Chapter 6. Configuring Security for DLM
DLM supports Kerberos for securing clusters. If you are working in an unsecured environment, authentication between DLM (Beacon) Engines uses basic authentication. For DLM authorization on secured clusters, there are some prerequisites that must be met. If you want to enable authorization on unsecured clusters, you must complete some manual configuration.
Configure Authorization for DLM on Secured Clusters
In addition to the security tasks you must complete for DPS, and to satisfy your environmental or corporate requirements, you must ensure the following are properly configured so that DLM replication jobs complete successfully on clusters with Kerberos enabled. No other special configuration is required for authorization and authentication with DLM on a secure cluster.
HDFS, Hive, Knox, and Ranger are enabled in Ambari
Ranger plugins are enabled for HDFS and Hive
Clusters to be paired in DLM have identical configurations, including security
Global LDAP is configured to share user-group mappings across clusters
If using Kerberos with different KDCs, two-way trust is configured between the KDCs
If using AD, there is no support for trust relationships across multiple domains or forests through domain and forest
HTTPS is supported in DPS Platform, but is not supported in DLM in the first release.
Enable Authorization for DLM on Unsecured Clusters
By default, authorization for DLM is not enabled in an unsecured cluster. You can enable authorization by modifying a security file available with the DLM Engine on the HDP clusters. You can also enable authorization for individual users or groups.
Steps
1. On a node with the DLM Engine installed, navigate to $DLM_HOME/conf.
2. Open the file beacon-security.xml.
3. Add the following properties to the file:

   <property>
     <name>beacon.authorization.enabled</name>
     <value>true</value>
   </property>
   <property>
     <name>beacon.authorization.policy.file</name>
     <value>policy-store.txt</value>
   </property>

4. Enable authorization for individual users or groups by doing the following:
   a. In $DLM_HOME/conf, open the policy-store.txt file. The file looks similar to the following:

      ##Policy Format
      ##r-READ, w-WRITE, u-UPDATE, d-DELETE
      ##Policy_Name;;User_Name1:Operations_Allowed,User_Name2:Operations_Allowed;;Group_Name1:Operations_Allowed,Group_Name2:Operations_Allowed;;Resource_Type1:Resource_Name,Resource_Type2:Resource_Name
      ##
      adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*
      beaconPolicy;;beacon:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*

   b. Add the configuration settings for the users you want to authorize for access to DLM, following the adminPolicy and beaconPolicy examples in the file:

      adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*
      beaconPolicy;;beacon:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*
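The policy-store.txt format shown above, parsed and evaluated as an added example. This is not DLM's or the Beacon Engine's own authorization code: the matching rules it implements (a policy applies when its resource list names the resource type with the exact name or the "*" wildcard, access is denied unless some policy grants the operation to the user or one of the user's groups, and a malformed or duplicate line is rejected outright) are assumptions made for illustration, and the sample file below, including the extra auditPolicy line, is constructed.

```python
from dataclasses import dataclass

# Constructed sample in the page's policy-store.txt format (not a real deployment file).
# The auditPolicy line is an assumed, read-only entry added to exercise group and deny paths.
SAMPLE_POLICY_STORE = """\
##Policy Format
##r-READ, w-WRITE, u-UPDATE, d-DELETE
##Policy_Name;;User:Ops,User:Ops;;Group:Ops,Group:Ops;;Resource_Type:Resource_Name,...
##
adminPolicy;;admin:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*
beaconPolicy;;beacon:rwud;;ROLE_ADMIN:rwud;;cluster:*,policy:*,schedule:*,event:*,logs:*
auditPolicy;;auditor:r;;ROLE_AUDIT:r;;event:*,logs:*
"""

OPERATIONS = set("rwud")  # r-READ, w-WRITE, u-UPDATE, d-DELETE, as the file header defines


@dataclass
class Policy:
    name: str
    users: dict      # user name -> set of allowed operation letters
    groups: dict     # group name -> set of allowed operation letters
    resources: dict  # resource type -> set of resource names ("*" = any)


def _parse_principals(segment):
    """Parse 'name:ops,name:ops' into {name: set(ops)}; reject unknown operation letters."""
    result = {}
    if not segment.strip():
        return result
    for entry in segment.split(","):
        principal, _, ops = entry.strip().partition(":")
        ops_set = set(ops.strip())
        unknown = ops_set - OPERATIONS
        if unknown or not principal.strip():
            raise ValueError(f"bad principal entry {entry!r}")
        result[principal.strip()] = ops_set
    return result


def _parse_resources(segment):
    """Parse 'type:name,type:name' into {type: set(names)}."""
    result = {}
    for entry in segment.split(","):
        rtype, sep, rname = entry.strip().partition(":")
        if not sep or not rtype.strip():
            raise ValueError(f"bad resource entry {entry!r}")
        result.setdefault(rtype.strip(), set()).add(rname.strip())
    return result


def parse_policy_store(text):
    """Return {policy_name: Policy}. Lines starting with '#' and blank lines are ignored."""
    policies = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(";;")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 ';;'-separated fields, got {len(parts)}")
        name, users, groups, resources = parts
        if name in policies:
            raise ValueError(f"line {lineno}: duplicate policy {name!r}")
        policies[name] = Policy(name, _parse_principals(users),
                                _parse_principals(groups), _parse_resources(resources))
    return policies


def policy_store_errors(text):
    """Lint helper: return a list of error messages (empty when the file parses cleanly)."""
    try:
        parse_policy_store(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def is_allowed(policies, user, groups, operation, resource_type, resource_name):
    """Deny by default; allow only if a matching policy grants the operation to user or a group."""
    for policy in policies.values():
        names = policy.resources.get(resource_type)
        if not names or not ("*" in names or resource_name in names):
            continue  # this policy does not cover the resource at all
        if operation in policy.users.get(user, set()):
            return True
        if any(operation in policy.groups.get(g, set()) for g in groups):
            return True
    return False


if __name__ == "__main__":
    store = parse_policy_store(SAMPLE_POLICY_STORE)
    print(sorted(store))
    print(is_allowed(store, "alice", ["ROLE_ADMIN"], "d", "policy", "hive-repl"))
```

Running the block parses the constructed store and evaluates one request; the policy_store_errors helper is the check to run over a policy-store.txt before restarting the DLM Engine, since a single malformed line would otherwise be discovered only when authorization starts failing.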