core-site.xml
Add the following information to the core-site.xml file on every host in your cluster:
Table 27.3. General core-site.xml, Knox, and Hue
Property Name | Property Value | Description |
|---|---|---|
hadoop.security.authentication | kerberos | Set the authentication type for the cluster. Valid values are: simple or kerberos. |
hadoop.rpc.protection | authentication; integrity; privacy | This is an [OPTIONAL] setting. If not set, defaults to authentication. authentication= authentication only; the client and server mutually authenticate during connection setup. integrity = authentication and integrity; guarantees the integrity of data exchanged between client and server as well as authentication. privacy = authentication, integrity, and confidentiality; guarantees that data exchanged between client and server is encrypted and is not readable by a “man in the middle”. |
hadoop.security.authorization | true | Enable authorization for different protocols. |
hadoop.security.auth_to_local | The mapping rules. For example:
| The mapping from Kerberos principal names to local OS user names. See Creating Mappings Between Principals and UNIX Usernames for more information. |
Following is the XML for these entries:
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
<description> Set the authentication for the cluster.
Valid values are: simple or kerberos.</description>
</property>
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
<description>Enable authorization for different protocols.</description>
</property>
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
DEFAULT
</value>
<description>The mapping from kerberos principal names
to local OS user names.</description>
</property>When using the Knox Gateway, add the following to the core-site.xml file on the master nodes host in your cluster:
Table 27.4. core-site.xml Master Node Settings -- Knox Gateway
Property Name | Property Value | Description |
|---|---|---|
hadoop.proxyuser.knox.groups | users | Grants proxy privileges for knox user. |
hadoop.proxyuser.knox.hosts | $knox_host_FQDN | Identifies the Knox Gateway host. |
When using Hue, add the following to the core-site.xml file on the master nodes host in your cluster:
Table 27.5. core-site.xml Master Node Settings -- Hue
Property Name | Property Value | Description |
|---|---|---|
hue.kerberos.principal.shortname | hue | Group to which all the hue users belong. Use the wild card character to select multiple groups, for example cli*. |
hadoop.proxyuser.hue.groups | * | Group to which all the hue users belong. Use the wild card character to select multiple groups, for example cli*. |
hadoop.proxyuser.hue.hosts | * | |
hadoop.proxyuser.knox.hosts | $hue_host_FQDN | Identifies the Knox Gateway host. |
Following is the XML for both Knox and Hue settings:
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
<description>Set the authentication for the cluster.
Valid values are: simple or kerberos.</description>
</property>
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
<description>Enable authorization for different protocols.
</description>
</property>
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
DEFAULT
</value>
<description>The mapping from kerberos principal names
to local OS user names.</description>
</property>
<property>
<name>hadoop.proxyuser.knox.groups</name>
<value>users</value>
</property>
<property>
<name>hadoop.proxyuser.knox.hosts</name>
<value>Knox.EXAMPLE.COM</value>
</property>