Securing Open Source Components
Describes how to use JAAS to configure security for open source components.
Open source components on a MapR cluster have several options for security. See the Ecosystem Guide for component-specific instructions.
General Security Configuration with JAAS
Open source components in the MapR Converged Data Platform use the Java Authentication and Authorization Service (JAAS) for security configuration. The /opt/mapr/conf/mapr.login.conf file defines JAAS configurations. The MAPR_ECOSYSTEM_LOGIN_OPTS environment variable in the /opt/mapr/conf/env.sh file specifies the JAAS configuration used by installed open source components. When security is enabled, the value of the MAPR_ECOSYSTEM_LOGIN_OPTS environment variable is modified to include the hybrid JVM option for hadoop.login. This is equivalent to setting the -Dhadoop.login=hybrid flag at the command line. This setting specifies a mixed security environment using Kerberos and internal MapR security technologies.
The mapr.login.conf file has two stanzas for hybrid security:
/**
 * authenticate using hybrid of kerberos and MapR
 * maprticket must already exist on file system as MapR login module
 * cannot get kerberos identity from subject for implicit login.
 */
hadoop_hybrid {
  org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
      useTicketCache=true
      renewTGT=true
      doNotPrompt=true;
  com.mapr.security.maprsasl.MaprSecurityLoginModule required
      checkUGI=false;
  org.apache.hadoop.security.login.GenericOSLoginModule required;
  org.apache.hadoop.security.login.HadoopLoginModule required
      principalPriority=com.mapr.security.MapRPrincipal;
};
hadoop_hybrid_keytab {
  org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
      refreshKrb5Config=true
      doNotPrompt=true
      useKeyTab=true
      storeKey=true;
  com.mapr.security.maprsasl.MaprSecurityLoginModule required
      checkUGI=false
      useServerKey=true;
  org.apache.hadoop.security.login.GenericOSLoginModule required;
  org.apache.hadoop.security.login.HadoopLoginModule required
      principalPriority=com.mapr.security.MapRPrincipal;
};
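The following Python sketch is an added example, not part of the MapR documentation or product. It parses the two hybrid stanzas shown above (embedded as a constructed sample with whitespace condensed), lists which login modules must succeed according to their JAAS control flag, and reports the options that differ between the two stanzas. The function names parse_jaas, gating and option_diff are hypothetical, and the parser assumes unquoted option values, as in this file.

```python
import re
# Constructed input: the page's two hybrid stanzas, whitespace condensed.
SAMPLE = """/** authenticate using hybrid of kerberos and MapR */
hadoop_hybrid {
  org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
    useTicketCache=true renewTGT=true doNotPrompt=true;
  com.mapr.security.maprsasl.MaprSecurityLoginModule required checkUGI=false;
  org.apache.hadoop.security.login.GenericOSLoginModule required;
  org.apache.hadoop.security.login.HadoopLoginModule required
    principalPriority=com.mapr.security.MapRPrincipal;
};
hadoop_hybrid_keytab {
  org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
    refreshKrb5Config=true doNotPrompt=true useKeyTab=true storeKey=true;
  com.mapr.security.maprsasl.MaprSecurityLoginModule required checkUGI=false useServerKey=true;
  org.apache.hadoop.security.login.GenericOSLoginModule required;
  org.apache.hadoop.security.login.HadoopLoginModule required
    principalPriority=com.mapr.security.MapRPrincipal;
};"""
FLAGS = {"required", "requisite", "sufficient", "optional"}  # JAAS control flags

def parse_jaas(text):
    """Return {stanza: [(module, flag, {option: value}), ...]}; unquoted values only."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ comments
    stanzas = {}
    for name, body in re.findall(r"([\w.-]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        entries = []
        for module, flag, *opts in filter(None, (e.split() for e in body.split(";"))):
            if flag not in FLAGS:
                raise ValueError(f"{name}: unknown control flag {flag!r}")
            entries.append((module, flag, dict(o.split("=", 1) for o in opts)))
        stanzas[name] = entries
    return stanzas

def gating(entries):
    """Short names of modules that must succeed for the login to succeed."""
    return [m.rsplit(".", 1)[-1] for m, f, _ in entries if f in ("required", "requisite")]

def option_diff(a, b):
    """Options that differ between two stanzas, per module (assumes same module order)."""
    diff = {}
    for (mod, _, oa), (_, _, ob) in zip(a, b):
        keys = [k for k in sorted(oa.keys() | ob.keys()) if oa.get(k) != ob.get(k)]
        if keys:
            diff[mod.rsplit(".", 1)[-1]] = {k: (oa.get(k), ob.get(k)) for k in keys}
    return diff

if __name__ == "__main__":
    conf = parse_jaas(SAMPLE)
    print(gating(conf["hadoop_hybrid"]), option_diff(conf["hadoop_hybrid"], conf["hadoop_hybrid_keytab"]))
```

In both stanzas the Kerberos module is marked optional while the MapR, OS and Hadoop login modules are required, so under JAAS control-flag semantics a missing Kerberos credential does not by itself fail the login.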