DLM Administration

Chapter 6. Configuring Security for DLM

DLM supports Kerberos for securing clusters. In an unsecured environment, authentication between DLM (Beacon) Engines uses basic authentication instead. For DLM authorization on secured clusters, a set of prerequisites must be met. To enable authorization on unsecured clusters, you must complete some manual configuration.

Configure Authorization for DLM on Secured Clusters

In addition to the security tasks you must complete for DPS, and to satisfy your environmental or corporate requirements, you must ensure the following are properly configured so that DLM replication jobs complete successfully on clusters with Kerberos enabled. No other special configuration is required for authorization and authentication with DLM on a secure cluster.

  • HDFS, Hive, Knox, and Ranger are enabled in Ambari

  • Ranger plugins are enabled for HDFS and Hive

  • Clusters to be paired in DLM have identical configurations, including security

  • Global LDAP is configured to share user-group mappings across clusters

  • If using Kerberos with different KDCs, two-way trust is configured between the KDCs

  • If using Active Directory, trust relationships across multiple domains or forests (domain and forest trusts) are not supported

  • HTTPS is supported in DPS Platform, but is not supported in DLM in the first release.

Enable Authorization for DLM on Unsecured Clusters

By default, authorization for DLM is not enabled in an unsecured cluster. You can enable authorization by modifying a security file available with the DLM Engine on the HDP clusters. You can also enable authorization for individual users or groups.

Steps

  1. On a node with the DLM Engine installed, navigate to $DLM_HOME/conf.

  2. Open the file beacon-security.xml.

  3. Add the following properties to the file:

    <property>
    <name>beacon.authorization.enabled</name>
    <value>true</value>
    </property>
    <property>
    <name>beacon.authorization.policy.file</name>
    <value>policy-store.txt</value>
    </property>
  4. Enable authorization for individual users or groups by doing the following:

    1. In $DLM_HOME/conf, open the policy-store.txt file.

      The file looks similar to the following:

      ##Policy Format
      ##r-READ, w-WRITE, u-UPDATE, d-DELETE
      ##Policy_Name;;User_Name1:Operations_Allowed,User_Name2:Operations_Allowed;;Group_Name1:Operations_Allowed,Group_Name2:Operations_Allowed;;Resource_Type1:Resource_Name,Resource_Type2:Resource_Name
      ##
      adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*
      beaconPolicy;;beacon:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*
      
    2. Add the configuration settings for the users you want to authorize for access to DLM, following the adminPolicy and beaconPolicy examples in the file.

      adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*
      beaconPolicy;;beacon:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*
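The following is an added example, not code from DLM or the Beacon engine: a small Python parser for the policy-store.txt format shown above, with a deny-by-default check that answers whether a given user (with a given set of groups) may perform an operation letter on a resource. The matching rules are assumptions drawn from the file's comment header: the four fields are separated by `;;`, a policy covers a resource when the resource type is listed with the exact name or `*`, and the operation is allowed when that policy grants the letter to the user directly or to any of the user's groups. The `auditPolicy` line, the `auditor` user and the `ROLE_AUDIT` group are constructed for illustration; only `adminPolicy` and `beaconPolicy` come from the page. Note that on an unsecured cluster the user name this check keys on is whatever basic authentication asserted, so the policy file limits what an identified caller may do but does not strengthen how that caller was identified.

```python
# Added example (not Beacon's own authorizer): parse policy-store.txt and
# evaluate access requests against it.  Matching rules are ASSUMED from the
# file's comment header (see lead-in); deny by default.
from dataclasses import dataclass

# Operation letters from the file header: r-READ, w-WRITE, u-UPDATE, d-DELETE
OPS = {"r": "READ", "w": "WRITE", "u": "UPDATE", "d": "DELETE"}


@dataclass
class Policy:
    name: str
    users: dict       # user name  -> set of operation letters
    groups: dict      # group name -> set of operation letters
    resources: dict   # resource type -> set of resource names ("*" = any)


def _parse_principals(section, lineno):
    """Parse 'name1:rwud,name2:r' into {name: set(letters)}; reject unknown letters."""
    out = {}
    for entry in filter(None, (e.strip() for e in section.split(","))):
        name, sep, ops = entry.partition(":")
        if not sep or not name:
            raise ValueError(f"line {lineno}: bad principal entry {entry!r}")
        unknown = set(ops) - set(OPS)
        if unknown:
            raise ValueError(f"line {lineno}: unknown operation letter(s) "
                             f"{sorted(unknown)} in {entry!r}")
        out[name] = set(ops)
    return out


def _parse_resources(section, lineno):
    """Parse 'cluster:*,policy:nightly' into {resource_type: set(names)}."""
    out = {}
    for entry in filter(None, (e.strip() for e in section.split(","))):
        rtype, sep, rname = entry.partition(":")
        if not sep or not rtype or not rname:
            raise ValueError(f"line {lineno}: bad resource entry {entry!r}")
        out.setdefault(rtype, set()).add(rname)
    return out


def parse_policy_store(text):
    """Return the Policy records in a policy-store.txt body; '#' lines are comments."""
    policies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";;")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 ';;'-separated fields, "
                             f"got {len(fields)}")
        name, users, groups, resources = fields
        policies.append(Policy(name.strip(),
                               _parse_principals(users, lineno),
                               _parse_principals(groups, lineno),
                               _parse_resources(resources, lineno)))
    return policies


def is_authorized(policies, user, user_groups, op, resource_type, resource_name):
    """Allow only if some policy covers the resource and grants op to user or a group."""
    if op not in OPS:
        raise ValueError(f"unknown operation {op!r}")
    for p in policies:
        names = p.resources.get(resource_type, set())
        if "*" not in names and resource_name not in names:
            continue  # this policy says nothing about the requested resource
        if op in p.users.get(user, set()):
            return True
        if any(op in p.groups.get(g, set()) for g in user_groups):
            return True
    return False


# Constructed sample: the two default policies from the page plus an assumed,
# illustrative read-only policy for an audit group (not a DLM default).
SAMPLE_POLICY_STORE = """\
##Policy Format
##r-READ, w-WRITE, u-UPDATE, d-DELETE
adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*
beaconPolicy;;beacon:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*
auditPolicy;;auditor:r;;ROLE_AUDIT:r;;event:*,logs:*
"""

POLICIES = parse_policy_store(SAMPLE_POLICY_STORE)

if __name__ == "__main__":
    for who, grps, op, rtype, rname in [
        ("admin",   [],              "d", "cluster",  "prod"),
        ("auditor", ["ROLE_AUDIT"],  "r", "logs",     "beacon.log"),
        ("auditor", ["ROLE_AUDIT"],  "w", "logs",     "beacon.log"),
        ("auditor", ["ROLE_AUDIT"],  "r", "policy",   "nightly-hive"),
        ("ops1",    ["ROLE_ADMIN"],  "u", "schedule", "nightly-hive"),
    ]:
        ok = is_authorized(POLICIES, who, grps, op, rtype, rname)
        print(f"{who:8} {op} {rtype}:{rname:12} -> {'ALLOW' if ok else 'DENY'}")
```

The parser rejects a line with the wrong number of `;;` fields or an operation letter outside r/w/u/d, so a typo in the file fails loudly rather than silently granting or withholding access. The read-only `auditPolicy` line shows how to add a least-privilege entry alongside the two default policies: it grants `r` on `event` and `logs` only, so the same user is denied `w` on logs and denied any access to `policy` objects.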