Configure Kerberos for Storm
As of Storm 0.10.0-1602, you can configure Storm to use Kerberos authentication on a secure cluster.
Procedure
- In the storm.yaml, add the following configurations:
# UI Authentication
ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
ui.filter.params: {'type': 'simple', 'user.name': 'mapr'}

# Worker, nimbus, supervisor JVM params. Adds Kerberos support with params from
# /opt/mapr/conf/mapr.login.conf. Debug mode ON.
worker.childopts: "-Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.clientconfig=StormZooClient"
supervisor.childopts: "-Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.clientconfig=StormZooClient"
nimbus.childopts: "-Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.clientconfig=StormZooClient"

# Enables Kerberos authentication
storm.thrift.transport: "backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin"
java.security.auth.login.config: "/opt/mapr/conf/mapr.login.conf"
java.security.krb5.conf: "/etc/krb5.conf"

# Nimbus also will translate the principal into a local user name, so that other
# services can use this name. To configure this for Kerberos authentication set
storm.principal.tolocal: "backtype.storm.security.auth.KerberosPrincipalToLocal"

# We also need to inform the topology who the supervisor daemon and the nimbus
# daemon are running as, from a ZooKeeper perspective.
storm.zookeeper.superACL: "sasl:mapr/<fqdn>@<realm>"

# The preferred authorization plug-in for nimbus is the SimpleACLAuthorizer.
# To use the SimpleACLAuthorizer, set the following:
nimbus.authorizer: "backtype.storm.security.auth.authorizer.SimpleACLAuthorizer"

# To ensure only authorized users can perform impersonation, you should start
# nimbus with
nimbus.admins:
  - "mapr/<fqdn>@<realm>"
  - "mapr"
nimbus.supervisor.users:
  - "mapr/<fqdn that runs supervisor>@<realm>"
  - "mapr"
nimbus.users:
  - "mapr"
storm.auth.simple-acl.admins:
  - "mapr/<fqdn>@<realm>"
storm.auth.simple-acl.users:
  - "mapr/<fqdn>@<realm>"
nimbus.impersonation.authorizer: backtype.storm.security.auth.authorizer.ImpersonationAuthorizer
nimbus.impersonation.acl:
  mapr:
    hosts: [localhost, 127.0.0.1, <fqdn>]
    groups: [mapr, <fqdn>]
NOTE: When Storm runs on more than one node in the cluster, the storm.auth.simple-acl.admins and storm.auth.simple-acl.users properties must specify values that are node-specific. For example, if you are configuring these properties on a node that runs the Nimbus service, the node name and users must correspond to the hostname of the Nimbus node and to users available on that Nimbus node.

- Add the following sections to mapr.login.conf:
StormServer {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/opt/mapr/conf/mapr.keytab"
    storeKey=true
    useTicketCache=false
    principal="mapr/<fqdn>@<realm>";
};

StormClient {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/opt/mapr/conf/mapr.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="mapr"
    principal="mapr/<fqdn>@<realm>";
};

StormZooClient {
  com.mapr.security.maprsasl.MaprSecurityLoginModule required
    checkUGI=false
    authMech="MAPR-SECURITY"
    debug=true;
  org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
    refreshKrb5Config=true
    doNotPrompt=true
    useKeyTab=true
    storeKey=true;
  org.apache.hadoop.security.login.GenericOSLoginModule required;
  org.apache.hadoop.security.login.HadoopLoginModule required
    principalPriority=com.mapr.security.MapRPrincipal;
};
NOTE: For nodes in the Storm cluster that run the Supervisor but not Nimbus or the Storm UI service, the StormServer section is not required.

- Copy the storm.yaml to the /home/mapr/.storm/ directory on each Nimbus and Supervisor node.

- Generate a new Kerberos ticket:

  kinit -kt /opt/mapr/conf/mapr.keytab -p mapr/<fqdn>@<realm>

- On a secure cluster, log in to the cluster with the Kerberos ticket:

  maprlogin kerberos
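A small check of the mapr.login.conf sections described above, added here as an example and not MapR's or Storm's own tooling: it parses the JAAS sections and flags a Storm daemon entry that does not authenticate from a keytab, leaves useTicketCache on, or still carries the <fqdn>/<realm> placeholders. The sample text and the hostname in it are constructed.

```python
import re
# Constructed sample; the StormServer principal keeps its placeholders so the check fires.
SAMPLE = """
StormServer {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true keyTab="/opt/mapr/conf/mapr.keytab" storeKey=true
    useTicketCache=false principal="mapr/<fqdn>@<realm>";
};
StormClient {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true keyTab="/opt/mapr/conf/mapr.keytab" storeKey=true
    useTicketCache=false serviceName="mapr" principal="mapr/nimbus1.example.com@EXAMPLE.COM";
};
"""
_SECTION = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)   # Name { ... };
_OPTION = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"

def parse_jaas(text):
    """Return {section: [{module, flag, options}]} from JAAS login.conf text."""
    sections = {}
    for name, body in _SECTION.findall(text):
        entries = []
        for stmt in body.split(";"):          # one "Module flag key=val ...;" per statement
            parts = stmt.split()
            if len(parts) < 2:
                continue
            opts = {k: v.strip('"') for k, v in _OPTION.findall(stmt)}
            entries.append({"module": parts[0], "flag": parts[1], "options": opts})
        sections[name] = entries
    return sections

def audit_storm_sections(text, required=("StormServer", "StormClient")):
    """Return findings for the Storm daemon sections; an empty list means they look right."""
    findings = []
    cfg = parse_jaas(text)
    for sec in required:
        krb = [e for e in cfg.get(sec, []) if e["module"].endswith("Krb5LoginModule")]
        if not krb:
            findings.append(f"{sec}: section missing or has no Krb5LoginModule entry")
            continue
        o = krb[0]["options"]
        if o.get("useKeyTab") != "true" or not o.get("keyTab"):
            findings.append(f"{sec}: daemon must use a keytab (useKeyTab=true, keyTab=...)")
        if o.get("useTicketCache") != "false":
            findings.append(f"{sec}: set useTicketCache=false so the daemon never uses a user's ticket")
        principal = o.get("principal", "")
        if "<" in principal or "@" not in principal:
            findings.append(f"{sec}: principal '{principal}' still has placeholders or no realm")
    return findings
```

Run it against the real /opt/mapr/conf/mapr.login.conf by passing the file contents to audit_storm_sections(); on Supervisor-only nodes pass required=("StormClient",).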
Results

The Storm UI is reachable at:

http://<hostname>:<UI_port>/?user.name=mapr

NOTE: In the URL above, UI_port is the ui.port parameter that is configured in the storm.yaml.