core-site.xml
Add the following information to the core-site.xml
file on
every host in your cluster:
Table 2.3. General core-site.xml, Knox, and Hue
Property Name |
Property Value |
Description |
---|---|---|
hadoop.security.authentication |
kerberos |
Set the authentication type for the cluster. Valid values are: simple or kerberos. |
hadoop.rpc.protection |
authentication; integrity; privacy |
This is an [OPTIONAL] setting. If not set, defaults to authentication. authentication = authentication only; the client and server mutually authenticate during connection setup. integrity = authentication and integrity; guarantees the integrity of data exchanged between client and server as well as authentication. privacy = authentication, integrity, and confidentiality; guarantees that data exchanged between client and server is encrypted and is not readable by a “man in the middle”. |
hadoop.security.authorization |
true |
Enable authorization for different protocols. |
hadoop.security.auth_to_local |
The mapping rules. For example:
|
The mapping from Kerberos principal names to local OS user names. See Creating Mappings Between Principals and UNIX Usernames for more information. |
Following is the XML for these entries:
<property> <name>hadoop.security.authentication</name> <value>kerberos</value> <description> Set the authentication for the cluster. Valid values are: simple or kerberos.</description> </property> <property> <name>hadoop.security.authorization</name> <value>true</value> <description>Enable authorization for different protocols.</description> </property> <property> <name>hadoop.security.auth_to_local</name> <value> RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ DEFAULT </value> <description>The mapping from kerberos principal names to local OS user names.</description> </property>
When using the Knox Gateway, add the following to the
core-site.xml
file on the master nodes host in your
cluster:
Table 2.4. core-site.xml Master Node Settings -- Knox Gateway
Property Name |
Property Value |
Description |
---|---|---|
hadoop.proxyuser.knox.groups |
users |
Grants proxy privileges for Knox user. |
hadoop.proxyuser.knox.hosts |
$knox_host_FQDN |
Identifies the Knox Gateway host. |
When using Hue, add the following to the core-site.xml
file on the master nodes host in your cluster:
Table 2.5. core-site.xml Master Node Settings -- Hue
Property Name |
Property Value |
Description |
---|---|---|
hue.kerberos.principal.shortname |
hue |
Group to which all the Hue users belong. Use the wild card character to select multiple groups, for example cli*. |
hadoop.proxyuser.hue.groups |
* |
Group to which all the Hue users belong. Use the wild card character to select multiple groups, for example cli*. |
hadoop.proxyuser.hue.hosts |
* | |
hadoop.proxyuser.knox.hosts |
$hue_host_FQDN |
Identifies the Knox Gateway host. |
Following is the XML for both Knox and Hue settings:
<property> <name>hadoop.security.authentication</name> <value>kerberos</value> <description>Set the authentication for the cluster. Valid values are: simple or kerberos.</description> </property> <property> <name>hadoop.security.authorization</name> <value>true</value> <description>Enable authorization for different protocols. </description> </property> <property> <name>hadoop.security.auth_to_local</name> <value> RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ DEFAULT </value> <description>The mapping from kerberos principal names to local OS user names.</description> </property> <property> <name>hadoop.proxyuser.knox.groups</name> <value>users</value> </property> <property> <name>hadoop.proxyuser.knox.hosts</name> <value>Knox.EXAMPLE.COM</value> </property>
HTTP Cookie Persistence
During HTTP authentication, a cookie is dropped. This is a persistent cookie that is valid across browser sessions. For clusters that require enhanced security, it is desirable to have a session cookie that gets deleted when the user closes the browser session.
You can use the following core-site.xml
property to specify
cookie persistence across browser sessions.
<property> <name>hadoop.http.authentication.cookie.persistent</name> <value>true</value> </property>
The default value for this property is false
.