Configure Kerberos for Storm

As of Storm 0.10.0-1602, you can configure Storm to use Kerberos authentication on a secure cluster.

Prerequisites

Complete the basic Storm configuration before you configure Storm to use Kerberos authentication. For details on the basic Storm configuration, see Configure Basic Storm Parameters.

About this task

When you complete the following steps to configure Kerberos authentication, replace instances of <fqdn>@<realm> and <fqdn> with data that is specific to your environment. These steps must be performed on each node in the Storm cluster.

Procedure

  1. In storm.yaml, add the following configuration. Write each key as "key: value" (colon followed by a space) and each list entry as "- item"; without the space, YAML parses the whole line as a single string and the setting is silently ignored.
    #UI authentication
    ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
    ui.filter.params: {'type':'simple','user.name':'mapr'}
    
    #Worker, Nimbus, and Supervisor JVM params. Adds ZooKeeper SASL support using the StormZooClient login context from /opt/mapr/conf/mapr.login.conf (defined in step 2, with debug=true).
    worker.childopts: "-Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.clientconfig=StormZooClient"
    supervisor.childopts: "-Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.clientconfig=StormZooClient"
    nimbus.childopts: "-Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.clientconfig=StormZooClient"
    
    #Enables Kerberos authentication for the Thrift transport
    storm.thrift.transport: "backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin"
    java.security.auth.login.config: "/opt/mapr/conf/mapr.login.conf"
    java.security.krb5.conf: "/etc/krb5.conf"
    
    #Nimbus translates the Kerberos principal into a local user name so that other services can use that name
    storm.principal.tolocal: "backtype.storm.security.auth.KerberosPrincipalToLocal"
    
    #Tells the topology which principal the Supervisor and Nimbus daemons run as, from a ZooKeeper perspective
    storm.zookeeper.superACL: "sasl:mapr/<fqdn>@<realm>"
    
    #The preferred authorization plug-in for Nimbus is SimpleACLAuthorizer
    nimbus.authorizer: "backtype.storm.security.auth.authorizer.SimpleACLAuthorizer"
    
    #Restrict who may administer Nimbus, which users the Supervisors run as, who may submit topologies, and who may impersonate other users (and from which hosts)
    nimbus.admins:
      - "mapr/<fqdn>@<realm>"
      - "mapr"
    nimbus.supervisor.users:
      - "mapr/<fqdn that runs supervisor>@<realm>"
      - "mapr"
    nimbus.users:
      - "mapr"
    storm.auth.simple-acl.admins:
      - "mapr/<fqdn>@<realm>"
    storm.auth.simple-acl.users:
      - "mapr/<fqdn>@<realm>"
    nimbus.impersonation.authorizer: backtype.storm.security.auth.authorizer.ImpersonationAuthorizer
    nimbus.impersonation.acl:
      mapr:
        hosts:
          [localhost, 127.0.0.1, <fqdn>]
        groups:
          [mapr, <fqdn>]
    NOTE: When Storm runs on more than one node in the cluster, the values of storm.auth.simple-acl.admins and storm.auth.simple-acl.users are node-specific. For example, on a node that runs the Nimbus service, the host name in the principal must be the host name of that Nimbus node and the users must exist on that node.
  2. Add the following sections to mapr.login.conf:
    StormServer {
      com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/opt/mapr/conf/mapr.keytab"
        storeKey=true
        useTicketCache=false
        principal="mapr/<fqdn>@<realm>";
    };
    
    StormClient {
      com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/opt/mapr/conf/mapr.keytab"
        storeKey=true
        useTicketCache=false
        serviceName="mapr"
        principal="mapr/<fqdn>@<realm>";
    };
    
    StormZooClient {
      com.mapr.security.maprsasl.MaprSecurityLoginModule required
        checkUGI=false
        authMech="MAPR-SECURITY"
        debug=true;
      org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
        refreshKrb5Config=true
        doNotPrompt=true
        useKeyTab=true
        storeKey=true;
      org.apache.hadoop.security.login.GenericOSLoginModule required;
      org.apache.hadoop.security.login.HadoopLoginModule required
        principalPriority=com.mapr.security.MapRPrincipal;
    };
    NOTE: For nodes in the Storm cluster that run the Supervisor but not Nimbus or the Storm UI service, the StormServer section is not required.
  3. Copy the storm.yaml to the /home/mapr/.storm/ directory on each Nimbus and Supervisor node.
  4. Obtain a Kerberos ticket for the service principal from the keytab. Pass the principal as the positional argument; in MIT and Heimdal kinit the -p flag requests a proxiable ticket and does not name the principal.
    kinit -kt /opt/mapr/conf/mapr.keytab mapr/<fqdn>@<realm>
  5. On a secure cluster, log in to the cluster with the Kerberos ticket obtained in the previous step:
    
    maprlogin kerberos
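
The following is an added example, not code from this page, MapR, or Storm: a POSIX shell script that lints a storm.yaml and a mapr.login.conf for the settings the procedure above requires. It catches three slips that make a setting vanish without an error at parse time: a key written key:"value" with no space after the colon (YAML reads the line as one string), a list entry written -"item", and an <fqdn> or <realm> placeholder left unreplaced. It also checks that every principal has the mapr/<host>@<REALM> shape and, per the NOTE in step 2, skips the StormServer requirement for supervisor-only nodes. The host names node1.example.com and node2.example.com, the realm EXAMPLE.COM, and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the MapR page or Storm): lint a storm.yaml and a
# mapr.login.conf for the Kerberos settings the procedure above requires.
# Host names and realm in the constructed samples are made up.

# Keys step 1 adds. YAML needs 'key: value'; 'key:"value"' is one scalar and the
# setting is silently ignored. Likewise a list entry must be '- item', not '-"item"'.
REQUIRED_KEYS="storm.thrift.transport java.security.auth.login.config java.security.krb5.conf
storm.principal.tolocal storm.zookeeper.superACL nimbus.authorizer nimbus.admins
nimbus.supervisor.users nimbus.users storm.auth.simple-acl.admins storm.auth.simple-acl.users
nimbus.impersonation.authorizer nimbus.impersonation.acl"

check_storm_yaml() {   # usage: check_storm_yaml FILE ; returns 0 = ok, 1 = problems printed
    file=$1 rc=0
    for key in $REQUIRED_KEYS; do
        if ! grep -q "^${key}:" "$file"; then
            echo "MISSING     $key"; rc=1
        elif grep -q "^${key}:[^ ]" "$file"; then
            echo "NOSPACE     $key  (write '$key: value')"; rc=1
        fi
    done
    grep -q '^[[:space:]]*-[^ -]' "$file" && { echo "NOSPACE     list entry lacks a space after '-'"; rc=1; }
    grep -Eq '<(fqdn|realm)' "$file"      && { echo "PLACEHOLDER <fqdn>/<realm> not replaced"; rc=1; }
    return $rc
}

check_login_conf() {   # usage: check_login_conf FILE [supervisor]
    file=$1 role=${2:-nimbus} rc=0
    sections="StormClient StormZooClient"          # a supervisor-only node needs no StormServer
    [ "$role" = supervisor ] || sections="StormServer $sections"
    for s in $sections; do
        grep -Eq "^[[:space:]]*${s}[[:space:]]*\{" "$file" || { echo "MISSING     $s section"; rc=1; }
    done
    grep -Eq '<(fqdn|realm)' "$file" && { echo "PLACEHOLDER <fqdn>/<realm> not replaced"; rc=1; }
    # every principal must be primary/instance@REALM, e.g. mapr/node1.example.com@EXAMPLE.COM
    grep principal= "$file" | grep -Evq 'principal="[^"/@]+/[^"/@]+@[^"]+"' \
        && { echo "BADPRINC    principal is not of the form mapr/<host>@<REALM>"; rc=1; }
    return $rc
}

# Constructed sample files (hypothetical hosts node1/node2.example.com, realm EXAMPLE.COM).
sample_yaml_good() { cat <<'EOF'
storm.thrift.transport: "backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin"
java.security.auth.login.config: "/opt/mapr/conf/mapr.login.conf"
java.security.krb5.conf: "/etc/krb5.conf"
storm.principal.tolocal: "backtype.storm.security.auth.KerberosPrincipalToLocal"
storm.zookeeper.superACL: "sasl:mapr/node1.example.com@EXAMPLE.COM"
nimbus.authorizer: "backtype.storm.security.auth.authorizer.SimpleACLAuthorizer"
nimbus.admins:
  - "mapr/node1.example.com@EXAMPLE.COM"
  - "mapr"
nimbus.supervisor.users: ["mapr/node2.example.com@EXAMPLE.COM", "mapr"]
nimbus.users: ["mapr"]
storm.auth.simple-acl.admins: ["mapr/node1.example.com@EXAMPLE.COM"]
storm.auth.simple-acl.users: ["mapr/node1.example.com@EXAMPLE.COM"]
nimbus.impersonation.authorizer: backtype.storm.security.auth.authorizer.ImpersonationAuthorizer
nimbus.impersonation.acl:
  mapr: {hosts: [localhost, 127.0.0.1, node1.example.com], groups: [mapr]}
EOF
}
# The bad copy reproduces three slips: no space after a colon, '-"item"', a leftover placeholder.
sample_yaml_bad() {
    sample_yaml_good | sed -e 's/^storm.thrift.transport: /storm.thrift.transport:/' \
        -e 's/^  - "mapr"$/  -"mapr"/' -e 's/node2.example.com/<fqdn that runs supervisor>/'
}
sample_login_conf() { cat <<'EOF'
StormServer {
  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
  keyTab="/opt/mapr/conf/mapr.keytab" storeKey=true useTicketCache=false
  principal="mapr/node1.example.com@EXAMPLE.COM";
};
StormClient {
  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
  keyTab="/opt/mapr/conf/mapr.keytab" storeKey=true useTicketCache=false
  serviceName="mapr" principal="mapr/node1.example.com@EXAMPLE.COM";
};
StormZooClient {
  com.mapr.security.maprsasl.MaprSecurityLoginModule required checkUGI=false authMech="MAPR-SECURITY";
};
EOF
}

# Demo run on the constructed samples
tmp=$(mktemp -d)
sample_yaml_good  > "$tmp/good.yaml";  sample_yaml_bad > "$tmp/bad.yaml"
sample_login_conf > "$tmp/mapr.login.conf"
check_storm_yaml "$tmp/good.yaml"       && echo "good.yaml: OK"
check_storm_yaml "$tmp/bad.yaml"        || echo "bad.yaml: fix the lines above"
check_login_conf "$tmp/mapr.login.conf" && echo "mapr.login.conf: OK"
rm -rf "$tmp"
```

Run it on a real node as check_storm_yaml /opt/mapr/storm/storm-*/conf/storm.yaml (and on the copy in /home/mapr/.storm/) and check_login_conf /opt/mapr/conf/mapr.login.conf, passing supervisor on nodes that run neither Nimbus nor the Storm UI. The checks are textual and do not replace a kinit against the KDC, but they catch the configuration typos that otherwise surface only as an authentication failure at daemon start.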
    

Results

If you want to log in to the Storm UI, use the following URL:
http://<hostname>:<UI_port>/?user.name=mapr
NOTE: In the URL above, UI_port is the value of the ui.port parameter configured in storm.yaml. With ui.filter.params set to type 'simple' as in step 1, the UI filter accepts the user.name supplied in the query string without a Kerberos exchange, so the UI identifies the session as that user rather than authenticating it; restrict network access to the UI port accordingly.