Hadoop was originally created without external security in mind. It was meant to be used by trusted users inside a trusted environment, and the controls that were put in place were intended to stop users from making mistakes, not to stop malicious actors from harming the system. Without Kerberos, any user who can reach the cluster can claim any identity simply by setting a user name, so authentication has to be added explicitly.
This lab will help guide you in configuring security.
Step 1:
Configuring Kerberos in HDP 2.0
- Install the Kerberos server and client packages (on CentOS/RHEL 6 these are krb5-server, krb5-libs and krb5-workstation).
- Modify /etc/krb5.conf with the correct realm and host names. Here is the one I used for a single Kerberos server host that runs both the Key Distribution Center (KDC) and the Kerberos admin service (kadmind):
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = WEBAGE.DEV.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
WEBAGE.DEV.COM = {
kdc = vm-LINUX6-4-anastetsky
admin_server = vm-LINUX6-4-anastetsky
}
[domain_realm]
vm-LINUX6-4-anastetsky = WEBAGE.DEV.COM
Replace WEBAGE.DEV.COM with the name of your Kerberos realm (realm names are upper-case by convention, and Ambari expects the same spelling later).
Replace vm-LINUX6-4-anastetsky with the host name of your Kerberos server; it must resolve from every cluster node, and the [domain_realm] section must map your hosts (or their DNS domain) to the realm, not to a realm name from another environment.
- Create the initial Kerberos database and supply a master password.
sudo kdb5_util create -s
- Update /var/kerberos/krb5kdc/kadm5.acl to list the principals that have administrative access to the Kerberos database (the usual pattern grants full rights to every */admin principal in the realm and nothing to anyone else).
- Start the kadmin service
- Use kadmin.local to create an admin principal (e.g. alex/admin)
- Start the Kerberos service (krb5kdc)
- Make sure you open the right ports: 88/udp for the KDC, 749/tcp for kadmin and 464/udp for kpasswd. Clients fall back to TCP 88 when a ticket is too large for a UDP datagram, so open that as well if your KDC is configured to listen on it:
sudo iptables -I INPUT -p udp --dport 88 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 749 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 464 -j ACCEPT
sudo service iptables save
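The steps above, collected into one script, as an added example that is not part of the original lab. It assumes a CentOS/RHEL 6 host run as root, the package names krb5-server, krb5-libs and krb5-workstation, and the RHEL paths under /var/kerberos/krb5kdc; the script name kdc-setup.sh and the render_* function names are my own. The render_* functions only print, so the generated krb5.conf, kadm5.acl and firewall rules can be reviewed before setup_kdc changes anything; TCP 88 and TCP 464 are added to the page's rules for the reasons given above.

```shell
#!/bin/sh
# Added example (not from the lab): perform the KDC steps on one host.
# Assumptions: CentOS/RHEL 6, run as root, RHEL krb5 package names/paths.

# Realm names are upper-case by convention; Ambari's wizard expects the
# same spelling as krb5.conf. Returns 0 when the name is non-empty and
# contains no lower-case letters.
check_realm_name() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Print a krb5.conf for a single host that runs both the KDC and kadmind.
# $1 = realm (e.g. WEBAGE.DEV.COM), $2 = KDC host name.
render_krb5_conf() {
    realm="$1"; kdchost="$2"
    # The lower-cased realm is the DNS domain we map back to the realm.
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 $realm = {
  kdc = $kdchost
  admin_server = $kdchost
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
 $kdchost = $realm
EOF
}

# kadm5.acl: only */admin principals of the realm get full rights.
render_kadm5_acl() {
    printf '*/admin@%s *\n' "$1"
}

# Firewall rules: KDC on 88 (UDP, plus TCP for tickets too large for
# UDP), kadmin on TCP 749, kpasswd on 464.
render_firewall_rules() {
    cat <<'EOF'
iptables -I INPUT -p udp --dport 88 -j ACCEPT
iptables -I INPUT -p tcp --dport 88 -j ACCEPT
iptables -I INPUT -p tcp --dport 749 -j ACCEPT
iptables -I INPUT -p udp --dport 464 -j ACCEPT
iptables -I INPUT -p tcp --dport 464 -j ACCEPT
EOF
}

# Apply everything. $1 = realm, $2 = KDC host, $3 = admin principal.
# kdb5_util and kadmin.local prompt for the master and admin passwords.
setup_kdc() {
    realm="$1"; kdchost="$2"; admin="$3"
    check_realm_name "$realm" || { echo "realm must be upper-case" >&2; return 1; }
    yum -y install krb5-server krb5-libs krb5-workstation
    render_krb5_conf "$realm" "$kdchost" > /etc/krb5.conf
    # -s stashes the master key so krb5kdc can start unattended; the
    # stash file is as sensitive as the database itself, keep it root-only.
    kdb5_util create -s
    render_kadm5_acl "$realm" > /var/kerberos/krb5kdc/kadm5.acl
    chmod 600 /var/kerberos/krb5kdc/kadm5.acl
    kadmin.local -q "addprinc $admin"
    service krb5kdc start
    service kadmin start
    render_firewall_rules | sh
    service iptables save
}

# Only change the host when explicitly asked, e.g.:
#   sh kdc-setup.sh apply WEBAGE.DEV.COM vm-linux6-4-anastetsky alex/admin
if [ "${1:-}" = "apply" ]; then
    setup_kdc "$2" "$3" "$4"
fi
```

Run it once without the apply argument and call the render_* functions from an interactive shell (or `sh -x`) to inspect the files it would write; the generated krb5.conf must then be copied to every cluster node before Ambari's wizard is run.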
Once Kerberos is configured, we will use Ambari to set up the required authentication for the cluster services.
- Log in to your Ambari web interface as an admin user.
- Go to Admin > Security, and click Enable Security.
- Click Next.
- Enter your realm name, e.g. WEBAGE.DEV.COM
- Click Next.
- Click Download CSV (host-principal-keytab-list.csv).