Configuring JobTracker with Kerberos
Describes how to enable communication between Hue and JobTracker using Kerberos.
For Hue to communicate with JobTracker, JobTracker needs to be configured for Kerberos. For a complete discussion on this subject, see Configuring Kerberos User Authentication.
The following sections explain the procedures that enable Kerberos on JobTracker nodes.
Creating a Kerberos Principal and a keytab File
In order to use JobTracker with Kerberos, you need to create a Kerberos principal and a keytab file. A Kerberos principal is a unique identity that represents a user or service in a Kerberos system. The user obtains a ticket for a principal name (through the kinit utility) and this ticket authenticates the user to the Kerberos server.
The keytab file contains principal names and their corresponding encrypted keys, or tickets.
Creating Kerberos Principals
Use the addprinc command at the kadmin console prompt to create two principals in the same realm as the MapR cluster:
- a JobTracker user principal (used by SPNEGO webservers)
- an HTTP user principal (for nodes that handle SPNEGO traffic)
For example, if the JobTracker service and the webserver service are running on a node called perfnode153.perf.lab and the realm is called dev-maprtech, the commands to add the JobTracker principal and the HTTP principal are:
kadmin: addprinc -randkey mapr/perfnode153.perf.lab@dev-maprtech
kadmin: addprinc -randkey HTTP/perfnode153.perf.lab@dev-maprtech
Creating a keytab File
Keytabs are created or appended to by extracting keys from the KDC database using the ktadd command inside the kadmin console prompt.
To create a keytab file for the JobTracker principal, you use the same procedure that you use to create the keytab for the MapR-FS or mapred principal for a specific host.
- Create the keytab file for the JobTracker principal. Name this file mapr.keytab and put it in the directory /opt/mapr/conf on the machine running the JobTracker server, as shown:
  kadmin: ktadd -k /opt/mapr/conf/mapr.keytab mapr/perfnode153.perf.lab
- Set owner-only read/write permissions (mode 600) on the mapr.keytab file.
  $ sudo chmod 600 /opt/mapr/conf/mapr.keytab
- Set the file's owner to the user running the JobTracker server (usually mapr).
  $ sudo chown mapr:mapr /opt/mapr/conf/mapr.keytab
- Copy the mapr.keytab file to all the nodes running Hue, Hive, httpfs, and Oozie services.
Modifying the mapred-site.xml File
The mapred-site.xml file needs the following information for JobTracker:
Property Name | Description | Value |
---|---|---|
mapreduce.jobtracker.kerberos.principal | Hostname and realm | mapr/_HOST@<REALM> |
mapreduce.jobtracker.keytab.file | Path to the MapReduce keytab file | /opt/mapr/conf/mapr.keytab |
Add these properties to your mapred-site.xml file as shown in the following example. Note that this example uses dev-maprtech for the Kerberos realm.
<!-- JobTracker security configuration -->
<property>
<name>mapreduce.jobtracker.kerberos.principal</name>
<value>mapr/_HOST@dev-maprtech</value>
</property>
<property>
<name>mapreduce.jobtracker.keytab.file</name>
<value>/opt/mapr/conf/mapr.keytab</value> <!-- path to the MapReduce keytab -->
</property>
Modifying the env.sh File
The env.sh file contains a setting for MapR login options that defaults to the value maprsasl. Change this value to hybrid, which applies to Kerberos and other security protocols.
The new line (after the change) should look like this:
MAPR_LOGIN_OPTS="-Dhadoop.login=hybrid ${MAPR_JAAS_CONFIG_OPTS} ${MAPR_ZOOKEEPER_OPTS}"
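Before restarting, the settings from the sections above can be checked in one pass. The following is an added example, not part of the MapR documentation or tooling: the function names are hypothetical, the sample inputs are constructed, and it assumes mapred-site.xml has the usual <configuration> root element.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

KEYTAB = "/opt/mapr/conf/mapr.keytab"  # keytab path used throughout this page

def check_keytab(path, expected_uid):
    """Flag a keytab that group/other can access, or that the wrong user owns."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:03o} exposes keys to group/other (want 600)")
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return problems

def check_mapred_site(xml_text, realm):
    """Compare the two JobTracker Kerberos properties with the values in the table."""
    root = ET.fromstring(xml_text)
    found = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
             for p in root.iter("property")}
    wanted = {
        "mapreduce.jobtracker.kerberos.principal": f"mapr/_HOST@{realm}",
        "mapreduce.jobtracker.keytab.file": KEYTAB,
    }
    return [f"{name}: expected {value!r}, found {found.get(name)!r}"
            for name, value in wanted.items() if found.get(name) != value]

def check_env_sh(text):
    """The last uncommented MAPR_LOGIN_OPTS assignment must select hybrid login."""
    lines = re.findall(r"^[ \t]*(?:export[ \t]+)?MAPR_LOGIN_OPTS=(.*)$", text, re.M)
    if not lines:
        return ["MAPR_LOGIN_OPTS is not set"]
    m = re.search(r"-Dhadoop\.login=(\w+)", lines[-1])
    login = m.group(1) if m else None
    return [] if login == "hybrid" else [f"hadoop.login is {login!r}, expected 'hybrid'"]

# Constructed sample inputs (not taken from a real cluster); env.sh still has the default.
SAMPLE_SITE = """<configuration>
  <property><name>mapreduce.jobtracker.kerberos.principal</name><value>mapr/_HOST@dev-maprtech</value></property>
  <property><name>mapreduce.jobtracker.keytab.file</name><value>/opt/mapr/conf/mapr.keytab</value></property>
</configuration>"""
SAMPLE_ENV = 'MAPR_LOGIN_OPTS="-Dhadoop.login=maprsasl ${MAPR_JAAS_CONFIG_OPTS}"\n'

if __name__ == "__main__":
    for problem in check_mapred_site(SAMPLE_SITE, "dev-maprtech") + check_env_sh(SAMPLE_ENV):
        print("FAIL", problem)
```

On a cluster node, pass the real file contents and call check_keytab(KEYTAB, pwd.getpwnam("mapr").pw_uid) to cover the ownership and permission steps as well.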
Restarting JobTracker
maprcli node services -jobtracker restart