Add the following information to the core-site.xml file on every host in your cluster:
Table 27.3. General core-site.xml, Knox, and Hue
Property Name | Property Value | Description |
---|---|---|
hadoop.security.authentication | kerberos | Set the authentication type for the cluster. Valid values are: simple or kerberos. |
hadoop.rpc.protection | authentication; integrity; privacy | This is an [OPTIONAL] setting. If not set, defaults to authentication. authentication = authentication only; the client and server mutually authenticate during connection setup. integrity = authentication and integrity; guarantees the integrity of data exchanged between client and server as well as authentication. privacy = authentication, integrity, and confidentiality; guarantees that data exchanged between client and server is encrypted and is not readable by a “man in the middle”. |
hadoop.security.authorization | true | Enable authorization for different protocols. |
hadoop.security.auth_to_local | The mapping rules. For an example, see the rules in the XML that follows this table. | The mapping from Kerberos principal names to local OS user names. See Creating Mappings Between Principals and UNIX Usernames for more information. |
Following is the XML for these entries:
```xml
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
  <description>Set the authentication for the cluster. Valid values are: simple or kerberos.</description>
</property>

<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
  <description>Enable authorization for different protocols.</description>
</property>

<property>
  <name>hadoop.security.auth_to_local</name>
  <value>
    RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
    RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
    RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
    RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
    DEFAULT
  </value>
  <description>The mapping from kerberos principal names to local OS user names.</description>
</property>
```
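To check what the auth_to_local rules above resolve to before rolling them out, the following added example (not part of the original documentation, and a simplified re-implementation rather than Hadoop's own code) evaluates them in Python. The default realm EXAMPLE.COM, the function name `map_principal`, and the sample principals in the comments are assumptions.

```python
import re

# Rules copied from the auth_to_local value on this page (whitespace-separated).
RULES = """
RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
DEFAULT
"""

# RULE:[<n>:<format>](<filter regex>)s/<from>/<to>/[g]; filter and substitution are optional.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?")

def map_principal(principal, rules=RULES, default_realm="EXAMPLE.COM"):
    """Map a full principal (with realm) to a local user; None if no rule applies."""
    name, _, realm = principal.partition("@")
    params = [realm] + name.split("/")        # $0 = realm, $1.. = name components
    for rule in rules.split():                # first rule that yields a name wins
        if rule == "DEFAULT":
            # DEFAULT keeps the first component, but only for the default realm.
            result = params[1] if realm == default_realm else None
        else:
            m = RULE_RE.fullmatch(rule)
            if m is None:
                raise ValueError(f"unparseable rule: {rule}")
            n, fmt, flt, frm, to, repeat = m.groups()
            if int(n) != len(params) - 1:     # rule is for another component count
                continue
            base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
            if flt is not None and not re.fullmatch(flt, base):
                continue                      # filter must match the whole string
            result = base if frm is None else re.sub(frm, to, base, count=0 if repeat else 1)
        if result is not None:
            if "@" in result or "/" in result:
                raise ValueError(f"non-simple name {result!r} from {rule}")
            return result
    return None

# Constructed sample principals:
#   nn/host1.example.com@EXAMPLE.COM     -> hdfs   (second rule)
#   alice@EXAMPLE.COM                    -> alice  (DEFAULT)
#   nn/host1.example.com@DEV.EXAMPLE.COM -> hdfs   (the filter's ".*" accepts any realm
#                                                   ending in EXAMPLE.COM)
```

On a configured node, `hadoop org.apache.hadoop.security.HadoopKerberosName <principal>` reports the mapping Hadoop itself computes, which is the authoritative check.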
When using the Knox Gateway, add the following to the core-site.xml file on the master node hosts in your cluster:
Table 27.4. core-site.xml Master Node Settings -- Knox Gateway
Property Name | Property Value | Description |
---|---|---|
hadoop.proxyuser.knox.groups | users | Grants proxy privileges for knox user. |
hadoop.proxyuser.knox.hosts | $knox_host_FQDN | Identifies the Knox Gateway host. |
When using Hue, add the following to the core-site.xml file on the master node hosts in your cluster:
Table 27.5. core-site.xml Master Node Settings -- Hue
Property Name | Property Value | Description |
---|---|---|
hue.kerberos.principal.shortname | hue | Group to which all the hue users belong. Use the wild card character to select multiple groups, for example cli*. |
hadoop.proxyuser.hue.groups | * | Group to which all the hue users belong. Use the wild card character to select multiple groups, for example cli*. |
hadoop.proxyuser.hue.hosts | * | |
hadoop.proxyuser.knox.hosts | $hue_host_FQDN | Identifies the Knox Gateway host. |
Following is the XML for both Knox and Hue settings:
```xml
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
  <description>Set the authentication for the cluster. Valid values are: simple or kerberos.</description>
</property>

<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
  <description>Enable authorization for different protocols.</description>
</property>

<property>
  <name>hadoop.security.auth_to_local</name>
  <value>
    RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
    RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
    RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
    RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
    DEFAULT
  </value>
  <description>The mapping from kerberos principal names to local OS user names.</description>
</property>

<property>
  <name>hadoop.proxyuser.knox.groups</name>
  <value>users</value>
</property>

<property>
  <name>hadoop.proxyuser.knox.hosts</name>
  <value>Knox.EXAMPLE.COM</value>
</property>
```