2.2. Kerberos Setup for Tez Views

To set up basic Kerberos for views, see "Set Up Kerberos for Ambari Server" in the Ambari Security Guide.

After you have set up basic Kerberos for the Tez View, you must set the following configuration properties:

  1. On the timeline server host, set the following values for properties in the YARN configuration for Ambari-managed clusters or the yarn-site.xml for manually deployed clusters:

     

    Table 5.3. Kerberos Settings for Tez Views

    | Property | Value |
    |---|---|
    | yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.hosts | * |
    | yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.users | * |
    | yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.groups | * |


    For example, if the Kerberos principal used for the Ambari server is ambari-service@EXAMPLE.COM, replace ${ambari principal name} with ambari-service.

  2. Restart the Timeline Server so your configuration changes take effect.

  3. On the ResourceManager host, add the following properties to kerberize and enable proxy-user access to the ResourceManager UI:

     

    Table 5.4. In core-site.xml

    | Property | Value |
    |---|---|
    | hadoop.http.authentication.type | kerberos |
    | hadoop.http.filter.initializers | org.apache.hadoop.security.AuthenticationFilterInitializer |
    | hadoop.http.authentication.kerberos.keytab | <Path to keytab containing HTTP principal>; for example: <etc/security/keytabs/spnego.service.keytab> |
    | hadoop.http.authentication.kerberos.principal | HTTP/_HOST@REALM; for example: HTTP/_HOST@EXAMPLE.COM |
    | hadoop.http.authentication.signature.secret.file | <Path to signature secret file for signing the authentication tokens>. Use the same secret on all nodes in the cluster (NameNode, DataNode, ResourceManager, NodeManager). For example: /etc/hadoop/conf/secret_http_file |
    | hadoop.http.authentication.cookie.domain | <The domain to use for the HTTP cookie that stores the authentication token>; for example: hortonworks.com. This setting is optional. The default is no domain. |
    | hadoop.proxyuser.${ambari principal name}.hosts | * |
    | hadoop.proxyuser.${ambari principal name}.groups | * |
    | hadoop.proxyuser.${ambari principal name}.users | * |


     

    Table 5.5. In yarn-site.xml

    | Property | Value |
    |---|---|
    | yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled | true |
    | yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.hosts | * |
    | yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.groups | * |
    | yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.users | * |

    The following settings are optional if the proxyuser settings have been added in core-site.xml:

    | Property | Value |
    |---|---|
    | yarn.resourcemanager.proxyuser.${ambari principal name}.hosts | * |
    | yarn.resourcemanager.proxyuser.${ambari principal name}.users | * |
    | yarn.resourcemanager.proxyuser.${ambari principal name}.groups | * |
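
An added example, not part of the original guide or of Ambari or Hadoop: a Python check that reads Hadoop *-site.xml content, verifies that the HTTP authentication properties from Table 5.4 are present, and reports every proxy-user property still set to *, a value that lets the Ambari principal impersonate any user or group from any host. The sample XML and the helper names (load_props, audit, prop) are constructed for illustration, using the page's ambari-service principal.

```python
import xml.etree.ElementTree as ET

# Proxy-user prefixes from Tables 5.3-5.5; the principal name follows each prefix.
PROXY_PREFIXES = ("hadoop.proxyuser", "yarn.resourcemanager.proxyuser",
                  "yarn.timeline-service.http-authentication.proxyuser")
SCOPES = ("hosts", "users", "groups")
# core-site.xml properties from Table 5.4 that must carry a value.
REQUIRED = ("hadoop.http.authentication.kerberos.keytab",
            "hadoop.http.authentication.kerberos.principal",
            "hadoop.http.authentication.signature.secret.file")

def load_props(xml_text):
    """Return {name: value} from a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit(props, principal):
    """Return sorted (severity, property, message) findings for the given settings."""
    findings = []
    if props.get("hadoop.http.authentication.type") != "kerberos":
        findings.append(("error", "hadoop.http.authentication.type", "not set to kerberos"))
    if "AuthenticationFilterInitializer" not in props.get("hadoop.http.filter.initializers", ""):
        findings.append(("error", "hadoop.http.filter.initializers", "auth filter not listed"))
    for key in REQUIRED:
        if not props.get(key):
            findings.append(("error", key, "missing or empty"))
    for prefix in PROXY_PREFIXES:
        for scope in SCOPES:
            key = f"{prefix}.{principal}.{scope}"
            if props.get(key) == "*":
                findings.append(("warn", key, f"wildcard, matches any {scope[:-1]}"))
    return sorted(findings)

def prop(name, value):
    return f"<property><name>{name}</name><value>{value}</value></property>"

# Constructed sample: Table 5.4 values for principal "ambari-service", keytab omitted.
SAMPLE = "<configuration>" + "".join([
    prop("hadoop.http.authentication.type", "kerberos"),
    prop("hadoop.http.filter.initializers", "org.apache.hadoop.security.AuthenticationFilterInitializer"),
    prop("hadoop.http.authentication.kerberos.principal", "HTTP/_HOST@EXAMPLE.COM"),
    prop("hadoop.http.authentication.signature.secret.file", "/etc/hadoop/conf/secret_http_file"),
    *[prop(f"hadoop.proxyuser.ambari-service.{s}", "*") for s in SCOPES],
]) + "</configuration>"

if __name__ == "__main__":
    for severity, key, message in audit(load_props(SAMPLE), "ambari-service"):
        print(f"{severity:5} {key}: {message}")
```

Run it over the combined properties of core-site.xml and yarn-site.xml; an entry narrowed from * to a specific value, such as the Ambari server's host name in a .hosts property, no longer produces a warning.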


