
CONFIGURING KERBEROS SECURITY IN HORTONWORKS DATA PLATFORM 2.0

5/3/2016

Hadoop was originally created without any external security in mind. It was meant to be used by trusted users in a secure environment, and the constraints that were put in place were intended to prevent users from making mistakes, not to prevent malicious characters from harming the system.


This lab will help guide you in configuring security.


Step 1:
Configuring Kerberos in HDP 2.0
  1. Install the Kerberos server and client packages:

sudo yum install krb5-server krb5-workstation


  2. Modify /etc/krb5.conf with the correct realm and hostnames. Here is the one I used for a single Kerberos server, containing both the Key Distribution Center (KDC) and the Kerberos Admin service:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WEBAGE.DEV.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 WEBAGE.DEV.COM = {
  kdc = vm-LINUX6-4-anastetsky
  admin_server = vm-LINUX6-4-anastetsky
 }

# Map the Kerberos server's host name to the realm defined in [realms]
[domain_realm]
 vm-LINUX6-4-anastetsky = WEBAGE.DEV.COM

Replace WEBAGE.DEV.COM with the name of the Kerberos realm.
Replace vm-LINUX6-4-anastetsky with the host name of the Kerberos server.


  3. Create the initial Kerberos database and supply a master password.

sudo kdb5_util create -s


  4. Update /var/kerberos/krb5kdc/kadm5.acl to list the principals that have administrative access to the Kerberos database. The trailing * grants all permissions to every principal with an /admin instance:

*/admin@WEBAGE.DEV.COM *


  5. Start the kadmin service:

sudo service kadmin start


  6. Use kadmin.local to create an admin principal (e.g. alex/admin):

sudo kadmin.local -q "addprinc alex/admin"


  7. Start the Kerberos service (krb5kdc):

sudo service krb5kdc start


  8. Make sure you open the right ports:

sudo iptables -I INPUT -p udp --dport 88 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 749 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 464 -j ACCEPT
sudo service iptables save
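
A consistency check for the /etc/krb5.conf edited above, added here as an example (it is not part of the original lab). It confirms that default_realm and every [domain_realm] mapping name a realm that is actually defined in [realms]; realm names are case-sensitive, so a leftover or mistyped realm fails this check. The function names and the BAD sample are made up for illustration, and the parser assumes one level of braces.

```python
import re

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: value}}; handles one brace level."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None                          # end of a realm block
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:                                 # a repeated key keeps the last value
                (block if block is not None else section)[key] = value
    return conf

def check_krb5(text):
    """Return a list of realm-wiring problems; an empty list means consistent."""
    conf, problems = parse_krb5(text), []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default not in realms:
        problems.append(f"default_realm {default!r} is not defined in [realms]")
    problems += [f"realm {name} has no {key}" for name, body in realms.items()
                 for key in ("kdc", "admin_server") if key not in body]
    problems += [f"[domain_realm] maps {host} to undefined realm {realm!r}"
                 for host, realm in conf.get("domain_realm", {}).items() if realm not in realms]
    return problems

# Constructed samples: GOOD uses the realm and host name from this lab;
# BAD leaves a stale realm (made up for this example) in [domain_realm].
GOOD = """
[libdefaults]
 default_realm = WEBAGE.DEV.COM
[realms]
 WEBAGE.DEV.COM = {
  kdc = vm-LINUX6-4-anastetsky
  admin_server = vm-LINUX6-4-anastetsky
 }
[domain_realm]
 vm-LINUX6-4-anastetsky = WEBAGE.DEV.COM
"""
BAD = GOOD.replace("anastetsky = WEBAGE.DEV.COM", "anastetsky = old.example.com")
print(check_krb5(GOOD), check_krb5(BAD))
```

To check a real file, pass its contents: check_krb5(open("/etc/krb5.conf").read()).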


Once Kerberos is configured, we will use Ambari to set up the required authentication.


  • Log in to your Ambari web interface as an admin user.

  • Go to Admin > Security, and click Enable Security.

  • Click Next.

  • Enter your realm name, e.g. WEBAGE.DEV.COM

  • Click Next.

  • Click Download CSV (host-principal-keytab-list.csv).