You can enable or disable Kerberos authentication.
To enable Kerberos-based authentication for the MapReduce framework:
- The KDC must be set up on a server to issue Kerberos tickets. This reference assumes that you know how to set up a KDC and realm.
- The Kerberos client must be installed on all management and compute hosts. Any entity (a user or a host which is not the KDC server) is considered a Kerberos client. This reference assumes that you know how to install and set up the Kerberos client.
- Hadoop must be configured for secure HDFS. See Hadoop security configuration.
- Create and deploy the IBM® Spectrum Symphony service principal and the keytab files.
- Based on your access, start kadmin.local on the KDC or kadmin on any machine.
- If you have root access to the KDC server but do not have a Kerberos admin account, use kadmin.local. Enter sudo kadmin.local on the KDC and provide your Linux® password.
- If you do not have root access to the KDC server but have a Kerberos admin account, use kadmin. Enter kadmin and provide your Kerberos admin password.
- If you have root access to the KDC server and a Kerberos admin account, you can use either one.
- Create the service principal with a password that is to be used for the cluster administrator's login. For example:
kadmin.local: add_principal -kvno 1 testuser/iMapReduce@EXAMPLE.COM
Enter password for principal "testuser/iMapReduce@EXAMPLE.COM":
Re-enter password for principal "testuser/iMapReduce@EXAMPLE.COM":
Principal "testuser/iMapReduce@EXAMPLE.COM" created.
kadmin.local: list_principals testuser/iMapReduce@EXAMPLE.COM
testuser/iMapReduce@EXAMPLE.COM
- Generate the key table file containing the principal name, using the same key version number and password. For example:
$ ktutil
ktutil: add_entry -password -p testuser/iMapReduce@EXAMPLE.COM -k 1 -e des3-cbc-sha1-kd
ktutil: write_kt abcuser.keytab
Note: If your Kerberos version supports the norandkey option in the xst command, you can use the xst -norandkey command to create the keytab file (without -norandkey, xst replaces the principal's key with a random one, which would invalidate the password set in the previous step). For example: xst -norandkey -k keytab_file hdfs/fully.qualified.domain.name
- Distribute the key table file to all hosts in the cluster, to the location specified by KEYTAB in the sec_ego_kerberos.conf file. All hosts need access to the keytab file, either by having it locally or through a shared directory.
- On the primary host, edit the application profile at $PMR_HOME/version/os_type/profile/ to add the following properties:
- In the SSM (application manager) section, add the SSMHDFSRenewalPluginCmd attribute:
SSM resReq="" workDir="${EGO_SHARED_TOP}/soam/work" SSMHDFSRenewalPluginCmd="path_to_plugin $HADOOP_HOME path_to_conf_file"
where:
path_to_plugin specifies the location of the Kerberos plug-in, which is by default at ${SOAM_HOME}/mapreduce/version/os_type/plugin/
$HADOOP_HOME specifies the directory under which HDFS was installed.
path_to_conf_file specifies the location of the sec_ego_kerberos.conf file defined by EGO_SEC_CONF. The sec_ego_kerberos.conf file is by default at $EGO_CONFDIR/
For example:
SSM workDir="${EGO_SHARED_TOP}/soam/work" SSMHDFSRenewalPluginCmd="${SOAM_HOME}/mapreduce/version/os_type/plugin/TokenRenewal4HDFS.sh $HADOOP_HOME ${EGO_CONFDIR}/sec_ego_kerberos.conf"
- In the Service section, configure an environment variable under osTypes > osType to define the location of the Hadoop token file. For example:
<env name="HADOOP_TOKEN_FILE_LOCATION">${SOAM_HOME}/mapreduce/work/token/${log4cxx_autoindex}/_PMR_TOKENS</env>
- Register the application using the soamreg command. For example, using the default MapReduce application:
soamreg $PMR_HOME/version/os_type/profile/MapReduce732.xml
- As cluster administrator, shut down the cluster from the primary host using the following commands:
$ soamcontrol app disable all -f
$ egosh standby kill -GLOBAL all    (only if global standby services are enabled)
$ egosh service stop all
$ egosh ego shutdown all
- Edit sec_ego_kerberos.conf at $EGO_CONFDIR on all hosts in the cluster. For example:
REALM=EXAMPLE.COM
PRINCIPALNAME=testuser/iMapReduce
KEYTAB=/dev/sym_mr/kernel/conf/abcuser.keytab
- Edit ego.conf at $EGO_CONFDIR on all hosts in the cluster. For example:
EGO_SEC_PLUGIN=sec_ego_kerberos
EGO_SEC_CONF=/opt/ibm/spectrumcomputing/kernel/conf/
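Because sec_ego_kerberos.conf and ego.conf must be edited by hand on every host, a small consistency check before the cluster is restarted catches the usual slips (a host that never received the keytab, a keytab left group- or world-readable, EGO_SEC_PLUGIN still at its default). The following is an added example written for this page, not part of the product; the sample file contents mirror the examples above, the function names are my own, and the keytab written in demo() is a constructed placeholder, not a real keytab.

```python
import os
import stat
import tempfile

# Constructed sample files, mirroring the examples given in the procedure.
SAMPLE_KERBEROS_CONF = """\
REALM=EXAMPLE.COM
PRINCIPALNAME=testuser/iMapReduce
KEYTAB=/dev/sym_mr/kernel/conf/abcuser.keytab
"""

SAMPLE_EGO_CONF = """\
EGO_SEC_PLUGIN=sec_ego_kerberos
EGO_SEC_CONF=/opt/ibm/spectrumcomputing/kernel/conf/
"""


def parse_kv(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored.
    Only the first '=' separates key from value, so values may contain '='."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_kerberos_setup(kerberos_conf_text, ego_conf_text):
    """Return a list of findings for one host; an empty list means the
    two files are consistent with the procedure and the keytab is usable."""
    findings = []
    krb = parse_kv(kerberos_conf_text)
    ego = parse_kv(ego_conf_text)

    for key in ("REALM", "PRINCIPALNAME", "KEYTAB"):
        if not krb.get(key):
            findings.append(f"sec_ego_kerberos.conf: {key} is missing or empty")

    if ego.get("EGO_SEC_PLUGIN") != "sec_ego_kerberos":
        findings.append("ego.conf: EGO_SEC_PLUGIN must be sec_ego_kerberos")
    if not ego.get("EGO_SEC_CONF"):
        findings.append("ego.conf: EGO_SEC_CONF is not set")

    keytab = krb.get("KEYTAB")
    if keytab:
        if not os.path.isfile(keytab):
            findings.append(f"keytab not found on this host: {keytab}")
        else:
            # The keytab is a long-term key: nobody but the owner should read it.
            mode = stat.S_IMODE(os.stat(keytab).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(
                    f"keytab {keytab} is group/world accessible (mode {mode:04o}); use 0600")
    return findings


def demo():
    """Run the check against constructed files in a temporary directory and
    return (findings for a good setup, findings for a loose keytab,
    findings when ego.conf still selects the default plug-in)."""
    with tempfile.TemporaryDirectory() as tmp:
        keytab = os.path.join(tmp, "abcuser.keytab")
        with open(keytab, "wb") as fh:
            fh.write(b"\x05\x02")  # constructed placeholder bytes, not a real keytab
        os.chmod(keytab, 0o600)
        conf = SAMPLE_KERBEROS_CONF.replace(
            "/dev/sym_mr/kernel/conf/abcuser.keytab", keytab)

        good = check_kerberos_setup(conf, SAMPLE_EGO_CONF)
        os.chmod(keytab, 0o644)
        loose = check_kerberos_setup(conf, SAMPLE_EGO_CONF)
        default_plugin = check_kerberos_setup(conf, "EGO_SEC_PLUGIN=sec_ego_default\n")
        return good, loose, default_plugin


if __name__ == "__main__":
    for label, result in zip(("good", "loose keytab", "default plug-in"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Run it on each host after the files are distributed (point it at the real $EGO_CONFDIR paths instead of the constructed samples); any non-empty result is a reason not to restart yet.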
- Edit sd.xml at $EGO_ESRVDIR/esc/conf/services/ on all hosts in the cluster to add the KRB5RCACHETYPE environment variable under the correct operating system version:
<ego:EnvironmentVariable name="KRB5RCACHETYPE">none</ego:EnvironmentVariable>
- Run the following command on the primary host to start the cluster:
- Edit pmr-site.xml at $PMR_HOME/conf on all hosts in the cluster:
- Remove the following properties:
mapreduce.job.login.user
mapreduce.job.login.password
- Add the mapreduce.jobtracker.kerberos.principal property. For example:
<property>
<name>mapreduce.jobtracker.kerberos.principal</name>
<value>testuser/iMapReduce@EXAMPLE.COM</value>
<description>The user to renew HDFS token.</description>
</property>
Note: If you are using Hadoop-2.x and YARN, use the yarn.resourcemanager.principal property. For example:
<property>
<name>yarn.resourcemanager.principal</name>
<value>testuser/iMapReduce@EXAMPLE.COM</value>
<description>The user to renew HDFS token.</description>
</property>
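The pmr-site.xml edit has to be repeated on every host, and it is the step where plain-text credentials (mapreduce.job.login.user and mapreduce.job.login.password) are removed in favour of the principal, so it is worth scripting and making idempotent. The following is an added example for this page, not the product's own tooling; the sample pmr-site.xml is constructed (only the property names from the procedure are real), and the function names are my own. It also handles the Hadoop-2.x/YARN variant from the note above by writing yarn.resourcemanager.principal instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample pmr-site.xml, not the product's shipped file.
SAMPLE_PMR_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>mapreduce.job.login.user</name>
    <value>Admin</value>
  </property>
  <property>
    <name>mapreduce.job.login.password</name>
    <value>Admin</value>
  </property>
  <property>
    <name>mapreduce.jobtracker.address</name>
    <value>primaryhost:9001</value>
  </property>
</configuration>
"""

# Plain-text login properties that the Kerberos plug-in replaces.
LEGACY_LOGIN_PROPERTIES = ("mapreduce.job.login.user", "mapreduce.job.login.password")


def _prop_name(prop):
    return prop.findtext("name", default="").strip()


def enable_kerberos_principal(xml_text, principal, yarn=False):
    """Return pmr-site.xml text with the legacy login properties removed and
    the principal property set. yarn=False writes
    mapreduce.jobtracker.kerberos.principal; yarn=True writes
    yarn.resourcemanager.principal (Hadoop-2.x with YARN)."""
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError("expected a <configuration> root element")

    for prop in list(root.findall("property")):
        if _prop_name(prop) in LEGACY_LOGIN_PROPERTIES:
            root.remove(prop)

    target = "yarn.resourcemanager.principal" if yarn else "mapreduce.jobtracker.kerberos.principal"

    # Idempotent: update an existing property instead of appending a duplicate.
    existing = next((p for p in root.findall("property") if _prop_name(p) == target), None)
    if existing is None:
        existing = ET.SubElement(root, "property")
        ET.SubElement(existing, "name").text = target
        ET.SubElement(existing, "value")
        ET.SubElement(existing, "description").text = "The user to renew HDFS token."
    value = existing.find("value")
    if value is None:
        value = ET.SubElement(existing, "value")
    value.text = principal

    if hasattr(ET, "indent"):  # Python 3.9+; keeps the file readable
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def property_map(xml_text):
    """{name: value} for every <property> in a Hadoop-style configuration file."""
    root = ET.fromstring(xml_text)
    return {_prop_name(p): (p.findtext("value") or "") for p in root.findall("property")}


if __name__ == "__main__":
    print(enable_kerberos_principal(SAMPLE_PMR_SITE, "testuser/iMapReduce@EXAMPLE.COM"))
```

On a real host, read $PMR_HOME/conf/pmr-site.xml, pass its text through enable_kerberos_principal with PRINCIPALNAME@REALM from sec_ego_kerberos.conf, and write the result back; running it twice produces the same file.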
- Restart the cluster using the following commands:
$ egosh ego restart all
$ soamcontrol app enable application_name
- Now that the Kerberos plug-in is enabled, specify your Kerberos credentials before submitting a MapReduce job.
- Log in to IBM Spectrum Symphony as the MapReduce cluster administrator:
egosh user logon
Note: Log on as Admin, and use the password assigned for the MapReduce cluster administrator (theoretically, since you have access to the keytab and the proper credentials to create an access ticket, you can use any password here).
- Submit a MapReduce job from the mrsh utility.
What to do next
To disable Kerberos authentication:
- Log on to the primary host as cluster administrator and shut down the cluster using the following commands:
$ egosh standby kill -GLOBAL all
$ egosh service stop all
$ egosh ego shutdown all
Note that you only need to run $ egosh standby kill -GLOBAL all if global services are enabled.
- Edit ego.conf at $EGO_CONFDIR to change EGO_SEC_PLUGIN on all hosts in the cluster:
EGO_SEC_PLUGIN=sec_ego_default
- Restart the cluster using the following commands:
$ egosh ego start all
$ soamcontrol app enable application_name