To set up basic Kerberos for views, see "Set Up Kerberos for Ambari Server" in the Ambari Security Guide.
After you have set up basic Kerberos for the Tez View, you must set the following configuration properties:
On the timeline server host, set the following values for properties in the YARN configuration for Ambari-managed clusters or the yarn-site.xml for manually deployed clusters:

Table 5.3. Kerberos Settings for Tez Views

| Property | Value |
|---|---|
| yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.hosts | * |
| yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.users | * |
| yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.groups | * |
For example, if the Kerberos principal used for the Ambari server is ambari-service@EXAMPLE.COM, replace ${ambari principal name} with ambari-service.

Restart the Timeline Server so your configuration changes take effect.
On the ResourceManager host, add the following properties to kerberize and enable proxy-user access to the ResourceManager UI:
Table 5.4. In core-site.xml

| Property | Value |
|---|---|
| hadoop.http.authentication.type | kerberos |
| hadoop.http.filter.initializers | org.apache.hadoop.security.AuthenticationFilterInitializer |
| hadoop.http.authentication.kerberos.keytab | <Path to keytab containing the HTTP principal>, for example: /etc/security/keytabs/spnego.service.keytab |
| hadoop.http.authentication.kerberos.principal | HTTP/_HOST@REALM, for example: HTTP/_HOST@EXAMPLE.COM |
| hadoop.http.authentication.signature.secret.file | <Path to signature secret file for signing the authentication tokens>. The same secret should be used for all nodes in the cluster: NameNode, DataNode, ResourceManager, NodeManager. For example: /etc/hadoop/conf/secret_http_file |
| hadoop.http.authentication.cookie.domain | <The domain to use for the HTTP cookie that stores the authentication token>, for example: hortonworks.com. This setting is optional. The default is no domain. |
| hadoop.proxyuser.${ambari principal name}.hosts | * |
| hadoop.proxyuser.${ambari principal name}.groups | * |
| hadoop.proxyuser.${ambari principal name}.users | * |
Table 5.5. In yarn-site.xml

| Property | Value |
|---|---|
| yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled | true |
| yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.hosts | * |
| yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.groups | * |
| yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.users | * |

The following settings are optional if the proxyuser settings are added in core-site.xml:

| Property | Value |
|---|---|
| yarn.resourcemanager.proxyuser.${ambari principal name}.hosts | * |
| yarn.resourcemanager.proxyuser.${ambari principal name}.users | * |
| yarn.resourcemanager.proxyuser.${ambari principal name}.groups | * |
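The following check is an added example, not part of the original guide or of Ambari: it parses core-site.xml text, reports which Table 5.4 properties are missing or set to an unexpected value, and lists every proxyuser entry set to `*` so the breadth of impersonation granted to the Ambari principal can be reviewed (Hadoop also accepts comma-separated host, group and user lists in these properties). The function names, the finding labels and the sample XML are assumptions made for illustration; the principal name ambari-service is the one used in the example above.

```python
import xml.etree.ElementTree as ET

# Table 5.4 properties for core-site.xml (cookie.domain is optional, so not checked).
REQUIRED = {
    "hadoop.http.authentication.type": "kerberos",
    "hadoop.http.filter.initializers": "org.apache.hadoop.security.AuthenticationFilterInitializer",
    "hadoop.http.authentication.kerberos.keytab": None,  # None: any non-empty value
    "hadoop.http.authentication.kerberos.principal": None,
    "hadoop.http.authentication.signature.secret.file": None,
}

def load_site(xml_text):
    """Parse Hadoop *-site.xml text into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_core_site(xml_text, principal):
    """Return sorted findings for the Table 5.4 settings (hypothetical labels)."""
    props, findings = load_site(xml_text), []
    for name, expected in REQUIRED.items():
        value = props.get(name, "")
        if not value:
            findings.append(f"MISSING {name}")
        elif expected and expected not in [v.strip() for v in value.split(",")]:
            findings.append(f"UNEXPECTED {name}={value}")
    for scope in ("hosts", "groups", "users"):
        name = f"hadoop.proxyuser.{principal}.{scope}"
        if name not in props:
            findings.append(f"MISSING {name}")
        elif props[name] == "*":
            # Wildcard: no restriction on where from / for whom the principal may impersonate.
            findings.append(f"WILDCARD {name}")
    return sorted(findings)

# Constructed sample: HTTP auth left at "simple", no secret file, no .users entry.
SAMPLE = """<configuration>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.filter.initializers</name><value>org.apache.hadoop.security.AuthenticationFilterInitializer</value></property>
  <property><name>hadoop.http.authentication.kerberos.keytab</name><value>/etc/security/keytabs/spnego.service.keytab</value></property>
  <property><name>hadoop.http.authentication.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
  <property><name>hadoop.proxyuser.ambari-service.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.ambari-service.groups</name><value>*</value></property>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(audit_core_site(SAMPLE, "ambari-service")))
```

A WILDCARD finding matches the values in the tables above; it is listed so that the entry can be narrowed to the Ambari server host and the intended users or groups where the deployment allows it.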