HDFS/WebHDFS
ZooKeeper Usage:
hadoop-ha
- hdfs zkfc automatic NameNode failover
Default ACLs:
hadoop-ha
- world:anyone:cdrwa
Security Best Practice ACLs/Permissions and Required Steps:
hadoop-ha
- sasl:nn:cdrwa
Existing SmartSense rule recommends ACL of sasl:nn:rwcda for secured clusters. To set this:

- Set ha.zookeeper.acl to sasl:nn:rwcda:
  Using Ambari: Add ha.zookeeper.acl with value sasl:nn:rwcda in Configs > Advanced > Custom core-site.
  Manually: Add this to core-site.xml as root user:

    <property>
      <name>ha.zookeeper.acl</name>
      <value>sasl:nn:rwcda</value>
    </property>

- Add this HADOOP_ZKFC_OPTS export:
  Using Ambari: In Configs > Advanced > Advanced hadoop-env > hadoop-env template, add the following:

    export HADOOP_ZKFC_OPTS="-Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/conf/hdfs_jaas.conf -Dzookeeper.sasl.clientconfig=Client ${HADOOP_ZKFC_OPTS}"

  Manually: Add this to hadoop-env.sh as root user:

    export HADOOP_ZKFC_OPTS="-Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/conf/hdfs_jaas.conf -Dzookeeper.sasl.clientconfig=Client ${HADOOP_ZKFC_OPTS}"

- On the two NameNodes, create /etc/hadoop/conf/hdfs_jaas.conf as root user with the following contents:

    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      useTicketCache=false
      keyTab="/etc/security/keytabs/nn.service.keytab"
      principal="nn/<HOST>@EXAMPLE.COM";
    };

  nn/<HOST>@EXAMPLE.COM must be changed to the actual hostname and realm, e.g. nn/c6401.ambari.apache.org@EXAMPLE.COM. To get the actual principal, on the two NameNodes, run the following command as the hdfs user:

    klist -k /etc/security/keytabs/nn.service.keytab

- Stop the two ZKFCs.
- On one of the NameNodes, run the following command as the hdfs user:

    hdfs zkfc -formatZK -force

- Start the two ZKFCs.
- One of the two NameNodes may be stopped in the process, or the standby NameNode may be transitioned to the active one. Start the stopped NameNode, if any.
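A configuration audit for the settings described above, added here as an example and not part of the original documentation: it reads ha.zookeeper.acl from a core-site.xml document and HADOOP_ZKFC_OPTS from hadoop-env.sh text (both constructed inline), parses the ZooKeeper ACL string, and reports when /hadoop-ha would stay modifiable by anyone, or when the sasl ACL is set without the ZKFC SASL client option. The function and variable names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

# ZooKeeper permission letters; order inside an ACL string is irrelevant, so
# "cdrwa" (the default's spelling) and "rwcda" (the SmartSense rule's) are the same rights.
PERMS = set("cdrwa")
DEFAULT_ACL = "world:anyone:cdrwa"  # what ZKFC applies when ha.zookeeper.acl is unset
SASL_FLAG = "-Dzookeeper.sasl.client=true"

def parse_acl(acl):
    """Parse 'scheme:id:perms[,scheme:id:perms...]' into (scheme, id, frozenset) tuples."""
    entries = []
    for item in acl.split(","):
        scheme, rest = item.strip().split(":", 1)
        ident, perms = rest.rsplit(":", 1)  # digest ids contain ':' themselves
        if not perms or set(perms) - PERMS:
            raise ValueError(f"bad permission string in ACL entry {item!r}")
        entries.append((scheme, ident, frozenset(perms)))
    return entries

def core_site_property(xml_text, name):
    """Return the value of the named <property> in a core-site.xml document, or None."""
    for prop in ET.fromstring(xml_text).iter("property"):
        if prop.findtext("name") == name:
            return (prop.findtext("value") or "").strip()
    return None

def audit_zkfc(core_site_xml, hadoop_env_sh):
    """Return a list of findings; an empty list means the hardening above is in place."""
    findings = []
    acl = core_site_property(core_site_xml, "ha.zookeeper.acl") or DEFAULT_ACL
    entries = parse_acl(acl)
    for scheme, ident, perms in entries:
        if scheme == "world" and perms & {"c", "d", "w", "a"}:
            findings.append(f"/hadoop-ha modifiable by anyone via {scheme}:{ident}")
    m = re.search(r'HADOOP_ZKFC_OPTS="([^"]*)"', hadoop_env_sh)
    flags = m.group(1).split() if m else []
    if any(s == "sasl" for s, _, _ in entries) and SASL_FLAG not in flags:
        findings.append("sasl ACL set but ZKFC is not configured to authenticate to ZooKeeper")
    return findings

# Constructed sample inputs, not taken from a real cluster.
INSECURE_CORE_SITE = "<configuration></configuration>"  # property unset -> default ACL
HARDENED_CORE_SITE = """<configuration>
  <property><name>ha.zookeeper.acl</name><value>sasl:nn:rwcda</value></property>
</configuration>"""
HARDENED_HADOOP_ENV = ('export HADOOP_ZKFC_OPTS="-Dzookeeper.sasl.client=true '
                       '-Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config='
                       '/etc/hadoop/conf/hdfs_jaas.conf -Dzookeeper.sasl.clientconfig=Client ${HADOOP_ZKFC_OPTS}"')
```

Run audit_zkfc over a cluster's real core-site.xml and hadoop-env.sh contents; a non-empty result lists what still needs the steps above.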