Kerberos enables SPNEGO authentication for Hadoop (2)

Enable SPNEGO authentication for Hadoop

By default, access to the cluster's HTTP-based services and web UIs is not configured to require authentication. The web UIs of HDFS, YARN, MapReduce2, HBase, Oozie, Falcon, and Storm support Kerberos (SPNEGO) authentication.

Set up Kerberos for Ambari server

This section describes how to configure the Ambari server with a Kerberos principal and keytab so that Ambari Web and its views can authenticate to cluster components through SPNEGO.

About this task

When Kerberos is enabled for the cluster, component REST endpoints (such as the YARN Application Timeline Server, ATS) require SPNEGO authentication.

Depending on the services in the cluster, Ambari Web needs to call these APIs, and some views likewise need access to ATS. To authenticate to these APIs through SPNEGO, the Ambari server therefore needs a Kerberos principal of its own.

Procedure

  1. Create a principal for the Ambari server in the KDC, for example with kadmin: addprinc -randkey ambari-server@EXAMPLE.COM
  2. Generate a keytab for that principal: xst -k ambari.server.keytab ambari-server@EXAMPLE.COM
  3. Place that keytab on the Ambari server host, for example at /etc/security/keytabs/ambari.server.keytab, and set the file permissions so that the user running the Ambari server daemon (and only that user) can read it.
  4. Stop the Ambari server: ambari-server stop
  5. Run the setup-security command: ambari-server setup-security
  6. Select 3 to set up the Ambari Kerberos JAAS configuration.
  7. Enter the Kerberos principal name of the Ambari server created above.
  8. Enter the path to the keytab for the Ambari principal.
  9. Restart the Ambari server: ambari-server restart

Configure HTTP authentication for HDFS, YARN, MapReduce2, HBase, Oozie, Falcon, and Storm

This section describes how to configure HTTP (SPNEGO) authentication for the Hadoop components in a Kerberos-enabled cluster.

Procedure

  1. Create the secret used to sign the authentication token (cookie). The file should contain random data, and the same file must be present on every host in the cluster, since a cookie issued by one host is validated by whichever host receives it. It should be owned by the hdfs user and the hadoop group, with permissions 440. For example:

dd if=/dev/urandom of=/etc/security/http_secret bs=1024 count=1
chown hdfs:hadoop /etc/security/http_secret
chmod 440 /etc/security/http_secret
  2. In Ambari Web, browse to Services > HDFS > Configs.
  3. Add or modify the following properties under Advanced core-site:

Property                                              New value
hadoop.http.authentication.simple.anonymous.allowed   false
hadoop.http.authentication.signature.secret.file      /etc/security/http_secret
hadoop.http.authentication.type                       kerberos
hadoop.http.authentication.kerberos.keytab            /etc/security/keytabs/spnego.service.keytab
hadoop.http.authentication.kerberos.principal         HTTP/_HOST@EXAMPLE.COM
hadoop.http.filter.initializers                       org.apache.hadoop.security.AuthenticationFilterInitializer
hadoop.http.authentication.cookie.domain              hortonworks.local

Note:

The keytab path, the principal's realm, and the cookie domain in the table above are site-specific. The hadoop.http.authentication.cookie.domain property is derived from the fully qualified domain names of the cluster hosts: if the NameNode's FQDN is host1.hortonworks.local, hadoop.http.authentication.cookie.domain should be set to hortonworks.local.

  4. For HBase, enable Kerberos authentication for the HBase web UI by configuring SPNEGO:
    a) In Ambari Web, browse to Services > HBase > Configs.
    b) Add the following properties to Custom hbase-site:

Property                                                   Value
hbase.security.authentication.ui                           kerberos
hbase.security.authentication                              kerberos
hbase.security.authentication.spnego.kerberos.principal    HTTP/_HOST@EXAMPLE.COM
hbase.security.authentication.spnego.kerberos.keytab       /etc/security/keytabs/spnego.service.keytab
hbase.security.authentication.spnego.kerberos.name.rules   (optional)
hbase.security.authentication.signature.secret.file        (optional)
  5. Save the configuration and restart the affected services.
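The following script is an added example, not code from the original page, Ambari, or Hadoop. It audits what the procedure above produces: the token-signing secret file (non-empty, mode 440, owned by hdfs:hadoop) and the core-site and hbase-site properties from the two tables. The required values are taken from those tables; the realm EXAMPLE.COM is the page's placeholder, and the two core-site XML documents embedded below (the default open configuration and the hardened one) are constructed for the demo. The secret-file demo writes into a temporary directory as the current user, because chown to hdfs:hadoop needs root and a real cluster host.

```python
"""Audit the SPNEGO artifacts: secret file plus core-site / hbase-site properties.
Added example; paths and values come from the tables on the page, XML samples are constructed."""
import grp
import os
import pwd
import stat
import tempfile
import xml.etree.ElementTree as ET

SPNEGO_KEYTAB = "/etc/security/keytabs/spnego.service.keytab"
SPNEGO_PRINCIPAL = "HTTP/_HOST@EXAMPLE.COM"   # EXAMPLE.COM is the page's placeholder realm

# Required values from the core-site table. None = must be set, value is site-specific.
REQUIRED_CORE_SITE = {
    "hadoop.http.authentication.simple.anonymous.allowed": "false",
    "hadoop.http.authentication.signature.secret.file": "/etc/security/http_secret",
    "hadoop.http.authentication.type": "kerberos",
    "hadoop.http.authentication.kerberos.keytab": SPNEGO_KEYTAB,
    "hadoop.http.authentication.kerberos.principal": SPNEGO_PRINCIPAL,
    "hadoop.http.filter.initializers": "org.apache.hadoop.security.AuthenticationFilterInitializer",
    "hadoop.http.authentication.cookie.domain": None,
}
# Required values from the hbase-site table (the two optional properties are not checked).
REQUIRED_HBASE_SITE = {
    "hbase.security.authentication.ui": "kerberos",
    "hbase.security.authentication": "kerberos",
    "hbase.security.authentication.spnego.kerberos.principal": SPNEGO_PRINCIPAL,
    "hbase.security.authentication.spnego.kerberos.keytab": SPNEGO_KEYTAB,
}

# Constructed sample: the default, unauthenticated web UI configuration ...
WEAK_CORE_SITE = """<configuration>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>true</value></property>
</configuration>"""
# ... and the hardened configuration from the core-site table.
HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
  <property><name>hadoop.http.authentication.signature.secret.file</name><value>/etc/security/http_secret</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.kerberos.keytab</name><value>/etc/security/keytabs/spnego.service.keytab</value></property>
  <property><name>hadoop.http.authentication.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
  <property><name>hadoop.http.filter.initializers</name><value>org.apache.hadoop.security.AuthenticationFilterInitializer</value></property>
  <property><name>hadoop.http.authentication.cookie.domain</name><value>hortonworks.local</value></property>
</configuration>"""


def parse_site_xml(text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_properties(props, required):
    """Return findings; an empty list means the config matches the table.
    A value is also accepted as one entry of a comma-separated list, so an existing
    hadoop.http.filter.initializers list that already contains the filter passes."""
    findings = []
    for name, expected in required.items():
        if name not in props:
            findings.append(f"missing {name}")
        elif expected is not None and expected not in [v.strip() for v in props[name].split(",")]:
            findings.append(f"{name}={props[name]!r}, expected {expected!r}")
    return findings


def write_secret_file(path, size=1024):
    """Equivalent of the dd + chmod steps: 1 KiB of os.urandom, mode 0440 (chown not done here)."""
    if os.path.exists(path):
        os.chmod(path, 0o600)           # a previous 0440 copy is not writable by its owner
    with open(path, "wb") as fh:
        fh.write(os.urandom(size))
    os.chmod(path, 0o440)
    return path


def _names(uid, gid):
    """Resolve uid/gid to names, falling back to the numbers if unknown."""
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    try:
        group = grp.getgrgid(gid).gr_name
    except KeyError:
        group = str(gid)
    return user, group


def audit_secret_file(path, owner="hdfs", group="hadoop"):
    """Check the secret exists, is non-empty, is mode 0440 and is owned by owner:group."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o440:
        findings.append(f"{path} mode {mode:04o}, expected 0440")
    if st.st_size == 0:
        findings.append(f"{path} is empty")
    actual = _names(st.st_uid, st.st_gid)
    if actual != (owner, group):
        findings.append(f"{path} owned by {actual[0]}:{actual[1]}, expected {owner}:{group}")
    return findings


def demo_secret_file():
    """Create a secret in a temp dir as the current user and audit it before and after
    a wrong chmod. Returns (findings_ok, findings_after_chmod_644)."""
    path = write_secret_file(os.path.join(tempfile.mkdtemp(), "http_secret"))
    owner, group = _names(os.getuid(), os.getgid())
    ok = audit_secret_file(path, owner, group)
    os.chmod(path, 0o644)
    return ok, audit_secret_file(path, owner, group)


if __name__ == "__main__":
    print("weak core-site:", audit_properties(parse_site_xml(WEAK_CORE_SITE), REQUIRED_CORE_SITE))
    print("hardened core-site:", audit_properties(parse_site_xml(HARDENED_CORE_SITE), REQUIRED_CORE_SITE))
    print("secret file:", demo_secret_file())
```

On a cluster host, point parse_site_xml at the core-site.xml and hbase-site.xml that Ambari pushed out (under the Hadoop and HBase conf directories) and call audit_secret_file with the default hdfs:hadoop owner; a non-empty findings list is the thing to fix before restarting the services.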

Enable browser access to a SPNEGO-protected web UI

This section describes how to enable a browser on your local machine to access a web UI that has SPNEGO enabled.

Procedure

  1. Install a Kerberos client on your local machine (see the installation instructions for your operating system).
  2. Configure the krb5.conf file on your local machine. To test against an HDP cluster, copy /etc/krb5.conf from one of the cluster hosts to /etc/krb5.conf on the local machine. Obtain a keytab for your own principal and run kinit. To test against the HDP cluster, copy the ambari-qa keytab /etc/security/keytabs/smokeuser.headless.keytab and run:
kinit -kt smokeuser.headless.keytab ambari-qa@EXAMPLE.COM

     Before involving the browser, you can confirm that the ticket and the server-side SPNEGO setup work with curl --negotiate -u : -I http://<namenode-fqdn>:<port>/ ; an initial 401 with a WWW-Authenticate: Negotiate header followed by a 200 shows the UI is enforcing SPNEGO and accepting your ticket.
  3. Enable Kerberos SPNEGO in your web browser:
    a) Chrome on Mac: run the following command in the same shell where you ran kinit, so that Chrome starts with that credential cache and with the cluster domain allowed for Negotiate authentication:

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --auth-server-whitelist="*.hwx.site"

Replace .hwx.site with your own domain name. If you get an authentication error, try closing all Chrome windows and relaunching Chrome this way.
    b) Firefox:
       1. Navigate to about:config (type about:config in the address bar and press Enter).
       2. Scroll down to network.negotiate-auth.trusted-uris and change its value to the cluster domain name (for example, .hwx.site).
       3. Change the value of network.negotiate-auth.delegation-uri to the cluster domain name (for example, hwx.site).


Origin blog.csdn.net/m0_48187193/article/details/114879509