Set Up Java Authentication and Authorization Service (JAAS)

Open source components in the MapR distribution for Hadoop use the Java Authentication and Authorization Service (JAAS) for security configuration. The /opt/mapr/conf/mapr.login.conf file defines JAAS configurations. The MAPR_ECOSYSTEM_LOGIN_OPTS environment variable in the /opt/mapr/conf/env.sh file specifies the JAAS configuration used by installed open source components.

When security is enabled, the value of the MAPR_ECOSYSTEM_LOGIN_OPTS environment variable is modified to include the hybrid JVM option for hadoop.login. This is equivalent to setting the -Dhadoop.login=hybrid flag at the command line. This setting specifies a mixed security environment using Kerberos and internal MapR security technologies.

The mapr.login.conf file has two stanzas for hybrid security:

/**
 * authenticate using hybrid of kerberos and MapR
 * maprticket must already exist on file system as MapR login module
 * cannot get kerberos identity from subject for implicit login.
 */
hadoop_hybrid {
  org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
      useTicketCache=true
      renewTGT=true
      doNotPrompt=true;
  com.mapr.security.maprsasl.MaprSecurityLoginModule required
      checkUGI=false;
  org.apache.hadoop.security.login.GenericOSLoginModule required;
  org.apache.hadoop.security.login.HadoopLoginModule required
      principalPriority=com.mapr.security.MapRPrincipal;
};

hadoop_hybrid_keytab {
  org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
      refreshKrb5Config=true
      doNotPrompt=true
      useKeyTab=true
      storeKey=true;
  com.mapr.security.maprsasl.MaprSecurityLoginModule required
      checkUGI=false
      useServerKey=true;
  org.apache.hadoop.security.login.GenericOSLoginModule required;
  org.apache.hadoop.security.login.HadoopLoginModule required
      principalPriority=com.mapr.security.MapRPrincipal;
};
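
To confirm what a JVM actually resolves for one of these stanzas, the file can be loaded through the JDK's own JAAS configuration parser and each module listed with its control flag and options. This is an added example, not code from the MapR documentation; the class name JaasStanzaAudit and the temp-file fallback are assumptions for illustration, and the text block requires Java 15 or later.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.URIParameter;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class JaasStanzaAudit {
    // Constructed sample: the hadoop_hybrid stanza as shown on this page.
    static final String SAMPLE = """
        hadoop_hybrid {
          org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
              useTicketCache=true
              renewTGT=true
              doNotPrompt=true;
          com.mapr.security.maprsasl.MaprSecurityLoginModule required
              checkUGI=false;
          org.apache.hadoop.security.login.GenericOSLoginModule required;
          org.apache.hadoop.security.login.HadoopLoginModule required
              principalPriority=com.mapr.security.MapRPrincipal;
        };
        """;

    public static void main(String[] args) throws Exception {
        // args[0]: path to the real file, e.g. /opt/mapr/conf/mapr.login.conf.
        // With no argument the constructed sample is written to a temp file.
        Path conf = args.length > 0 ? Path.of(args[0])
                : Files.writeString(Files.createTempFile("mapr.login", ".conf"), SAMPLE);
        String stanza = args.length > 1 ? args[1] : "hadoop_hybrid";

        // "JavaLoginConfig" is the JDK's built-in parser for this file format.
        // It only parses the file; the login module classes are not loaded.
        Configuration cfg = Configuration.getInstance(
                "JavaLoginConfig", new URIParameter(conf.toUri()));
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(stanza);
        if (entries == null) {
            System.err.println("stanza not found: " + stanza);
            System.exit(2);
        }
        for (AppConfigurationEntry e : entries) {
            // JAAS semantics: a failing 'optional' module does not fail the
            // overall login, while a failing 'required' module does.
            boolean tolerated = e.getControlFlag() == LoginModuleControlFlag.OPTIONAL;
            System.out.printf("%s%n  flag: %s%n  failure tolerated: %b%n  options: %s%n",
                    e.getLoginModuleName(), e.getControlFlag(), tolerated, e.getOptions());
        }
    }
}
```

For the stanzas above, the output shows that only the Kerberos module is `optional`, so a login still fails unless the MapR, OS and Hadoop modules all succeed.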