Configure Kerberos Authentication for HttpFS
About this task
Complete the following steps to enable Kerberos security on nodes where you run the httpFS service:
Procedure
-
Verify that /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin
file exists.
This file may have been renamed to
context.xml
to configure PAM authentication for HttpFS. However, to configure Kerberos for HttpFS, rename the file back tocontext.xml.jpamLogin
.mv /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin
-
Modify the httpfs-site.xml file.
MapR provides a Kerberos-ready version of the
httpfs-site.xml
file calledhttpfs-site.xml.kerberos
. This file resides in/opt/mapr/httpfs/httpfs-1.0/etc/hadoop
. You must edit this file and specify the kerberos principal name for the nodes where you are running httpFS, restart the httpFS server, and then you can test the set-up. Each step is explained here.To set up the
httpfs-site.xml
file for each node running the httpFS service, follow these steps: -
(Optional) Configure the HTTP header size.
The
maxHttpHeaderSize
parameter defines the maximum size of the request and response HTTP header, specified in bytes. If it is not specified, this parameter defaults to 8192 (8KB).When Kerberos security is enabled, you may need to increase this value in the
server.xml
file:/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml
For example:
<Connector port="${httpfs.http.port}" maxHttpHeaderSize="32000" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
If you do not increase this value, you may encounter errors of the following form:
HTTP/1.1 400 Bad Request
NOTE: After making this configuration change, restart the httpFS server.