If you are using TLS (formerly SSL) wire encryption, you must configure DLM so that
service requests are proxied through a Knox Gateway. This limits access to cluster services,
providing a more secure environment. All cluster services such as Hive, Ambari, Ranger, Atlas,
etc. are accessed through a Knox proxy by DP Platform and DLM Engine.
To use wire encryption with DLM, you must configure TLS on
each cluster running DLM Engine so that the engine can authenticate and communicate with
Knox across all paired clusters.
-
In a terminal, navigate to the Knox topologies directory.
cd /etc/knox/conf/topologies
-
Log in as root and create a beacon-preauth.xml file.
Example
beacon-preauth.xml topology file:
You can copy
and paste this sample content into your file and modify as
needed.
<topology>
<gateway>
<provider>
<role>federation</role>
<name>HeaderPreAuth</name>
<enabled>true</enabled>
<param>
<name>
preauth.custom.header
</name>
<value>
BEACON_USER
</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>HadoopGroupProvider</name>
<enabled>true</enabled>
</provider>
<!-- currently validating this acl for authorization -->
<provider>
<role>authorization</role>
<name>AclsAuthz</name>
<enabled>true</enabled>
<param>
<name>knoxtoken.acl</name>
<value>beacon;*;*</value>
</param>
</provider>
</gateway>
<service>
<role>KNOXTOKEN</role>
<param>
<name>knox.token.ttl</name>
<value>120000</value>
</param>
<param>
<name>knox.token.client.cert.required</name>
<value>true</value>
</param>
<param>
<name>knox.token.allowed.principals</name>
<value><semicolon separated list of beacon dn names></value>
</param>
<param>
<name>knox.token.client.data</name>
<value>cookie.name=hadoop-jwt</value>
</param>
</service>
</topology>
The DN to be configured in knox.token.allowed.principals
is the
DN in the TLS certificate of each beacon host.
Example DN: CN=beacon.host.com, OU=Eng, O=ABC Corp, L=Santa Clara, ST=CA,
C=US
-
Change ownership of the beacon-preauth.xml file to Knox.
chown knox:hadoop beacon-preauth.xml
-
Open the DPS proxy topology file.
The dp-proxy.xml file was created during installation of the
DPS Instance.
-
Ensure the following service definitions are in the file and configured with the
correct FQDN host names.
| Important |
---|
All DLM Engine servers that are registered with DPS must be
included in this file. As new wire-encrypted clusters are registered, they must be
added to this file manually. |
<service>
<role>BEACON</role>
<url>https://<dlm_engine_host>:25443</url>
</service>
<service>
<role>HIVE</role>
<url>https://<hiveserver_host>:10001/cliservice</url>
</service>
| Tip |
---|
You can get the HiveServer host from the
default.xml file in the topology directory. |
-
Create the truststore password entry using knox cli:
/usr/hdp/current/knox-server/bin/knoxcli.sh create-alias
gateway-truststore-password --value <password>
The default JRE cacerts
password is “changeit” .
-
Repeat this task on all cluster nodes that have Knox Gateway enabled.