Configuring Storm for Kerberos Over Ambari

Chapter 2. Designating a Storm Client Node

At this point in the configuration process there is no notion of a Storm client node (you won’t be able to select “client” via Ambari).

To specify a Storm client node, choose one of the following two approaches, described in the following subsections:

  • Dedicate or use an existing independent gateway node as a Storm client.

  • Use one of your existing Storm nodes (such as nimbus, supervisors, or drpc) as a client. Choose this option if you prefer not to add a gateway node for Storm.

Dedicate or Use an Existing Gateway Node

To dedicate or use an existing gateway node (edge node):

  1. Install the storm package on the node:

    sudo yum install storm_<version>

    For example, for HDP 2.3:

    sudo yum install storm_2_3*

  2. Create a file at /etc/storm/conf/client_jaas.conf, and add the following entry to it:

    StormClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        renewTicket=true
        serviceName="nimbus";
    };

  3. Add the following settings to the /etc/storm/conf/storm.yaml configuration file:

    nimbus.seeds: <nimbus-host-array>
    nimbus.thrift.port: 6667
    java.security.auth.login.config: "/etc/storm/conf/client_jaas.conf"
    storm.thrift.transport: "backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin"

    where <nimbus-host-array> is an array of hostnames running Nimbus. (The value should come from /etc/storm/conf/storm.yaml.) For example:

       nimbus.seeds: ["c6401.ambari.apache.org", "c6402.ambari.apache.org"]

Use an Existing Storm Node

To use one of your existing Storm nodes (such as nimbus, supervisors, or drpc) as a Storm client node, complete the following steps for every user who requires Storm access (for example, to run Storm commands or deploy topologies):

  1. Create a .storm directory in the user's home directory. For example, user john should have a directory called /home/john/.storm/.

  2. Add the following settings to the /etc/storm/conf/storm.yaml configuration file:

    nimbus.seeds: <nimbus-host-array>
    nimbus.thrift.port: 6667
    java.security.auth.login.config: "/etc/storm/conf/client_jaas.conf"
    storm.thrift.transport: "backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin"

    where <nimbus-host-array> is an array of hostnames running Nimbus (the value should come from /etc/storm/conf/storm.yaml). For example:

       nimbus.seeds: ["c6401.ambari.apache.org", "c6402.ambari.apache.org"]

As mentioned earlier, repeat these steps for every user who requires Storm access.

Running Storm Commands

After configuring the client/gateway node, run kinit (with the principal's keytab) before issuing Storm commands.
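
The following preflight check is an added example, not part of the original guide: it verifies that the client JAAS file and storm.yaml carry the settings listed above and that kinit has left a usable ticket in the cache. The function names check_storm_client_conf and has_valid_ticket are hypothetical, and the ticket check assumes a klist that supports the -s (silent) option, as MIT Kerberos does.

```shell
#!/bin/sh
# Added example: preflight check for a Storm client node.
# check_storm_client_conf and has_valid_ticket are hypothetical helper names.

# Print one FAIL line per problem; return 0 only if the config is complete.
check_storm_client_conf() {
    conf_dir=${1:-/etc/storm/conf}
    jaas="$conf_dir/client_jaas.conf"
    yaml="$conf_dir/storm.yaml"
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    if [ ! -r "$jaas" ]; then
        fail "$jaas is missing or unreadable"
    else
        grep -Eq '^[[:space:]]*StormClient[[:space:]]*\{' "$jaas" \
            || fail "no StormClient section in $jaas"
        grep -q 'com\.sun\.security\.auth\.module\.Krb5LoginModule' "$jaas" \
            || fail "Krb5LoginModule is not configured in $jaas"
        grep -Eq 'useTicketCache[[:space:]]*=[[:space:]]*true' "$jaas" \
            || fail "useTicketCache=true is not set, so the kinit ticket is ignored"
        grep -Eq 'serviceName[[:space:]]*=[[:space:]]*"nimbus"' "$jaas" \
            || fail "serviceName is not \"nimbus\""
    fi

    if [ ! -r "$yaml" ]; then
        fail "$yaml is missing or unreadable"
    else
        grep -Eq '^nimbus\.seeds:[[:space:]]*\[.+\]' "$yaml" \
            || fail "nimbus.seeds is not a host array"
        grep -Eq '^storm\.thrift\.transport:.*KerberosSaslTransportPlugin' "$yaml" \
            || fail "storm.thrift.transport is not the Kerberos SASL plugin"
        grep -Eq "^java\.security\.auth\.login\.config:[[:space:]]*\"?$jaas\"?" "$yaml" \
            || fail "java.security.auth.login.config does not point at $jaas"
    fi
    [ "$problems" -eq 0 ]
}

# Return 0 only if the credential cache holds an unexpired ticket.
# klist -s prints nothing and reports the result through its exit status.
has_valid_ticket() {
    command -v klist >/dev/null 2>&1 && klist -s
}

# Invoked with a config directory: check it, then the ticket cache.
if [ $# -gt 0 ]; then
    check_storm_client_conf "$1" && has_valid_ticket || exit 1
fi
```

Run the script with /etc/storm/conf as its argument after kinit; a non-zero exit status means either a FAIL line was printed or the ticket cache is empty or expired.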