lab or test environments and does not scale.

Hostname Requirements

Use fully qualified domain names (FQDNs) such as master01.cluster.example.com
Do not use single-label hostnames (e.g., master01 alone)
Avoid hostnames with underscores (_); use hyphens (-) instead — some components (Kerberos, Java SSL) reject underscores in hostnames

NTP Requirements

All cluster nodes must have their clocks synchronized via NTP. Clock skew greater than 5 minutes will cause Kerberos ticket validation to fail, resulting in authentication errors across all Kerberized services.

Recommended NTP configuration:

Use chrony (preferred on RHEL 9) or ntpd
Point all cluster nodes to the same NTP source or internal NTP server
Verify synchronization: chronyc tracking or ntpstat

# Install and enable chrony (RHEL 9 / Rocky Linux 9)
dnf install -y chrony
systemctl enable --now chronyd
chronyc tracking

Firewall Port Reference

The following table lists the key ports required for ODP services. Configure your firewall (firewalld, iptables, or security groups) to allow these ports between the relevant node types.

Core Infrastructure

Service	Port	Protocol	Direction
Ambari Server Web UI	8080	TCP	Client → Ambari Server
Ambari Server Web UI (HTTPS)	8442	TCP	Client → Ambari Server
Ambari Agent	8670	TCP	Ambari Server → All nodes
ZooKeeper client	2181	TCP	All nodes → ZooKeeper nodes
ZooKeeper peer	2888, 3888	TCP	ZooKeeper → ZooKeeper

HDFS

Service	Port	Protocol	Direction
NameNode RPC	8020	TCP	All nodes / clients → NameNode
NameNode HTTP UI	9870	TCP	Admin → NameNode
NameNode HTTPS UI	9871	TCP	Admin → NameNode
DataNode data transfer	9866	TCP	NameNode / clients → DataNode
DataNode HTTP UI	9864	TCP	Admin → DataNode
JournalNode	8485	TCP	NameNode → JournalNode

note

Port 50070 (legacy NameNode HTTP) and 50010 (legacy DataNode) were replaced in Hadoop 3.x by 9870 and 9866 respectively.

YARN

Service	Port	Protocol	Direction
ResourceManager Web UI	8088	TCP	Client → ResourceManager
ResourceManager Scheduler	8030	TCP	NodeManager → ResourceManager
NodeManager	8042	TCP	Client / RM → NodeManager
Job History Server	19888	TCP	Client → History Server
Timeline Server	8188	TCP	Client → ATS

Hive

Service	Port	Protocol	Direction
HiveServer2 (JDBC/ODBC)	10000	TCP	Client → HiveServer2
HiveServer2 (HTTP)	10001	TCP	Client → HiveServer2
Hive Metastore	9083	TCP	HiveServer2 / Spark → Metastore

HBase

Service	Port	Protocol	Direction
HBase Master	16000	TCP	RegionServer → Master
HBase Master Web UI	16010	TCP	Admin → HBase Master
RegionServer	16020	TCP	Client → RegionServer
RegionServer Web UI	16030	TCP	Admin → RegionServer

Security Services

Service	Port	Protocol	Direction
Ranger Admin Web UI	6080	TCP	Client → Ranger
Ranger Admin Web UI (HTTPS)	6182	TCP	Client → Ranger
Knox Gateway (HTTPS)	8443	TCP	External client → Knox
Atlas Web UI (HTTP)	21000	TCP	Client → Atlas
Atlas Web UI (HTTPS)	21443	TCP	Client → Atlas

Kafka

Service	Port	Protocol	Direction
Kafka Broker	6667	TCP	Producer / Consumer → Broker
Kafka Broker (SSL)	6668	TCP	Producer / Consumer → Broker

NiFi

Service	Port	Protocol	Direction
NiFi Web UI (HTTPS)	9090	TCP	Client → NiFi
NiFi Site-to-Site	10000	TCP	NiFi → NiFi (if clustered)

Polaris REST Catalog

Service	Port	Protocol	Direction
Polaris REST API	8181	TCP	Spark / Trino → Polaris

Kudu

Service	Port	Protocol	Direction
Kudu Master RPC	7051	TCP	Client / TabletServer → Master
Kudu Master Web UI	8051	TCP	Admin → Kudu Master
Kudu TabletServer RPC	7050	TCP	Client → TabletServer
Kudu TabletServer Web UI	8050	TCP	Admin → TabletServer

Kerberos KDC Connectivity

In a Kerberos-secured ODP cluster, all nodes must be able to reach the Kerberos Key Distribution Center (KDC). ODP supports both MIT Kerberos and FreeIPA (which embeds MIT Kerberos).

Service	Port	Protocol	Direction
Kerberos KDC	88	TCP + UDP	All nodes → KDC
Kerberos admin	749	TCP	Ambari Server → KDC admin
FreeIPA LDAP	389	TCP	Ambari / Ranger → FreeIPA
FreeIPA LDAPS	636	TCP	Ambari / Ranger → FreeIPA

Requirements:

All cluster nodes must be able to resolve the KDC hostname and reach port 88 (both TCP and UDP)
Ambari Server must be able to reach the KDC admin port (749) to create service principals during the Enable Kerberos wizard
If using FreeIPA, Ranger UserSync must be able to reach the LDAP port (389 or 636) for user/group synchronization

Clock Skew

Kerberos is highly sensitive to clock skew. The maximum allowed skew between a client and the KDC is 300 seconds (5 minutes) by default. Ensure NTP synchronization is in place across all nodes before enabling Kerberos (see NTP Requirements above).

Network Requirements

DNS Requirements​

Forward and Reverse DNS Resolution​

Recommended: Use DNS Server (not /etc/hosts)​

Hostname Requirements​

NTP Requirements​

Firewall Port Reference​

Core Infrastructure​

HDFS​

YARN​

Hive​

HBase​

Security Services​

Kafka​

NiFi​

Polaris REST Catalog​

Kudu​

Kerberos KDC Connectivity​

Clock Skew​