blob: 486eaac81e6a398d099e79b4cd900649717b0dea [file] [log] [blame] [view]
<!---
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
### Secure Clusters ###
See these documents for setting up a secure Hadoop cluster
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ClusterSetup.html#Configuration_in_Secure_Mode
http://docs.hortonworks.com/HDPDocuments/HDP1/HDP-1.3.1/bk_installing_manually_book/content/rpm-chap14.html
Once you have a Hadoop cluster that is using Kerberos for authentication, you have to do the following to configure Knox to work with that cluster.
#### Create Unix account for Knox on Hadoop master nodes ####
useradd -g hadoop knox
#### Create Kerberos principal, keytab for Knox ####
One way of doing this, assuming your KDC realm is EXAMPLE.COM, is to ssh into your host running KDC and execute `kadmin.local`
That will result in an interactive session in which you can execute commands.
ssh into your host running KDC
kadmin.local
add_principal -randkey knox/knox@EXAMPLE.COM
ktadd -norandkey -k /etc/security/keytabs/knox.service.keytab
ktadd -k /etc/security/keytabs/knox.service.keytab -norandkey knox/knox@EXAMPLE.COM
exit
#### Grant Proxy privileges for Knox user in `core-site.xml` on Hadoop master nodes ####
Update `core-site.xml` and add the following lines towards the end of the file.
Replace FQDN_OF_KNOX_HOST with the fully qualified domain name of the host running the gateway.
You can usually find this by running `hostname -f` on that host.
You could use * for local developer testing if Knox host does not have static IP.
<property>
<name>hadoop.proxyuser.knox.groups</name>
<value>users</value>
</property>
<property>
<name>hadoop.proxyuser.knox.hosts</name>
<value>FQDN_OF_KNOX_HOST</value>
</property>
#### Grant proxy privilege for Knox in `webhcat-stie.xml` on Hadoop master nodes ####
Update `webhcat-site.xml` and add the following lines towards the end of the file.
Replace FQDN_OF_KNOX_HOST with right value in your cluster.
You could use * for local developer testing if Knox host does not have static IP.
<property>
<name>hadoop.proxyuser.knox.groups</name>
<value>users</value>
</property>
<property>
<name>hadoop.proxyuser.knox.hosts</name>
<value>FQDN_OF_KNOX_HOST</value>
</property>
#### Grant proxy privilege for Knox in `oozie-stie.xml` on Oozie host ####
Update `oozie-site.xml` and add the following lines towards the end of the file.
Replace FQDN_OF_KNOX_HOST with right value in your cluster.
You could use * for local developer testing if Knox host does not have static IP.
<property>
<name>oozie.service.ProxyUserService.proxyuser.knox.groups</name>
<value>users</value>
</property>
<property>
<name>oozie.service.ProxyUserService.proxyuser.knox.hosts</name>
<value>FQDN_OF_KNOX_HOST</value>
</property>
#### Copy knox keytab to Knox host ####
Add unix account for the knox user on Knox host
useradd -g hadoop knox
Copy knox.service.keytab created on KDC host on to your Knox host /etc/knox/conf/knox.service.keytab
chown knox knox.service.keytab
chmod 400 knox.service.keytab
#### Update krb5.conf at /etc/knox/conf/krb5.conf on Knox host ####
You could copy the `templates/krb5.conf` file provided in the Knox binary download and customize it to suit your cluster.
#### Update `krb5JAASLogin.conf` at `/etc/knox/conf/krb5JAASLogin.conf` on Knox host ####
You could copy the `templates/krb5JAASLogin.conf` file provided in the Knox binary download and customize it to suit your cluster.
#### Update `gateway-site.xml` on Knox host on Knox host ####
Update `conf/gateway-site.xml` in your Knox installation and set the value of `gateway.hadoop.kerberos.secured` to true.
#### Restart Knox ####
After you do the above configurations and restart Knox, Knox would use SPNego to authenticate with Hadoop services and Oozie.
There is no change in the way you make calls to Knox whether you use Curl or Knox DSL.