Configure Kerberos Authentication for HttpFS

About this task

Complete the following steps to enable Kerberos security on nodes where you run the httpFS service:

Procedure

  1. Verify that /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin file exists.
    This file may have been renamed to context.xml to configure PAM authentication for HttpFS. However, to configure Kerberos for HttpFS, rename the file back to context.xml.jpamLogin. 
    mv /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin
  2. Modify the httpfs-site.xml file.

    MapR provides a Kerberos-ready version of the httpfs-site.xml file called httpfs-site.xml.kerberos. This file resides in /opt/mapr/httpfs/httpfs-1.0/etc/hadoop. You must edit this file and specify the kerberos principal name for the nodes where you are running httpFS, restart the httpFS server, and then you can test the set-up. Each step is explained here.

    To set up the httpfs-site.xml file for each node running the httpFS service, follow these steps:

    1. Assign a new name to the existing httpfs-site.xml file (to preserve the original version when the file gets overwritten in step 2). 
      cp /opt/mapr/httpfs/httpfs-1.0/etc/hadoop httpfs-site.xml httpfs-site.xml.original
    2. Copy the kerberos version (httpfs-site.xml.kerberos) to the existing httpfs-site.xml file. 
      cp /opt/mapr/httpfs/httpfs-1.0/etc/hadoop httpfs-site.xml.kerberos httpfs-site.xml
    3. Edit the httpfs-site.xml file and insert the principal name as shown: 
      <property>
  <name>
    httpfs.authentication.kerberos.principal
  </name>
  <value>
    mapr/perfnode153.perf.lab@mapr.com
  </value>
</property>
      Substitute your fully qualified domain name and your realm for perfnode153.perf.lab@dev-maprtech.com.
    4. Restart the httpFS server so the changes will take effect. 
      sudo -u mapr /opt/mapr/httpfs/httpfs-1.0/sbin/httpfs.sh stop
sudo -u mapr /opt/mapr/httpfs/httpfs-1.0/sbin/httpfs.sh start
    5. Test that security is in place by entering the following command to create a file in MapR-FS. The command will fail if security is not set up correctly. 
      curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt -i -X PUT
"http://perfnode153.perf.lab:14000/webhdfs/v1/user/mapr/some_file?op=MKDIRS"
  3. (Optional) Configure the HTTP header size.

    The maxHttpHeaderSize parameter defines the maximum size of the request and response HTTP header, specified in bytes. If it is not specified, this parameter defaults to 8192 (8KB).

    When Kerberos security is enabled, you may need to increase this value in the server.xml file:

    /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml

    For example:

    <Connector port="${httpfs.http.port}" maxHttpHeaderSize="32000" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>

    If you do not increase this value, you may encounter errors of the following form:

    HTTP/1.1 400 Bad Request

    NOTE: After making this configuration change, restart the httpFS server.