Configuring Apache HDFS Encryption

Configuring DataNode SASL

Use the following steps to configure DataNode SASL so that a DataNode can run securely as a non-root user.

  1. Shut down the DataNode using the applicable commands in “Controlling HDP Services Manually”.
  2. Enable SASL:
    1. Configure the following properties in the /etc/hadoop/conf/hdfs-site.xml file to enable DataNode SASL:
      The property enables DataNode SASL. You can set this property to one of the following values:
      • authentication -- Establishes mutual authentication between the client and the server.
      • integrity -- In addition to authentication, guarantees that a man-in-the-middle cannot tamper with messages exchanged between the client and the server.
      • privacy -- In addition to authentication and integrity, fully encrypts the messages exchanged between the client and the server.
    2. In addition to setting a value for the property, you must set the dfs.http.policy property to HTTPS_ONLY. You must also explicitly specify the ports for the DataNode RPC and HTTP servers.
  3. Update Environment Settings. Edit the following setting in the /etc/hadoop/conf/ file, as shown below:
    #On secure datanodes, user to run the datanode as after dropping privileges

    The export HADOOP_SECURE_DN_USER=hdfs line enables the legacy security configuration, and must be set to an empty value in order for SASL to be enabled.

  4. Start the DataNode services.
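As an added example (not part of the original documentation), the following check reads the two files the steps above edit and reports anything that would still leave the DataNode on the legacy configuration. It assumes that the DataNode SASL property the text refers to is dfs.data.transfer.protection, and that the RPC and HTTP ports are set through the dfs.datanode.address and dfs.datanode.http.address properties; both sample files below are constructed inline rather than taken from a real cluster.

```python
"""Pre-start consistency check for a DataNode SASL configuration (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed hdfs-site.xml fragment with the settings from steps 2.1 and 2.2.
SAMPLE_HDFS_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>dfs.data.transfer.protection</name><value>privacy</value></property>
  <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:10019</value></property>
  <property><name>dfs.datanode.http.address</name><value>0.0.0.0:10022</value></property>
</configuration>
"""

# Constructed hadoop-env.sh excerpt: the legacy line is still set here, so the
# check below must flag it (step 3 requires an empty value for SASL).
SAMPLE_HADOOP_ENV = """# On secure datanodes, user to run the datanode as after dropping privileges
export HADOOP_SECURE_DN_USER=hdfs
"""

# Accepted quality-of-protection values; only 'privacy' encrypts block data.
SASL_QOP = ("authentication", "integrity", "privacy")


def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop-style *-site.xml document."""
    props = {}
    for prop in ET.fromstring(text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def secure_dn_user(env_text):
    """Return the value assigned to HADOOP_SECURE_DN_USER, or None if never exported.

    Commented-out lines are ignored; when the variable is exported more than
    once, the last assignment wins, as it would when the shell sources the file.
    """
    value = None
    for line in env_text.splitlines():
        m = re.match(r'\s*export\s+HADOOP_SECURE_DN_USER=(["\']?)(.*?)\1\s*$', line)
        if m:
            value = m.group(2)
    return value


def check_datanode_sasl(hdfs_site_xml, hadoop_env):
    """Return a list of findings; an empty list means the files agree with the SASL steps."""
    props = parse_hadoop_xml(hdfs_site_xml)
    findings = []

    # Step 2.1: the SASL property must carry one of the three QOP values.
    qop = props.get("dfs.data.transfer.protection")
    if qop not in SASL_QOP:
        findings.append("dfs.data.transfer.protection must be one of %s (got %r)"
                        % (", ".join(SASL_QOP), qop))

    # Step 2.2: HTTPS only, and explicit host:port for the RPC and HTTP servers.
    if props.get("dfs.http.policy") != "HTTPS_ONLY":
        findings.append("dfs.http.policy must be HTTPS_ONLY (got %r)" % props.get("dfs.http.policy"))
    for key in ("dfs.datanode.address", "dfs.datanode.http.address"):
        addr = props.get(key)
        if not addr or not re.search(r":\d+$", addr):
            findings.append("%s must specify an explicit host:port (got %r)" % (key, addr))

    # Step 3: a non-empty HADOOP_SECURE_DN_USER keeps the legacy (non-SASL) path active.
    user = secure_dn_user(hadoop_env)
    if user:
        findings.append("HADOOP_SECURE_DN_USER=%s enables the legacy configuration; "
                        "set it to an empty value for SASL" % user)
    return findings


if __name__ == "__main__":
    for finding in check_datanode_sasl(SAMPLE_HDFS_SITE, SAMPLE_HADOOP_ENV) or ["OK"]:
        print(finding)
```

Run against real files by reading hdfs-site.xml and hadoop-env.sh into the two arguments; the check is read-only and makes no changes, so it is safe to run before step 4 starts the DataNode.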