Enabling and Disabling Security Features on Your Cluster
Describes how to enable and disable wire-level security on the nodes of your cluster.
Enabling Wire-Level Security
Wire-level security encrypts data transmission between the nodes in your cluster.
WARNING: Security features are turned off by default.
When you set up a cluster, run the configure.sh script on each node that you want to add to the cluster.
To enable security for the cluster, follow these steps in order:
1. If the cluster is running, shut it down.
2. Run the configure.sh script with the -secure -genkeys options on the first CLDB node in your cluster:
   /opt/mapr/server/configure.sh -N <cluster_name> -secure -genkeys -Z <Zookeeper_node_list> -C <CLDB_node_list>
   Both <Zookeeper_node_list> and <CLDB_node_list> have the form hostname[:port_no][,hostname[:port_no]...].
   NOTE: Run configure.sh -genkeys only once, on one CLDB node, because the resulting files must be copied to the other nodes.
   This command generates four files in the /opt/mapr/conf directory: cldb.key, maprserverticket, ssl_keystore, and ssl_truststore.
3. Copy the cldb.key file to every node that has the CLDB or ZooKeeper service installed.
4. Copy the maprserverticket, ssl_keystore, and ssl_truststore files to the /opt/mapr/conf directory of every node in the cluster.
5. Verify that the files from the previous step are owned by the user that runs cluster services (mapr by default). The maprserverticket and ssl_keystore files must have their UNIX permission-mode bits set to 600, and the ssl_truststore file must be readable by all users.
6. Run configure.sh -secure on each node you want to add to the cluster. The -secure option indicates that the node is secure. You must also do this on any nodes that you add to the cluster in the future.
   NOTE: If you run configure.sh -secure on a node before you copy the necessary files to that node, the command fails.
7. Copy the ssl_truststore file to any client nodes outside the cluster.
8. Log in as the mapr superuser using the maprlogin command (in this command, password is literal text):
   maprlogin password
9. Run the hadoop mfs -setnetworkencryption on <object> command for every table, file, and directory in MapR-FS whose traffic you want to encrypt.
   NOTE: The network encryption setting is inherited by new objects. Once encryption is turned on for a directory, all new directories, files, and tables created under that directory are automatically encrypted.
10. If clients will connect to multiple secure clusters, merge the ssl_truststore files with the /opt/mapr/server/manageSSLKeys.sh tool. See Setting Up the Client for more information on MapR clients.
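As an added pre-flight check that is not part of the MapR documentation, the following shell function verifies the ownership and permission-mode requirements stated above for maprserverticket, ssl_keystore and ssl_truststore before configure.sh -secure is run on a node (the command fails if the files are missing, and wrong modes leave the ticket or keystore exposed to other local users). It assumes Linux with GNU coreutils stat; the conf directory and owner default to /opt/mapr/conf and mapr but can be overridden.

```shell
#!/bin/sh
# Added pre-flight check, not from the MapR documentation.
# Verifies the files copied from the first CLDB node before configure.sh -secure
# is run on this node. Assumes GNU coreutils `stat` (Linux).
# Usage: check_secure_files [conf_dir] [owner]   (defaults: /opt/mapr/conf, mapr)
# Returns 0 if every requirement holds, 1 otherwise, printing each violation.

check_secure_files() {
    conf_dir="${1:-/opt/mapr/conf}"
    owner="${2:-mapr}"
    rc=0

    # maprserverticket and ssl_keystore: present, owned by $owner, mode exactly 600
    for f in maprserverticket ssl_keystore; do
        path="$conf_dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING: $path (copy it from the first CLDB node)"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        fowner=$(stat -c '%U' "$path")
        [ "$fowner" = "$owner" ] || { echo "BAD OWNER: $path is owned by $fowner, expected $owner"; rc=1; }
        [ "$mode" = "600" ] || { echo "BAD MODE: $path is $mode, expected 600"; rc=1; }
    done

    # ssl_truststore: present, owned by $owner, and readable by all users
    path="$conf_dir/ssl_truststore"
    if [ ! -f "$path" ]; then
        echo "MISSING: $path (copy it from the first CLDB node)"
        rc=1
    else
        mode=$(stat -c '%a' "$path")
        fowner=$(stat -c '%U' "$path")
        [ "$fowner" = "$owner" ] || { echo "BAD OWNER: $path is owned by $fowner, expected $owner"; rc=1; }
        # the last octal digit is the "other" class; it must include the read bit (4)
        other=$(( $mode % 10 ))
        [ $(( $other & 4 )) -eq 4 ] || { echo "NOT WORLD-READABLE: $path is $mode"; rc=1; }
    fi
    return "$rc"
}
```

Run it on each node after step 4 and fix every reported violation before running configure.sh -secure there.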
Disabling Wire-Level Security
To disable security features for your cluster:
1. If the cluster is running, shut it down.
2. On all nodes, run the configure.sh script with the -unsecure option and specify the CLDB and ZooKeeper nodes:
   configure.sh -unsecure -C <CLDB_Node> -Z <ZK_Node>
3. Start the cluster.