HCatalog Authentication
This section describes how to configure HCatalog in CDH 5 with Kerberos security in a Hadoop cluster:
- Before You Start
- Step 1: Create the HTTP keytab file
- Step 2: Configure WebHCat to Use Security
- Step 3: Create Proxy Users
- Step 4: Verify the Configuration
For more information about HCatalog see Installing and Using HCatalog.
Before You Start
Secure Web HCatalog requires a running remote Hive metastore service configured in secure mode. See Hive MetaStoreServer Security Configuration for instructions. Running secure WebHCat with an embedded repository is not supported.
Step 1: Create the HTTP keytab file
You need to create a keytab file for WebHCat. Follow these steps:
- Create the file:
kadmin: addprinc -randkey HTTP/fully.qualified.domain.name@YOUR-REALM.COM kadmin: xst -k HTTP.keytab HTTP/fully.qualified.domain.name
- Move the file into the WebHCat configuration directory and restrict its access exclusively to the hcatalog user:
$ mv HTTP.keytab /etc/webhcat/conf/ $ chown hcatalog /etc/webhcat/conf/HTTP.keytab $ chmod 400 /etc/webhcat/conf/HTTP.keytab
Step 2: Configure WebHCat to Use Security
Create or edit the WebHCat configuration file webhcat-site.xml in the configuration directory and set following properties:
Property |
Value |
---|---|
templeton.kerberos.secret |
Any random value |
templeton.kerberos.keytab |
/etc/webhcat/conf/HTTP.keytab |
templeton.kerberos.principal |
HTTP/fully.qualified.domain.name@YOUR-REALM.COM |
Example configuration:
<property> <name>templeton.kerberos.secret</name> <value>SuPerS3c3tV@lue!</value> </property> <property> <name>templeton.kerberos.keytab</name> <value>/etc/webhcat/conf/HTTP.keytab</value> </property> <property> <name>templeton.kerberos.principal</name> <value>HTTP/fully.qualified.domain.name@YOUR-REALM.COM</value> </property>
Step 3: Create Proxy Users
WebHCat needs access to your NameNode in order to work properly, and so you must configure Hadoop to allow impersonation from the hcatalog user. To do this, edit your core-site.xml configuration file and set the hadoop.proxyuser.HTTP.hosts and hadoop.proxyuser.HTTP.groups properties to specify the hosts from which HCatalog can do the impersonation and what users can be impersonated. You can use the value * for "any".
Example configuration:
<property> <name>hadoop.proxyuser.HTTP.hosts</name> <value>*</value> </property> <property> <name>hadoop.proxyuser.HTTP.groups</name> <value>*</value> </property>
Step 4: Verify the Configuration
After restarting WebHcat you can verify that it is working by using curl (you may need to run kinit first):
$ curl --negotiate -i -u : 'http://fully.qualified.domain.name:50111/templeton/v1/ddl/database'