Kerberos Setup for Tez Views

To set up basic Kerberos for views, see "Set Up Kerberos for Ambari Server" in the Ambari Security Guide.

After you have set up basic Kerberos for the Tez View, you must set the following configuration properties:

On the timeline server host, set the following values for properties in the YARN configuration for Ambari-managed clusters or the yarn-site.xml for manually deployed clusters:

Table 5.3. Kerberos Settings for Tez Views

Property	Value
`yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.hosts`	`*`
`yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.users`	`*`
`yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.groups`	`*`

For example, if the Kerberos principal used for the Ambari server is ambari-service@EXAMPLE.COM, replace ${ambari principal name} with ambari-service.

Restart the Timeline Server so your configuration changes take effect.

On the ResourceManager host, add the following properties to kerberize and enable proxy-user access to the ResourceManager UI:

Table 5.4. In core-site.xml

Property	Value
`hadoop.http.authentication.type`	`kerberos`
`hadoop.http.filter.initializers`	`org.apache.hadoop.security.AuthenticationFilterInitializer`
`hadoop.http.authentication.kerberos.keytab`	`<Path to keytab container HTTP principal>` for example: <etc/security/keytabs/spnego.service.keytab>
`hadoop.http.authentication.kerberos.principal`	`HTTP/_HOST@REALM` for example: HTTP/_HOST@EXAMPLE.COM
`hadoop.http.authentication.signature.secret.file`	`<Path to signature secret file for signing the authentication tokens>` The same secret should be used for all nodes in the cluster, NameNode, DataNode, ResourceManager, NodeManager. For example: /etc/hadoop/conf/secret_http_file
`hadoop.http.authentication.cookie.domain`	`<The domain to use for the HTTP cookie that stores the authentication token>` for example: hortonworks.com. This setting is optional. The default is no domain.
`hadoop.proxyuser.${ambari principal name}.hosts`	`*`
`hadoop.proxyuser.${ambari principal name}.groups`	`*`
`hadoop.proxyuser.${ambari principal name}.users`	`*`

Table 5.5. In yarn-site.xml

Property	Value
`yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled`	`true`
`yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.hosts`	`*`
`yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.groups`	`*`
`yarn.timeline-service.http-authentication.proxyuser.${ambari principal name}.users`	`*`
The following settings are optional, if proxyusers settings are added in core-site.xml:
`yarn.resourcemanager.proxyuser.${ambari principal name}.hosts`	`*`
`yarn.resourcemanager.proxyuser.${ambari principal name}.users`	`*`
`yarn.resourcemanager.proxyuser.${ambari principal name}.groups`	`*`

​Kerberos Setup for Tez Views

Kerberos Setup for Tez Views