yarn-site.xml
Reference material for adding security information to the yarn-site.xml configuration file when setting up Kerberos for non-Ambari clusters.

You must add the following information to the yarn-site.xml file on every host in your cluster:
Property | Value | Description |
---|---|---|
yarn.resourcemanager.principal | yarn/localhost@EXAMPLE.COM | The Kerberos principal for the ResourceManager. |
yarn.resourcemanager.keytab | /etc/krb5.keytab | The keytab for the ResourceManager. |
yarn.nodemanager.principal | yarn/localhost@EXAMPLE.COM | The Kerberos principal for the NodeManager. |
yarn.nodemanager.keytab | /etc/krb5.keytab | The keytab for the NodeManager. |
yarn.nodemanager.container-executor.class | org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor | The class that will execute (launch) the containers. |
yarn.nodemanager.linux-container-executor.path | hadoop-3.0.0-SNAPSHOT/bin/container-executor | The path to the Linux container executor. |
yarn.nodemanager.linux-container-executor.group | hadoop | A special group (e.g., hadoop) with executable permissions for the container executor, of which the NodeManager UNIX user is a member and no ordinary application user is. If any application user belongs to this special group, security will be compromised. The name of this special group should be specified as the value of this configuration property. |
yarn.timeline-service.principal | yarn/localhost@EXAMPLE.COM | The Kerberos principal for the Timeline Server. |
yarn.timeline-service.keytab | /etc/krb5.keytab | The Kerberos keytab for the Timeline Server. |
yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled | true | Flag to enable override of the default Kerberos authentication filter with the RM authentication filter to allow authentication using delegation tokens (fallback to Kerberos if the tokens are missing). Only applicable when the HTTP authentication type is Kerberos. |
yarn.timeline-service.http-authentication.type | kerberos | Defines the authentication used for the Timeline Server HTTP endpoint. Supported values are: simple \| kerberos \| $AUTHENTICATION_HANDLER_CLASSNAME |
yarn.timeline-service.http-authentication.kerberos.principal | HTTP/localhost@EXAMPLE.COM | The Kerberos principal to be used for the Timeline Server HTTP endpoint. |
yarn.timeline-service.http-authentication.kerberos.keytab | /etc/krb5.keytab | The Kerberos keytab to be used for the Timeline Server HTTP endpoint. |

Following is the XML for these entries:
```xml
<property>
  <name>yarn.resourcemanager.principal</name>
  <value>yarn/localhost@EXAMPLE.COM</value>
</property>
<property>
  <name>yarn.resourcemanager.keytab</name>
  <value>/etc/krb5.keytab</value>
</property>
<property>
  <name>yarn.nodemanager.principal</name>
  <value>yarn/localhost@EXAMPLE.COM</value>
</property>
<property>
  <name>yarn.nodemanager.keytab</name>
  <value>/etc/krb5.keytab</value>
</property>
<property>
  <name>yarn.nodemanager.container-executor.class</name>
  <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<property>
  <name>yarn.nodemanager.linux-container-executor.path</name>
  <value>hadoop-3.0.0-SNAPSHOT/bin/container-executor</value>
</property>
<property>
  <name>yarn.nodemanager.linux-container-executor.group</name>
  <value>hadoop</value>
</property>
<property>
  <name>yarn.timeline-service.principal</name>
  <value>yarn/localhost@EXAMPLE.COM</value>
</property>
<property>
  <name>yarn.timeline-service.keytab</name>
  <value>/etc/krb5.keytab</value>
</property>
<property>
  <name>yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled</name>
  <value>true</value>
</property>
<property>
  <name>yarn.timeline-service.http-authentication.type</name>
  <value>kerberos</value>
</property>
<property>
  <name>yarn.timeline-service.http-authentication.kerberos.principal</name>
  <value>HTTP/localhost@EXAMPLE.COM</value>
</property>
<property>
  <name>yarn.timeline-service.http-authentication.kerberos.keytab</name>
  <value>/etc/krb5.keytab</value>
</property>
```
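
Because these entries must be present on every host and no application user may belong to the container-executor group, a per-host check is worth automating. The following Python audit is an added example, not part of the original reference or of Hadoop; the function names, the finding strings, the constructed `SAMPLE` fragment, and the users `yarn`, `alice` and `bob` are assumptions.

```python
import xml.etree.ElementTree as ET
# Every property the table above requires on each host.
REQUIRED = [
    "yarn.resourcemanager.principal", "yarn.resourcemanager.keytab",
    "yarn.nodemanager.principal", "yarn.nodemanager.keytab",
    "yarn.nodemanager.container-executor.class",
    "yarn.nodemanager.linux-container-executor.path",
    "yarn.nodemanager.linux-container-executor.group",
    "yarn.timeline-service.principal", "yarn.timeline-service.keytab",
    "yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled",
    "yarn.timeline-service.http-authentication.type",
    "yarn.timeline-service.http-authentication.kerberos.principal",
    "yarn.timeline-service.http-authentication.kerberos.keytab",
]
LCE = "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor"

def load_props(xml_text):
    """Return {name: value} for every <property> element in the document."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit(xml_text, group_members, nm_user, app_users):
    """group_members: all users in the executor group (primary or supplementary)."""
    props = load_props(xml_text)
    findings = [f"missing: {n}" for n in REQUIRED if not props.get(n)]
    for name, value in props.items():
        well_formed = "/" in value.split("@")[0] and value.count("@") == 1
        if name.endswith("principal") and value and not well_formed:
            findings.append(f"not service/host@REALM: {name}={value}")
    if props.get("yarn.nodemanager.container-executor.class", LCE) != LCE:
        findings.append("container-executor.class is not LinuxContainerExecutor")
    if props.get("yarn.timeline-service.http-authentication.type") == "simple":
        findings.append("timeline HTTP endpoint uses simple authentication")
    group = props.get("yarn.nodemanager.linux-container-executor.group", "")
    if group and nm_user not in group_members:
        findings.append(f"NodeManager user {nm_user} is not in group {group}")
    for user in sorted(set(group_members) & set(app_users)):
        findings.append(f"application user {user} is in group {group}")
    return findings

# Constructed fragment with three entries; the other ten are reported as missing.
SAMPLE = """<configuration>
<property><name>yarn.nodemanager.principal</name><value>yarn@EXAMPLE.COM</value></property>
<property><name>yarn.nodemanager.linux-container-executor.group</name><value>hadoop</value></property>
<property><name>yarn.timeline-service.http-authentication.type</name><value>simple</value></property>
</configuration>"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, ["yarn", "alice"], "yarn", ["alice", "bob"])))
```

The caller supplies the group membership for each host, so the same function can compare hosts whose local accounts differ.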