Apache Ambari Security
Also available as:
PDF
loading table of contents...

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

2018-05-17

Abstract

The Hortonworks Data Platform, powered by Apache Hadoop, is a massively scalable and 100% open source platform for storing, processing and analyzing large volumes of data. It is designed to deal with data from many sources and formats in a very quick, easy and cost-effective manner. The Hortonworks Data Platform consists of the essential set of Apache Hadoop projects including MapReduce, Hadoop Distributed File System (HDFS), HCatalog, Pig, Hive, HBase, ZooKeeper and Ambari. Hortonworks is the major contributor of code and patches to many of these projects. These projects have been integrated and tested as part of the Hortonworks Data Platform release process and installation and configuration tools have also been included.

Unlike other providers of platforms built using Apache Hadoop, Hortonworks contributes 100% of our code back to the Apache Software Foundation. The Hortonworks Data Platform is Apache-licensed and completely open source. We sell only expert technical support, training and partner-enablement services. All of our technology is, and will remain free and open source. Please visit the Hortonworks Data Platform page for more information on Hortonworks technology. For more information on Hortonworks services, please visit either the Support or Training page. Feel free to Contact Us directly to discuss your specific needs.


Contents

1. Ambari Security Guide
2. Configuring Ambari and Hadoop for Kerberos
Kerberos Overview
Kerberos Principals
Installing and Configuring the KDC
Use an Existing MIT KDC
Use an Existing Active Directory
Use Manual Kerberos Setup
(Optional) Install a new MIT KDC
Enabling Kerberos Security
Installing the JCE
Running the Kerberos Security Wizard
Kerberos Client Packages
Disabling Kerberos Security
Customizing the Attribute Template
Managing Admin Credentials
3. Advanced Security Options for Ambari
Configuring Ambari Server For Kerberos Authentication
Configuring Ambari for LDAP or Active Directory Authentication
Setting Up LDAP User Authentication
Configure Ambari to use LDAP Server
Synchronizing LDAP Users and Groups
Specific Set of Users and Groups
Existing Users and Groups
All Users and Groups
Setting Up Hadoop Group Mapping for LDAP/AD
Configure Hadoop Group Mapping for LDAP/AD Using SSSD (Recommended)
Configure Hadoop Group Mapping in core-site.xml
Manually Create the Users and Groups in the Linux Environment
Configuring Ambari for Non-Root
How to Configure Ambari Server for Non-Root
How to Configure an Ambari Agent for Non-Root
Optional: Encrypt Database and LDAP Passwords
Reset Encryption
Remove Encryption Entirely
Change the Current Master Key
Optional: Set Up SSL for Ambari
Optional: Ambari Web Inactivity Timeout
Optional: Set Up Ambari Server for Kerberos
Set Up Truststore for Ambari Server
Optional: Set Up Two-Way SSL Between Ambari Server and Ambari Agents
Optional: Recreating the Ambari SSL Certificate Authority
Optional: Configure Ciphers and Protocols for Ambari Server
Optional: Storing Component Passwords In Credential Store
4. Enabling SPNEGO Authentication for Hadoop
Configure Ambari Server for Authenticated HTTP
Configuring HTTP Authentication for HDFS, YARN, MapReduce2, HBase, Oozie, Falcon and Storm
Enabling Browser Access to a SPNEGO-enabled Web UI