core-site.xml

Add the following information to the core-site.xml file on every host in your cluster:

Table 2.10. General core-site.xml, Knox, and Hue

Property Name	Property Value	Description
hadoop.security.authentication	kerberos	Set the authentication type for the cluster. Valid values are: simple or kerberos.
hadoop.rpc.protection	authentication; integrity; privacy	This is an [OPTIONAL] setting. If not set, defaults to authentication. authentication = authentication only; the client and server mutually authenticate during connection setup. integrity = authentication and integrity; guarantees the integrity of data exchanged between client and server as well as authentication. privacy = authentication, integrity, and confidentiality; guarantees that data exchanged between client and server is encrypted and is not readable by a “man in the middle”.
hadoop.security.authorization	true	Enable authorization for different protocols.
hadoop.security.auth_to_local	The mapping rules. For example: `RULE:[2:$1@$0]([jt]t@.EXAMPLE.COM)s/./mapred/ RULE:[2:$1@$0]([nd]n@.EXAMPLE.COM)s/./hdfs/ RULE:[2:$1@$0](hm@.EXAMPLE.COM)s/./hbase/ RULE:[2:$1@$0](rs@.EXAMPLE.COM)s/./hbase/ DEFAULT`	The mapping from Kerberos principal names to local OS user names. See Creating Mappings Between Principals and UNIX Usernames for more information.

Following is the XML for these entries:

<property> 
     <name>hadoop.security.authentication</name> 
     <value>kerberos</value> 
     <description> Set the authentication for the cluster. 
     Valid values are: simple or kerberos.</description> 
</property> 
 
<property> 
     <name>hadoop.security.authorization</name> 
     <value>true</value> 
     <description>Enable authorization for different protocols.</description> 
</property> 
 
<property>
    <name>hadoop.security.auth_to_local</name> 
    <value> 
    RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ 
    RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ 
    RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ 
    RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ 
    DEFAULT
    </value> 
    <description>The mapping from kerberos principal names
    to local OS user names.</description>
</property>

	Note
	Phoenix Query Server sites: See Configuring Phoenix Query Server for an additional required property setting in the `core-site.xml` file to complete Kerberos security configuration.

When using the Knox Gateway, add the following to the core-site.xml file on the master nodes host in your cluster:

Table 2.11. core-site.xml Master Node Settings -- Knox Gateway

Property Name	Property Value	Description
hadoop.proxyuser.knox.groups	users	Grants proxy privileges for Knox user.
hadoop.proxyuser.knox.hosts	$knox_host_FQDN	Identifies the Knox Gateway host.

When using Hue, add the following to the core-site.xml file on the master nodes host in your cluster:

Table 2.12. core-site.xml Master Node Settings -- Hue

Property Name	Property Value	Description
hue.kerberos.principal.shortname	hue	Group to which all the Hue users belong. Use the wild card character to select multiple groups, for example cli*.
hadoop.proxyuser.hue.groups	*	Group to which all the Hue users belong. Use the wild card character to select multiple groups, for example cli*.
hadoop.proxyuser.hue.hosts	*
hadoop.proxyuser.knox.hosts	$hue_host_FQDN	Identifies the Knox Gateway host.

Following is the XML for both Knox and Hue settings:

<property> 
     <name>hadoop.security.authentication</name> 
     <value>kerberos</value> 
     <description>Set the authentication for the cluster. 
     Valid values are: simple or kerberos.</description> 
</property> 
 
<property> 
     <name>hadoop.security.authorization</name> 
     <value>true</value> 
     <description>Enable authorization for different protocols. 
     </description> 
</property> 
 
<property>
     <name>hadoop.security.auth_to_local</name> 
     <value> 
     RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ 
     RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ 
     RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ 
     RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ 
     DEFAULT
     </value> 
     <description>The mapping from kerberos principal names
     to local OS user names.</description>
</property>
 
<property>
     <name>hadoop.proxyuser.knox.groups</name>
     <value>users</value>
</property>
 
<property>
     <name>hadoop.proxyuser.knox.hosts</name>
     <value>Knox.EXAMPLE.COM</value>
</property>

HTTP Cookie Persistence

During HTTP authentication, a cookie is dropped. This is a persistent cookie that is valid across browser sessions. For clusters that require enhanced security, it is desirable to have a session cookie that gets deleted when the user closes the browser session.

You can use the following core-site.xml property to specify cookie persistence across browser sessions.

<property>
   <name>hadoop.http.authentication.cookie.persistent</name>
   <value>true</value> 
</property>

The default value for this property is false.

​core-site.xml

​HTTP Cookie Persistence

core-site.xml

HTTP Cookie Persistence