Configure Kerberos Authentication for Sqoop2
About this task
- Replace <FQDN> with the FQDN of the server. To determine this value, run hostname -f in the command line.
- Replace <REALM> with the realm name in the krb5.conf file, which is generated when you install the KDC server on the cluster.
Procedure
- Using the kadmin program, run the following commands to create principals for Sqoop 2:
    addprinc -randkey HTTP/<FQDN>@<REALM>
    addprinc -randkey mapr/<FQDN>@<REALM>
  Kerberos uses the principal HTTP/<FQDN>@<REALM> for communication between the Sqoop2 client and the Sqoop2 server. The principal mapr/<FQDN>@<REALM> is the Sqoop2 user that communicates between the Sqoop2 server and MapR-FS.
- Using the kadmin program, run the following commands to create keytabs for the principals:
    xst -k /opt/mapr/conf/mapr.keytab HTTP/<FQDN>@<REALM>
    xst -k /opt/mapr/conf/mapr.keytab mapr/<FQDN>@<REALM>
- Modify the following properties in the Sqoop2 configuration file (/opt/mapr/sqoop/sqoop-<version>/server/conf/sqoop.properties):
    org.apache.sqoop.security.authentication.type=KERBEROS
    org.apache.sqoop.security.authentication.handler=org.apache.sqoop.security.authentication.KerberosAuthenticationHandler
    org.apache.sqoop.security.authentication.kerberos.principal=mapr/<FQDN>@<REALM>
    org.apache.sqoop.security.authentication.kerberos.keytab=/opt/mapr/conf/mapr.keytab
    org.apache.sqoop.security.authentication.kerberos.http.principal=HTTP/<FQDN>@<REALM>
    org.apache.sqoop.security.authentication.kerberos.http.keytab=/opt/mapr/conf/mapr.keytab
    org.apache.sqoop.security.authentication.enable.doAs=true
    org.apache.sqoop.security.authentication.proxyuser.mapr.users=*
- Start the Sqoop2 server:
    maprcli node services -name sqoop2 -action start -nodes <space delimited list of nodes>
- Using the kinit program, run the following command to generate a ticket:
    kinit HTTP/<FQDN>@<REALM> -kt /opt/mapr/conf/mapr.keytab
- Start the Sqoop2 client:
    sudo -u mapr /opt/mapr/sqoop/sqoop-<version>/bin/sqoop.sh client
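
A check to run on sqoop.properties before starting the server, as an added example (not MapR or Sqoop code): it confirms the authentication type, that the principals no longer contain placeholders, and that the keytab is accessible only to its owner, and it flags the proxy-user wildcard. The function names, the host node1.example.com and the realm EXAMPLE.COM are constructed; reading * as "any user" assumes Hadoop-style proxy-user semantics.

```sh
# Added example, not MapR or Sqoop code. Names and sample values are constructed.
P=org.apache.sqoop.security.authentication
prop() {  # prop FILE KEY -> value of the last "KEY=value" line, empty if unset
  awk -v k="$2" '
    { i = index($0, "="); if (!i) next
      key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
      if (key == k) { v = substr($0, i + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v) } }
    END { print v }' "$1"
}
fail() { echo "FAIL $*"; fails=$((fails + 1)); }

# audit_sqoop_props FILE -> prints findings; exit status is the number of FAILs
audit_sqoop_props() (
  f=$1; fails=0
  v=$(prop "$f" "$P.type")
  [ "$v" = "KERBEROS" ] || fail "type is '${v:-unset}', expected KERBEROS"
  for k in kerberos.principal kerberos.http.principal; do
    v=$(prop "$f" "$P.$k")
    case $v in
      *'<'*|*'>'*) fail "$k still contains a <placeholder>: $v" ;;
      ?*/?*@?*) ;;  # looks like primary/host@REALM
      *) fail "$k is not primary/host@REALM: '${v:-unset}'" ;;
    esac
  done
  for k in kerberos.keytab kerberos.http.keytab; do
    kt=$(prop "$f" "$P.$k")
    [ -f "$kt" ] || { fail "$k: no keytab file at '${kt:-unset}'"; continue; }
    [ "$(ls -ld "$kt" | cut -c5-10)" = "------" ] ||
      fail "$k: $kt (long-term keys) is accessible to group or other"
  done
  # Assumption: Hadoop-style proxy-user semantics, where * means any user.
  [ "$(prop "$f" "$P.proxyuser.mapr.users")" != "*" ] ||
    echo "WARN proxyuser.mapr.users=* does not limit whom mapr may act as via doAs"
  exit "$fails"
)

make_sample() {  # write a constructed config and an empty stand-in keytab to dir $1
  : > "$1/mapr.keytab"; chmod 600 "$1/mapr.keytab"
  cat > "$1/sqoop.properties" <<EOF
$P.type=KERBEROS
$P.kerberos.principal=mapr/node1.example.com@EXAMPLE.COM
$P.kerberos.keytab=$1/mapr.keytab
$P.kerberos.http.principal=HTTP/node1.example.com@EXAMPLE.COM
$P.kerberos.http.keytab=$1/mapr.keytab
$P.proxyuser.mapr.users=*
EOF
}
demo_dir=$(mktemp -d); make_sample "$demo_dir"
audit_sqoop_props "$demo_dir/sqoop.properties"; rm -rf "$demo_dir"
```

On a real node, call audit_sqoop_props with the sqoop.properties path from the procedure; the WARN line is advisory and does not change the exit status.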