The HAS High Availability feature is implemented by running two redundant HAS servers.
The two redundant HAS servers must use the same HTTPS port. Below are example configurations, one per server:

    [HAS]
    https_host = emr-header-1
    https_port = 8092
    filter_auth_type = kerberos
    enable_conf = true
    [PLUGIN]
    auth_type = RAM

    [HAS]
    https_host = emr-worker-1
    https_port = 8092
    filter_auth_type = kerberos
    enable_conf = true
    [PLUGIN]
    auth_type = RAM

The two redundant HAS servers must use the MySQL backend and share the same mysql_url, mysql_user and mysql_password.
See "How to use mysql backend" for the MySQL backend configuration.
The two redundant HAS servers must also have the same ports and realms.
After init is run on either HAS server, the other one is initialized too.
Store the shared admin.keytab securely.

    cd kerby-dist/has-dist
    # Start KDC init tool
    sh bin/kdcinit.sh <conf_dir>
    # Get has-client.conf, and put it to /etc/has:
    HasInitTool: gethas -p /etc/has
    HasInitTool: exit

You will get has-client.conf like the following:

    [HAS]
    https_host = emr-header-1,emr-worker-1
    https_port = 8092
    filter_auth_type = kerberos
    enable_conf = true
    [PLUGIN]
    auth_type = RAM

Hadoop users can use the HAS HA feature by updating core-site.xml, without re-exporting has-client.conf. Add the following property:

    <property>
      <name>hadoop.security.has</name>
      <value>https://emr-header-1:8092/has/v1?auth_type=RAM;https://emr-worker-1:8092/has/v1?auth_type=RAM</value>
    </property>

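The requirements above can be checked before a pair goes into service. The following is an added example, not part of the HAS distribution: it compares the settings the two servers must share and derives the client-side https_host list and hadoop.security.has value. The sample configuration text is constructed; the [BACKEND] section name and the mysql_* values are assumptions, since this page does not show where those keys are stored.

```python
# Added example: HA consistency check for two HAS server configurations.
SHARED = ["https_port", "mysql_url", "mysql_user", "mysql_password"]  # must be identical
SECRET = {"mysql_password"}  # reported by name only, never by value

# Constructed sample input. The [BACKEND] section name is hypothetical.
COMMON = """https_port = 8092
filter_auth_type = kerberos
enable_conf = true
[PLUGIN]
auth_type = RAM
[BACKEND]
mysql_url = jdbc:mysql://db.example.internal:3306/has
mysql_user = has
mysql_password = example-only
"""
SERVER_1 = "[HAS]\nhttps_host = emr-header-1\n" + COMMON
SERVER_2 = "[HAS]\nhttps_host = emr-worker-1\n" + COMMON

def parse(text):
    """Return {key: value} for every 'key = value' line; section headers are skipped."""
    out = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith(("#", "[")) and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def check_pair(conf_a, conf_b):
    """List every violation of the shared-settings rules for an HA pair."""
    a, b = parse(conf_a), parse(conf_b)
    problems = []
    for key in SHARED:
        if key not in a or key not in b:
            problems.append(f"{key}: missing on at least one server")
        elif a[key] != b[key]:
            shown = "<hidden>" if key in SECRET else f"{a[key]!r} vs {b[key]!r}"
            problems.append(f"{key}: differs ({shown})")
    if a.get("https_host") == b.get("https_host"):
        problems.append("https_host: both servers name the same host")
    return problems

def client_settings(conf_a, conf_b):
    """Derive the has-client.conf https_host list and the hadoop.security.has value."""
    a, b = parse(conf_a), parse(conf_b)
    hosts = [a["https_host"], b["https_host"]]
    urls = [f"https://{h}:{a['https_port']}/has/v1?auth_type={a['auth_type']}" for h in hosts]
    return ",".join(hosts), ";".join(urls)

if __name__ == "__main__":
    print(check_pair(SERVER_1, SERVER_2) or "HA pair is consistent")
    print(*client_settings(SERVER_1, SERVER_2), sep="\n")
```
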

    cd kerby-dist/has-dist
    # Start KDC init tool:
    sh bin/has-init.sh <conf_dir>
    # Get krb5.conf, and put it to /etc:
    HasInitTool: getkrb5 -p /etc
    HasInitTool: exit

You will get krb5.conf like the following:

    [libdefaults]
        kdc_realm = HADOOP.COM
        default_realm = HADOOP.COM
        udp_preference_limit = 4096
        kdc_tcp_port = 88
        kdc_udp_port = 88
    [realms]
        HADOOP.COM = {
            kdc = localhost:88
            kdc = localhost:88
        }

You can use the login-test tool to verify:

    cd kerby-dist/has-dist
    # Use tgt to login
    sh bin/login-test.sh tgt <conf_dir>