Hadoop Security Guide
core-site.xml

Add the following information to the core-site.xml file on every host in your cluster:

Table 2.9. General core-site.xml, Knox, and Hue

| Property Name | Property Value | Description |
|---|---|---|
| hadoop.security.authentication | kerberos | Set the authentication type for the cluster. Valid values are: simple or kerberos. |
| hadoop.rpc.protection | authentication; integrity; privacy | This is an [OPTIONAL] setting. If not set, defaults to authentication. authentication = authentication only; the client and server mutually authenticate during connection setup. integrity = authentication and integrity; guarantees the integrity of data exchanged between client and server as well as authentication. privacy = authentication, integrity, and confidentiality; guarantees that data exchanged between client and server is encrypted and is not readable by a "man in the middle". |
| hadoop.security.authorization | true | Enable authorization for different protocols. |
| hadoop.security.auth_to_local | The mapping rules, for example: RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ DEFAULT | The mapping from Kerberos principal names to local OS user names. See Creating Mappings Between Principals and UNIX Usernames for more information. |


Following is the XML for these entries:

<property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
    <description>Set the authentication for the cluster.
    Valid values are: simple or kerberos.</description>
</property>

<property>
    <name>hadoop.security.authorization</name>
    <value>true</value>
    <description>Enable authorization for different protocols.</description>
</property>

<property>
    <name>hadoop.security.auth_to_local</name>
    <value>
    RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
    RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
    RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
    RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
    DEFAULT
    </value>
    <description>The mapping from Kerberos principal names
    to local OS user names.</description>
</property>
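To check which local user a principal will become before the cluster decides it, the following added Python (not part of the guide or of Hadoop) evaluates the auth_to_local rules above the way Hadoop's KerberosName class does: take the rules whose component count matches the principal, expand the [n:format] string, require the regex to match the whole string, then apply the sed-style substitution. It assumes EXAMPLE.COM is the cluster's local realm and handles only the syntax used on this page (RULE with optional regex and s///g, plus DEFAULT).

```python
import re

# Local realm, assumed for this example (Hadoop reads it from krb5.conf);
# the DEFAULT rule only maps principals that come from this realm.
LOCAL_REALM = "EXAMPLE.COM"

# The hadoop.security.auth_to_local value from the guide; rules are whitespace separated.
AUTH_TO_LOCAL = """
RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
DEFAULT
"""

# RULE:[n:format](regex)s/pattern/replacement/g -- the (regex) and s/// parts are optional
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")


class NoMatchingRule(Exception):
    """No rule produced a short name, so Hadoop would refuse the principal."""


def to_short_name(principal, rules=AUTH_TO_LOCAL):
    """Map primary[/instance]@REALM to a local user name as Hadoop's KerberosName does."""
    name, realm = principal.rsplit("@", 1)
    parts = name.split("/")
    for token in rules.split():
        if token == "DEFAULT":          # first component, but only for the local realm
            if realm == LOCAL_REALM:
                return parts[0]
            continue
        m = RULE_RE.match(token)
        if not m:
            raise ValueError("malformed rule: " + token)
        n, fmt, regex, pat, repl, flag = m.groups()
        if len(parts) != int(n):        # each rule applies to n-component names only
            continue
        # Build the base string: $0 is the realm, $1..$n are the name components
        base = re.sub(r"\$(\d+)", lambda g: realm if g.group(1) == "0"
                      else parts[int(g.group(1)) - 1], fmt)
        if regex and not re.fullmatch(regex, base):   # Java matches(): whole string
            continue
        if pat is not None:             # sed-style substitution; Java $1 -> Python \1
            base = re.sub(pat, re.sub(r"\$(\d+)", r"\\\1", repl), base,
                          count=0 if flag == "g" else 1)
        if re.search(r"[/@]", base):    # Hadoop rejects results that are not simple names
            raise NoMatchingRule("non-simple result for %s: %s" % (principal, base))
        return base
    raise NoMatchingRule("no auth_to_local rule matched " + principal)
```

Running it shows that a principal from an unlisted realm is refused rather than silently mapped to its first component, and that the `.*EXAMPLE.COM` patterns in these rules also accept principals from any realm whose name ends in EXAMPLE.COM, which is worth tightening where cross-realm trust exists.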

When using the Knox Gateway, add the following to the core-site.xml file on the master node hosts in your cluster:

Table 2.10. core-site.xml Master Node Settings -- Knox Gateway

| Property Name | Property Value | Description |
|---|---|---|
| hadoop.proxyuser.knox.groups | users | Grants proxy privileges for the Knox user. |
| hadoop.proxyuser.knox.hosts | $knox_host_FQDN | Identifies the Knox Gateway host. |


When using Hue, add the following to the core-site.xml file on the master node hosts in your cluster:

Table 2.11. core-site.xml Master Node Settings -- Hue

| Property Name | Property Value | Description |
|---|---|---|
| hue.kerberos.principal.shortname | hue | Group to which all the Hue users belong. Use the wildcard character to select multiple groups, for example cli*. |
| hadoop.proxyuser.hue.groups | * | Group to which all the Hue users belong. Use the wildcard character to select multiple groups, for example cli*. |
| hadoop.proxyuser.hue.hosts | * | |
| hadoop.proxyuser.knox.hosts | $hue_host_FQDN | Identifies the Knox Gateway host. |


Following is the XML for both Knox and Hue settings:

<property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
    <description>Set the authentication for the cluster.
    Valid values are: simple or kerberos.</description>
</property>

<property>
    <name>hadoop.security.authorization</name>
    <value>true</value>
    <description>Enable authorization for different protocols.</description>
</property>

<property>
    <name>hadoop.security.auth_to_local</name>
    <value>
    RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
    RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
    RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
    RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
    DEFAULT
    </value>
    <description>The mapping from Kerberos principal names
    to local OS user names.</description>
</property>

<property>
    <name>hadoop.proxyuser.knox.groups</name>
    <value>users</value>
</property>

<property>
    <name>hadoop.proxyuser.knox.hosts</name>
    <value>Knox.EXAMPLE.COM</value>
</property>

HTTP Cookie Persistence

During HTTP authentication, the server sets an authentication cookie. When configured as a persistent cookie, it remains valid across browser sessions. For clusters that require enhanced security, it is preferable to use a session cookie, which is deleted when the user closes the browser.

You can use the following core-site.xml property to control whether the cookie persists across browser sessions: true makes it a persistent cookie, false makes it a session cookie.

<property>
    <name>hadoop.http.authentication.cookie.persistent</name>
    <value>true</value>
</property>

The default value for this property is false.