Hadoop Security Guide
yarn-site.xml

You must add the following information to the yarn-site.xml file on every host in your cluster:

Table 2.13. yarn-site.xml Property Settings

| Property | Value | Description |
|---|---|---|
| yarn.resourcemanager.principal | yarn/localhost@EXAMPLE.COM | The Kerberos principal for the ResourceManager. |
| yarn.resourcemanager.keytab | /etc/krb5.keytab | The keytab for the ResourceManager. |
| yarn.nodemanager.principal | yarn/localhost@EXAMPLE.COM | The Kerberos principal for the NodeManager. |
| yarn.nodemanager.keytab | /etc/krb5.keytab | The keytab for the NodeManager. |
| yarn.nodemanager.container-executor.class | org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor | The class that will execute (launch) the containers. |
| yarn.nodemanager.linux-container-executor.path | hadoop-3.0.0-SNAPSHOT/bin/container-executor | The path to the Linux container executor. |
| yarn.nodemanager.linux-container-executor.group | hadoop | A special group (e.g., hadoop) with execute permission on the container executor. The NodeManager UNIX user must be a member of this group, and no ordinary application user may be. If any application user belongs to this group, security will be compromised. Set this property to the name of that group. |
| yarn.timeline-service.principal | yarn/localhost@EXAMPLE.COM | The Kerberos principal for the Timeline Server. |
| yarn.timeline-service.keytab | /etc/krb5.keytab | The Kerberos keytab for the Timeline Server. |
| yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled | true | Flag that replaces the default Kerberos authentication filter with the RM authentication filter, which allows authentication using delegation tokens (falling back to Kerberos if the tokens are missing). Only applicable when the HTTP authentication type is Kerberos. |
| yarn.timeline-service.http-authentication.type | kerberos | Defines the authentication used for the Timeline Server HTTP endpoint. Supported values are: simple, kerberos, or $AUTHENTICATION_HANDLER_CLASSNAME. |
| yarn.timeline-service.http-authentication.kerberos.principal | HTTP/localhost@EXAMPLE.COM | The Kerberos principal to be used for the Timeline Server HTTP endpoint. |
| yarn.timeline-service.http-authentication.kerberos.keytab | /etc/krb5.keytab | The Kerberos keytab to be used for the Timeline Server HTTP endpoint. |


Following is the XML for these entries:

<property>
     <name>yarn.resourcemanager.principal</name>
     <value>yarn/localhost@EXAMPLE.COM</value>
</property>
 
<property>
     <name>yarn.resourcemanager.keytab</name>
     <value>/etc/krb5.keytab</value>
</property>
 
<property>
     <name>yarn.nodemanager.principal</name>
     <value>yarn/localhost@EXAMPLE.COM</value>
</property>
 
<property>
     <name>yarn.nodemanager.keytab</name>
     <value>/etc/krb5.keytab</value>
</property>
 
<property>
     <name>yarn.nodemanager.container-executor.class</name>
     <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
 
<property>
     <name>yarn.nodemanager.linux-container-executor.path</name>
     <value>hadoop-3.0.0-SNAPSHOT/bin/container-executor</value>
</property>
 
<property>
     <name>yarn.nodemanager.linux-container-executor.group</name>
     <value>hadoop</value>
</property>
 
<property>
     <name>yarn.timeline-service.principal</name>
     <value>yarn/localhost@EXAMPLE.COM</value>
</property>
 
<property>
     <name>yarn.timeline-service.keytab</name>
     <value>/etc/krb5.keytab</value>
</property>
 
<property>
     <name>yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled</name>
     <value>true</value>
</property>
 
<property>
     <name>yarn.timeline-service.http-authentication.type</name>
     <value>kerberos</value>
</property>
 
<property>
     <name>yarn.timeline-service.http-authentication.kerberos.principal</name>
     <value>HTTP/localhost@EXAMPLE.COM</value>
</property>
 
<property>
     <name>yarn.timeline-service.http-authentication.kerberos.keytab</name>
     <value>/etc/krb5.keytab</value>
</property>
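
Because these settings must match on every host, a per-host audit is a useful check. The following is an added example, not part of the original guide or of Hadoop: it parses a yarn-site.xml document, compares it against the table above, and applies the rule that no application user may belong to the container-executor group. The function name `audit_yarn_site`, the finding strings, the caller-supplied group membership, and the `<configuration>` root element in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

EXECUTOR_GROUP = "yarn.nodemanager.linux-container-executor.group"
# Names and fixed values come from the table above; None accepts any non-empty value.
REQUIRED = {f"yarn.{svc}.{key}": None
            for svc in ("resourcemanager", "nodemanager", "timeline-service",
                        "timeline-service.http-authentication.kerberos")
            for key in ("principal", "keytab")}
REQUIRED.update({
    "yarn.nodemanager.linux-container-executor.path": None,
    EXECUTOR_GROUP: None,
    "yarn.nodemanager.container-executor.class":
        "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor",
    "yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled": "true",
    "yarn.timeline-service.http-authentication.type": "kerberos",
})

def audit_yarn_site(xml_text, group_members, service_users):
    """Return findings for one host's yarn-site.xml; an empty list means it matches.

    group_members maps a group name to its member user names and service_users
    lists the accounts allowed in the executor group (both supplied by the caller,
    so the check runs offline; on a host they come from the group database).
    """
    props = {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
             for p in ET.fromstring(xml_text).iter("property")}
    findings = []
    for name, expected in REQUIRED.items():
        value = props.get(name, "")
        if not value:
            findings.append(f"missing: {name}")
        elif expected is not None and value != expected:
            findings.append(f"unexpected: {name}={value}")
        elif name.endswith(".principal") and ("/" not in value or "@" not in value):
            findings.append(f"malformed principal: {name}={value}")
    # Rule from the table: no ordinary application user may belong to this group.
    group = props.get(EXECUTOR_GROUP, "")
    for user in sorted(set(group_members.get(group, ())) - set(service_users)):
        findings.append(f"application user in group {group}: {user}")
    return findings

if __name__ == "__main__":
    # Constructed fragment: HTTP auth left at "simple"; every other property is absent.
    sample = ("<configuration><property><name>yarn.timeline-service.http-authentication.type"
              "</name><value>simple</value></property></configuration>")
    for finding in audit_yarn_site(sample, {}, {"yarn"}):
        print(finding)
```

Values are compared exactly as written in the table, so a differently cased `true` or `kerberos` is reported as unexpected.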