Slider Apps View can optionally connect to a Kerberos-secured cluster by following the steps below.
After deploying an HDP cluster through Ambari, it can be secured with the Enable Security button on the Admin > Security page.
We need to provide a Kerberos identity for the process in which the view runs. In this document that identity is called view-principal; it can be changed to any suitable name. Since views are generally hosted by the Ambari server, it is typically named ambari.
On the machine where the KDC server is hosted, create the user principal by running the command below
kadmin.local -q "addprinc -randkey view-principal@EXAMPLE.COM"
Next, extract the keytab file
kadmin.local -q "xst -k /path/to/keytab/view-principal.headless.keytab view-principal@EXAMPLE.COM"
The keytab file should then be copied to the keytabs location on the host where the view is hosted.
cp /path/to/keytab/view-principal.headless.keytab /etc/security/keytabs/
Change the file permissions so that only the necessary users can access it. The file should be owned by the account the view process runs as, so that it stays readable to that process after the permissions are tightened.
chmod 440 /etc/security/keytabs/view-principal.headless.keytab
If the view is hosted by ambari-server, its Kerberos identity can be set by running the command below.
ambari-server setup-security
During setup-security, provide the view-principal user along with the keytab. These same values will be provided as view parameters in Step 4.
Add the following configurations in the Custom core-site section of the HDFS service.
hadoop.proxyuser.view-principal.groups = *
hadoop.proxyuser.view-principal.hosts = view-server-host
This will in turn show up in core-site.xml as
<property>
  <name>hadoop.proxyuser.view-principal.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.view-principal.hosts</name>
  <value>view-server-host.ambari.apache.org</value>
</property>
These entries allow view-principal to impersonate (proxy) other users when it connects from the listed hosts. Keep hosts restricted to the host that runs the view rather than *, since anyone holding the view keytab on a listed host can act as any proxied user; groups may likewise be narrowed from * to the groups whose members are allowed to use the view.
Restart HDFS and YARN services.
From Ambari Admin, create a Slider Apps View with the view's Kerberos principal and keytab parameters populated as below
view-principal
/etc/security/keytabs/view-principal.headless.keytab
We need to provide a Kerberos identity for the user identified by the slider.user view parameter. The slider.user view parameter has the following interpretations:
${username}: the user logged into Ambari.
We shall assume this user is slider-user. In a secured cluster this user has to actually exist on all the hosts, and its uid should be greater than 1000 (the YARN LinuxContainerExecutor's min.user.id setting, 1000 by default, rejects lower uids).
On the machine where the KDC server is hosted, create the user principal by running the command below
kadmin.local -q "addprinc -randkey slider-user@EXAMPLE.COM"
Next, extract the keytab file
kadmin.local -q "xst -k /path/to/keytab/slider-user.headless.keytab slider-user@EXAMPLE.COM"
The keytab file should then be copied to the keytabs location on the host where the view is hosted.
cp /path/to/keytab/slider-user.headless.keytab /etc/security/keytabs/
Change the file permissions so that only the necessary users can access it, as done for the view keytab above.
Make sure that the slider-user keytab is at /etc/security/keytabs/slider-user.headless.keytab
Slider Apps contain services, which might need their own identities when talking to HDFS and YARN. To support such Apps, keytabs specific to those Apps have to be created. Each keytab should contain the identity of the principal on all hosts where the application can run.
By default, the following keytabs have to be created for specific Apps. This user has to exist on all hosts where containers are run:
HBase:
For each host host-name in the cluster, create a host-specific principal by running the command below
kadmin.local -q "addprinc -randkey slider-user/[host-name]@EXAMPLE.COM"
Next, extract the identities of all hosts into a single keytab file. Either list every host principal in one xst command, or repeat the command once per host with the same -k file; xst adds entries to an existing keytab rather than replacing it.
kadmin.local -q "xst -k /path/to/keytab/slider-user.HBASE.service.keytab slider-user/[host-name]@EXAMPLE.COM"
The keytab file containing multiple identities should then be copied to the keytabs location on the host where the view is hosted.
cp /path/to/keytab/slider-user.HBASE.service.keytab /etc/security/keytabs/
Change the file permissions so that only the necessary users can access it.
Storm:
For each host host-name in the cluster, create a host-specific principal by running the command below (skip principals that already exist from the HBase step)
kadmin.local -q "addprinc -randkey slider-user/[host-name]@EXAMPLE.COM"
Next, extract all host identities into a single keytab file for Nimbus, and the headless slider-user identity into a client keytab
kadmin.local -q "xst -k /path/to/keytab/slider-user.STORM.nimbus.keytab slider-user/[host-name]@EXAMPLE.COM"
kadmin.local -q "xst -k /path/to/keytab/slider-user.STORM.client.keytab slider-user@EXAMPLE.COM"
Note that xst assigns a fresh random key to each principal it exports, which invalidates keytabs exported earlier for the same principal: here slider-user.HBASE.service.keytab and slider-user.headless.keytab created above. In kadmin.local, add -norandkey to the xst command to export the existing key unchanged, or export every keytab a principal needs before putting any of them into use.
The keytab files containing these identities should then be copied to the keytabs location on the host where the view is hosted.
cp /path/to/keytab/slider-user.STORM.nimbus.keytab /etc/security/keytabs/
cp /path/to/keytab/slider-user.STORM.client.keytab /etc/security/keytabs/
Change the file permissions so that only the necessary users can access it.
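The whole procedure above (view principal, slider user, per-host HBase and Storm keytabs, restricted keytab permissions, and the proxyuser entries in core-site.xml) carried out as one POSIX shell script. This is an added example, not code from this page or from the Ambari project; the file name slider-keytabs.sh, the default realm, user names and directories are assumptions taken from the placeholders on this page, and the script targets MIT Kerberos kadmin.local, whose -norandkey option it uses so that exporting a principal into a second keytab does not invalidate the first. Setting DRY_RUN=1 prints the kadmin queries instead of running them.

```shell
#!/bin/sh
# Added example, not part of the Ambari page: provisions the principals and
# keytabs described above with MIT kadmin.local, installs a keytab with
# restrictive permissions, and checks the proxyuser entries in core-site.xml.
# The defaults below are hypothetical and can be overridden via the environment.
# Set DRY_RUN=1 to print the kadmin queries instead of running them.

REALM="${REALM:-EXAMPLE.COM}"
VIEW_PRINCIPAL="${VIEW_PRINCIPAL:-view-principal}"
SLIDER_USER="${SLIDER_USER:-slider-user}"
STAGING_DIR="${STAGING_DIR:-/path/to/keytab}"      # where kadmin writes keytabs
KEYTAB_DIR="${KEYTAB_DIR:-/etc/security/keytabs}"  # where the view reads them

# Run one kadmin.local query, or just print it when DRY_RUN is set.
kadmin_q() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$1"; else kadmin.local -q "$1"; fi
}

# Print "user/host@REALM" for every host given, one per line.
service_principals() {   # service_principals <user> <host>...
    u="$1"; shift
    for h in "$@"; do printf '%s/%s@%s\n' "$u" "$h" "$REALM"; done
}

# Export principals into one keytab. addprinc -randkey already gave them random
# keys; -norandkey (kadmin.local only) exports those keys without rotating them,
# so a principal can go into several keytabs and all of them stay valid.
export_keytab() {        # export_keytab <keytab-file> <principal>...
    kt="$1"; shift
    kadmin_q "xst -norandkey -k $kt $*"
}

# Create a headless (host-independent) principal and export it.
add_headless() {         # add_headless <user> <keytab-file>
    kadmin_q "addprinc -randkey $1@$REALM"
    export_keytab "$2" "$1@$REALM"
}

# Whole run for the layout on this page: view principal, slider user, then the
# per-host HBase and Storm app keytabs. Host principals are created once and
# exported into each app keytab that needs them.
provision_all() {        # provision_all <host>...
    add_headless "$VIEW_PRINCIPAL" "$STAGING_DIR/$VIEW_PRINCIPAL.headless.keytab"
    add_headless "$SLIDER_USER" "$STAGING_DIR/$SLIDER_USER.headless.keytab"
    for p in $(service_principals "$SLIDER_USER" "$@"); do
        kadmin_q "addprinc -randkey $p"
    done
    export_keytab "$STAGING_DIR/$SLIDER_USER.HBASE.service.keytab" $(service_principals "$SLIDER_USER" "$@")
    export_keytab "$STAGING_DIR/$SLIDER_USER.STORM.nimbus.keytab" $(service_principals "$SLIDER_USER" "$@")
    export_keytab "$STAGING_DIR/$SLIDER_USER.STORM.client.keytab" "$SLIDER_USER@$REALM"
}

# Copy a staged keytab into place, owned by the account that runs the view and
# readable by nobody else, then prove it works by fetching (and discarding) a TGT.
install_keytab() {       # install_keytab <staged-keytab> <owner> [principal]
    dest="$KEYTAB_DIR/$(basename "$1")"
    cp "$1" "$dest" && chown "$2" "$dest" && chmod 440 "$dest"
    klist -kt "$dest"                       # show which identities the file holds
    if [ -n "${3:-}" ]; then kinit -kt "$dest" "$3" && kdestroy; fi
}

# Pull the <value> for a given <name> out of core-site.xml. Works whether a
# property sits on one line (as in the rendering above) or spans several lines.
xml_value() {            # xml_value <core-site.xml> <property-name>
    awk -v name="$2" '
        { s = $0 }
        !want { i = index(s, "<name>" name "</name>"); if (!i) next; want = 1; s = substr(s, i) }
        match(s, /<value>[^<]*<\/value>/) { print substr(s, RSTART + 7, RLENGTH - 15); exit }
    ' "$1"
}

# Succeed only if both proxyuser entries exist and hosts is not the wildcard:
# whoever holds the view keytab on a listed host can act as any proxied user.
check_proxyuser() {      # check_proxyuser <core-site.xml> <view-principal>
    g=$(xml_value "$1" "hadoop.proxyuser.$2.groups")
    h=$(xml_value "$1" "hadoop.proxyuser.$2.hosts")
    [ -n "$g" ] && [ -n "$h" ] && [ "$h" != "*" ]
}

# Usage (on the KDC host, as a user allowed to run kadmin.local):
#   . ./slider-keytabs.sh && provision_all host1.example.com host2.example.com
#   install_keytab /path/to/keytab/view-principal.headless.keytab ambari view-principal@EXAMPLE.COM
#   check_proxyuser /etc/hadoop/conf/core-site.xml view-principal && echo proxyuser ok
```

xml_value and check_proxyuser are deliberately crude (awk over the rendered XML) and serve as a sanity check that hosts was not left as * after the Ambari edit; they do not replace the HDFS and YARN restart that makes the setting take effect.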