| <!DOCTYPE html> |
| <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]--> |
| <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]--> |
| <head> |
| <meta charset="utf-8"> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| |
| <title>YARN Security Guide - Apache Gearpump(incubating)</title> |
| |
| |
| <link rel="shortcut icon" href="../../img/favicon.ico"> |
| |
| |
| <link href='https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700' rel='stylesheet' type='text/css'> |
| |
| <link rel="stylesheet" href="../../css/theme.css" type="text/css" /> |
| <link rel="stylesheet" href="../../css/theme_extra.css" type="text/css" /> |
| <link rel="stylesheet" href="../../css/highlight.css"> |
| |
| |
| <script> |
| // Current page data |
| var mkdocs_page_name = "YARN Security Guide"; |
| </script> |
| |
| <script src="../../js/jquery-2.1.1.min.js"></script> |
| <script src="../../js/modernizr-2.8.3.min.js"></script> |
| <script type="text/javascript" src="../../js/highlight.pack.js"></script> |
| <script src="../../js/theme.js"></script> |
| |
| |
| </head> |
| |
| <body class="wy-body-for-nav" role="document"> |
| |
| <div class="wy-grid-for-nav"> |
| |
| |
| |
| <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"> |
| |
| |
| |
| |
| <div class="wy-nav-content"> |
| <div class="rst-content"> |
| <div role="main"> |
| <div class="section"> |
| |
| <p>Gearpump currently supports deployment in a secured YARN cluster and writing to secured HBase, where "secured" means Kerberos-enabled. |
| Further security-related features are in progress.</p> |
| <h2 id="how-to-launch-gearpump-in-a-secured-yarn-cluster">How to launch Gearpump in a secured Yarn cluster</h2> |
| <p>Suppose user <code>gear</code> will launch Gearpump on YARN; the corresponding principal <code>gear</code> should then be created on the KDC server.</p> |
| <ol> |
| <li> |
| <p>Create a Kerberos principal for user <code>gear</code> on the KDC machine:</p> |
| <pre class="codehilite"><code class="language-bash">sudo kadmin.local</code></pre> |
| |
| |
| <p>In the kadmin.local or kadmin shell, create the principal:</p> |
| <pre class="codehilite"><code class="language-bash">kadmin: addprinc gear/fully.qualified.domain.name@YOUR-REALM.COM</code></pre> |
| |
| |
| <p>Remember that user <code>gear</code> must exist on every node of the YARN cluster.</p> |
| </li> |
| <li> |
| <p>Upload gearpump-2.11-0.8.3.zip to a remote HDFS folder; we suggest putting it under <code>/usr/lib/gearpump/gearpump-2.11-0.8.3.zip</code>.</p> |
| </li> |
| <li> |
| <p>Create the HDFS folder /user/gear/ and make sure all read-write rights are granted to user <code>gear</code>:</p> |
| <pre class="codehilite"><code class="language-bash">drwxr-xr-x - gear gear 0 2015-11-27 14:03 /user/gear</code></pre> |
| |
| |
| </li> |
| <li> |
| <p>Put the YARN configuration on the classpath. |
| Before calling <code>yarnclient launch</code>, make sure all YARN configuration files are on the classpath. Typically, you can just copy all files under <code>$HADOOP_HOME/etc/hadoop</code> from one of the YARN cluster machines to <code>conf/yarnconf</code> of Gearpump. <code>$HADOOP_HOME</code> points to the Hadoop installation directory.</p> |
| </li> |
| <li> |
| <p>Get Kerberos credentials to submit the job:</p> |
| <pre class="codehilite"><code class="language-bash">kinit gearpump/fully.qualified.domain.name@YOUR-REALM.COM</code></pre> |
| |
| |
| <p>Here you can log in with a keytab or a password. Please refer to the Kerberos documentation for details. Then launch Gearpump:</p> |
| <pre class="codehilite"><code class="language-bash">yarnclient launch -package /usr/lib/gearpump/gearpump-2.11-0.8.3.zip</code></pre> |
| |
| |
| </li> |
| </ol> |
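<p>The checks implied by steps 2 to 5, gathered into one pre-flight script. This is an added example, not part of Gearpump or of the original guide: the function names are hypothetical, it assumes <code>core-site.xml</code> was copied into <code>conf/yarnconf</code> along with the other Hadoop files, and rejecting a world-writable <code>/user/gear</code> is an extra check the guide does not require.</p>

```shell
#!/usr/bin/env bash
# Pre-flight checks before `yarnclient launch` on a Kerberos-enabled cluster.
# Added example: function names are hypothetical, not part of Gearpump.

# Step 3: validate one line of `hdfs dfs -ls -d /user/<user>` output.
# Passes only for a directory owned by <user> with owner rwx; a
# world-writable directory is rejected (extra check, not required by the guide).
check_home_dir() {
  hd_perms=$(printf '%s\n' "$1" | awk '{print $1}')
  hd_owner=$(printf '%s\n' "$1" | awk '{print $3}')
  [ "$hd_owner" = "$2" ] || { echo "owner is '$hd_owner', expected '$2'" >&2; return 1; }
  case "$hd_perms" in
    d???????w*) echo "world-writable: $hd_perms" >&2; return 1 ;;
    drwx*)      return 0 ;;
    *)          echo "not a directory with owner rwx: $hd_perms" >&2; return 1 ;;
  esac
}

# Step 4: the copied client config must select Kerberos authentication.
# Assumes core-site.xml was copied into the directory with the YARN files.
conf_is_kerberos() {
  [ -f "$1/core-site.xml" ] || return 1
  tr -d ' \t\r\n' < "$1/core-site.xml" |
    grep -qF '<name>hadoop.security.authentication</name><value>kerberos</value>'
}

# Steps 2-5 against a live cluster; needs klist and hdfs on PATH.
preflight() {
  pf_user="${1:-gear}"
  pf_pkg="${2:-/usr/lib/gearpump/gearpump-2.11-0.8.3.zip}"
  klist -s || { echo "no valid Kerberos ticket, run kinit first" >&2; return 1; }
  conf_is_kerberos conf/yarnconf ||
    { echo "conf/yarnconf/core-site.xml does not enable Kerberos" >&2; return 1; }
  hdfs dfs -test -e "$pf_pkg" || { echo "package missing in HDFS: $pf_pkg" >&2; return 1; }
  check_home_dir "$(hdfs dfs -ls -d "/user/$pf_user" | tail -n 1)" "$pf_user" || return 1
  echo "pre-flight OK: yarnclient launch -package $pf_pkg"
}

# Offline demo on the listing shown in step 3; pass --live to query the cluster.
SAMPLE_LS='drwxr-xr-x - gear gear 0 2015-11-27 14:03 /user/gear'
check_home_dir "$SAMPLE_LS" gear && echo "sample listing OK"
if [ "${1:-}" = "--live" ]; then preflight gear; fi
```

<p>Run without arguments, the script only checks the sample listing from step 3; with <code>--live</code> it queries the ticket cache and HDFS and stops at the first failed check.</p>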
| <h2 id="how-to-write-to-secured-hbase">How to write to secured HBase</h2> |
| <p>When the remote HBase is security-enabled, a Kerberos keytab and the corresponding principal name need to be |
| provided for the gearpump-hbase connector. Specifically, the <code>UserConfig</code> object passed into the HBaseSink should contain |
| <code>{("gearpump.keytab.file", "$keytab"), ("gearpump.kerberos.principal", "$principal")}</code>. Example code for writing to secured HBase:</p> |
| <pre class="codehilite"><code class="language-scala">import java.io.File |
| import com.google.common.io.Files // Guava |
| |
| // Principal the connector authenticates as, and the raw bytes of its keytab. |
| val principal = "gearpump/fully.qualified.domain.name@YOUR-REALM.COM" |
| val keytabContent = Files.toByteArray(new File("path_to_keytab_file")) |
| // The keytab is passed as a byte array, not as a file path. |
| val appConfig = UserConfig.empty |
| .withString("gearpump.kerberos.principal", principal) |
| .withBytes("gearpump.keytab.file", keytabContent) |
| // "$tableName", "$sinkNum" and "$splitNum" are placeholders to fill in. |
| val sink = new HBaseSink(appConfig, "$tableName") |
| val sinkProcessor = DataSinkProcessor(sink, "$sinkNum") |
| val split = Processor[Split]("$splitNum") |
| val computation = split ~> sinkProcessor |
| val application = StreamApplication("HBase", Graph(computation), UserConfig.empty)</code></pre> |
| |
| |
| <p>Note that the keytab file set in the config should be a byte array.</p> |
| <h2 id="future-plan">Future Plan</h2> |
| <h3 id="more-external-components-support">More external components support</h3> |
| <ol> |
| <li>HDFS</li> |
| <li>Kafka</li> |
| </ol> |
| <h3 id="authenticationkerberos">Authentication(Kerberos)</h3> |
| <p>Since Gearpump’s Master-Worker structure is similar to HDFS’s NameNode-DataNode and YARN’s ResourceManager-NodeManager, we may follow the approach they use.</p> |
| <ol> |
| <li>User creates kerberos principal and keytab for Gearpump.</li> |
| <li>Deploy the keytab files to all the cluster nodes.</li> |
| <li>Configure Gearpump’s conf file, specify kerberos principal and local keytab file location.</li> |
| <li>Start Master and Worker.</li> |
| </ol> |
| <p>Every application has a submitter/user. We will separate the applications of different users, for example with different log folders for different applications. |
| Only authenticated users can submit an application to Gearpump's Master.</p> |
| <h3 id="authorization">Authorization</h3> |
| <p>Hopefully more on this soon</p> |
| |
| </div> |
| </div> |
| |
| </div> |
| </div> |
| |
| </section> |
| |
| </div> |
| |
| |
| </body> |
| </html> |