Configuring JobTracker with Kerberos

Describes how to enable communication between Hue and JobTracker using Kerberos.

For Hue to communicate with JobTracker, JobTracker needs to be configured for Kerberos. For a complete discussion on this subject, see Configuring Kerberos User Authentication.

The following sections explain the procedures that enable Kerberos on JobTracker nodes.

Creating a Kerberos Principal and a keytab File

In order to use JobTracker with Kerberos, you need to create a Kerberos principal and a keytab file. A Kerberos principal is a unique identity that represents a user or service in a Kerberos system. The user obtains a ticket for a principal name (through the kinit utility) and this ticket authenticates the user to the Kerberos server.

The keytab file contains principal names and their corresponding encrypted keys, or tickets.

Creating Kerberos Principals

Use the addprinc command at the kadmin console prompt to create two principals in the same realm as the MapR cluster:

  • a JobTracker user principal (used by SPNEGO webservers)

  • an HTTP user principal (for nodes that handle SPNEGO traffic)

For example, if the JobTracker service and the webserver service are running on a node called perfnode153.perf.lab and the realm is called dev-maprtech, the commands to add the JobTracker principal and the HTTP principal are:

kadmin: addprinc -randkey mapr/perfnode153.perf.lab@dev-maprtech
kadmin: addprinc -randkey HTTP/perfnode153.perf.lab@dev-maprtech

Creating a keytab File

Keytabs are created or appended to by extracting keys from the KDC database using the ktadd command inside the kadmin console prompt.

To create a keytab file for the JobTracker principal, you use the same procedure that you use to create the keytab for the MapR-FS or mapred principal for a specific host.

  1. Create the keytab file for the JobTracker principal. Name this file mapr.keytab and put it in the directory /opt/mapr/conf on the machine running the JobTracker server, as shown:
    kadmin: ktadd -k /opt/mapr/conf/mapr.keytab mapr/perfnode153.perf.lab 
  2. Restrict permissions on the mapr.keytab file to its owner.
    $ sudo chmod 600 /opt/mapr/conf/mapr.keytab
  3. Set the file's owner to the user running the JobTracker server (usually mapr).
    $ sudo chown mapr:mapr /opt/mapr/conf/mapr.keytab
  4. Copy the mapr.keytab file to all the nodes running Hue, Hive, httpfs, and Oozie services.

Modifying the mapred-site.xml File

The mapred-site.xml file needs the following information for JobTracker:

Property Name | Description | Value
mapreduce.jobtracker.kerberos.principal | Hostname and realm | mapr/_HOST@<REALM>
mapreduce.jobtracker.keytab.file | Path to the MapReduce keytab file | /opt/mapr/conf/mapr.keytab

Add these properties to your mapred-site.xml file as shown in the following example. Note that this example uses dev-maprtech for the Kerberos realm.

<!-- JobTracker security configuration -->
<property>
  <name>mapreduce.jobtracker.kerberos.principal</name>
  <value>mapr/_HOST@dev-maprtech</value>
</property>
<property>
  <name>mapreduce.jobtracker.keytab.file</name>
  <value>/opt/mapr/conf/mapr.keytab</value> <!-- path to the MapReduce keytab -->
</property>
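
To check a node after the keytab and mapred-site.xml steps, the following shell functions read both properties from the site file and confirm that the keytab they point to is owner-only and owned by the expected user. This is an added example, not part of the MapR documentation; the function names are hypothetical and it assumes a Linux stat.

```shell
#!/bin/sh
# Added example, not MapR code: audit the keytab settings from this page.
# Function names are hypothetical. Assumes Linux (GNU or BusyBox stat).

# Print the <value> of a named <property> in a Hadoop *-site.xml file.
# Handles the simple tag layout shown on this page, not arbitrary XML.
site_value() {  # $1 = site file, $2 = property name
    awk -v want="$2" '
        /<name>/ { n = $0; sub(/.*<name>[ \t]*/, "", n); sub(/[ \t]*<\/name>.*/, "", n) }
        /<value>/ && n == want {
            v = $0; sub(/.*<value>[ \t]*/, "", v); sub(/[ \t]*<\/value>.*/, "", v)
            print v; exit
        }' "$1"
}

# Succeed only if the keytab exists and grants nothing to group or other.
keytab_mode_ok() {  # $1 = keytab path
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]   # 600 and 400 pass; 640 and 644 fail
}

# Audit one node. Prints findings; returns non-zero if any check fails.
audit_jobtracker_kerberos() {  # $1 = mapred-site.xml, $2 = expected owner
    rc=0
    keytab=$(site_value "$1" mapreduce.jobtracker.keytab.file)
    principal=$(site_value "$1" mapreduce.jobtracker.kerberos.principal)
    [ -n "$keytab" ] || { echo "FAIL: keytab property not set in $1"; return 1; }
    case "$principal" in
        mapr/*@?*) ;;   # mapr/_HOST@<REALM>, the form this page uses
        *) echo "FAIL: unexpected principal '$principal'"; rc=1 ;;
    esac
    keytab_mode_ok "$keytab" ||
        { echo "FAIL: $keytab is missing or open to group/other"; rc=1; }
    owner=$(stat -c '%U' "$keytab" 2>/dev/null) || owner=
    [ "$owner" = "$2" ] ||
        { echo "FAIL: $keytab owned by '$owner', expected '$2'"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: $keytab ($principal)"; fi
    return "$rc"
}

# Run as: sh audit.sh <path to mapred-site.xml> mapr
if [ "$#" -eq 2 ]; then audit_jobtracker_kerberos "$1" "$2"; fi
```

Running the same check on each node that received a copy of mapr.keytab catches copies that were left group- or world-readable.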

Modifying the env.sh File

The env.sh file contains a setting for MapR login options that defaults to the value maprsasl. Change this value to hybrid, which applies to Kerberos and other security protocols.

The new line (after the change) should look like this:

MAPR_LOGIN_OPTS="-Dhadoop.login=hybrid ${MAPR_JAAS_CONFIG_OPTS} ${MAPR_ZOOKEEPER_OPTS}"

Restarting JobTracker

JobTracker must be restarted in order for the configuration file changes to take effect. Enter the following command:

maprcli node services -jobtracker restart