core-site.xml

Reference material for adding security information to the core-site.xml configuration file when setting up Kerberos for non-Ambari clusters.

Add the following information to the core-site.xml file on every host in your cluster:

Table 1. General core-site.xml and Knox
Property Name	Property Value	Description
hadoop.security.authentication	kerberos	Set the authentication type for the cluster. Valid values are: simple or kerberos.
hadoop.rpc.protection	authentication; integrity; privacy	This is an [OPTIONAL] setting. If not set, defaults to authentication. authentication = authentication only; the client and server mutually authenticate during connection setup. integrity = authentication and integrity; guarantees the integrity of data exchanged between client and server as well as authentication. privacy = authentication, integrity, and confidentiality; guarantees that data exchanged between client and server is encrypted and is not readable by a “man in the middle”.
hadoop.security.authorization	true	Enable authorization for different protocols.
hadoop.security.auth_to_local	The mapping rules. For example: `RULE:[2:$1@$0]([jt]t@.EXAMPLE.COM)s/./mapred/ RULE:[2:$1@$0]([nd]n@.EXAMPLE.COM)s/./hdfs/ RULE:[2:$1@$0](hm@.EXAMPLE.COM)s/./hbase/ RULE:[2:$1@$0](rs@.EXAMPLE.COM)s/./hbase/ DEFAULT`	The mapping from Kerberos principal names to local OS user names. “Create Mappings Between Principals and UNIX Usernames” for more information.

Following is the XML for these entries:

<property> 
     <name>hadoop.security.authentication</name> 
     <value>kerberos</value> 
     <description> Set the authentication for the cluster. 
     Valid values are: simple or kerberos.</description> 
</property> 
 
<property> 
     <name>hadoop.security.authorization</name> 
     <value>true</value> 
     <description>Enable authorization for different protocols.</description> 
</property> 
 
<property>
    <name>hadoop.security.auth_to_local</name> 
    <value> 
    RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ 
    RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ 
    RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ 
    RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ 
    DEFAULT
    </value> 
    <description>The mapping from kerberos principal names
    to local OS user names.</description>
</property>

When using the Knox Gateway, add the following to the core-site.xml file on the master nodes host in your cluster:

Table 2. core-site.xml Master Node Settings -- Knox Gateway
Property Name	Property Value	Description
hadoop.proxyuser.knox.groups	users	Grants proxy privileges for Knox user.
hadoop.proxyuser.knox.hosts	$knox_host_FQDN	Identifies the Knox Gateway host.

Following is the XML for Knox settings:

<property> 
     <name>hadoop.security.authentication</name> 
     <value>kerberos</value> 
     <description>Set the authentication for the cluster. 
     Valid values are: simple or kerberos.</description> 
</property> 
 
<property> 
     <name>hadoop.security.authorization</name> 
     <value>true</value> 
     <description>Enable authorization for different protocols. 
     </description> 
</property> 
 
<property>
     <name>hadoop.security.auth_to_local</name> 
     <value> 
     RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ 
     RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ 
     RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ 
     RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ 
     DEFAULT
     </value> 
     <description>The mapping from kerberos principal names
     to local OS user names.</description>
</property>
 
<property>
     <name>hadoop.proxyuser.knox.groups</name>
     <value>users</value>
</property>