Configuring SSL for HDFS, YARN and MapReduce

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Before You Begin

  • Before enabling SSL, keystores containing certificates bound to the appropriate domain names will need to be accessible on all hosts on which at least one HDFS, MapReduce, or YARN daemon role is running.
  • Since HDFS, MapReduce, and YARN daemons act as SSL clients as well as SSL servers, they must have access to truststores. In many cases, the most practical approach is to deploy truststores to all hosts in the cluster, as it may not be desirable to determine in advance the set of hosts on which clients will run.
  • Keystores for HDFS, MapReduce and YARN must be owned by the hadoop group, and have permissions 0440 (that is, readable by owner and group). Truststores must have permissions 0444 (that is, readable by all)
  • Cloudera Manager supports SSL configuration for HDFS, MapReduce and YARN at the service level. For each of these services, you must specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the service in question run. Therefore, the paths you choose must be valid on all hosts.

    An implication of this is that the keystore file names for a given service must be the same on all hosts. If, for example, you have obtained separate certificates for HDFS daemons on hosts node1.example.com and node2.example.com, you might have chosen to store these certificates in files called hdfs-node1.keystore and hdfs-node2.keystore (respectively). When deploying these keystores, you must give them both the same name on the target host — for example, hdfs.keystore.

  • Multiple daemons running on a host can share a certificate. For example, in case there is a DataNode and an Oozie server running on the same host, they can use the same certificate.

Configuring SSL for HDFS

  1. Navigate to the HDFS service and click Configuration.
  2. In the Search field, type SSL to show the SSL properties (found under the Service-Wide > Security category).
  3. Edit the following properties according to your cluster configuration:
    Property Description
    SSL Server Keystore File Location Path to the keystore file containing the server certificate and private key.
    SSL Server Keystore File Password Password for the server keystore file.
    SSL Server Keystore Key Password Password that protects the private key contained in the server keystore.
  4. If you are not using the default truststore, configure SSL client truststore properties:
    Property Description
    Cluster-Wide Default SSL Client Truststore Location Path to the client truststore file. This truststore contains certificates of trusted servers, or of Certificate Authorities trusted to identify servers.
    Cluster-Wide Default SSL Client Truststore Password Password for the client truststore file.
  5. Cloudera recommends you enable Web UI authentication for the HDFS service.

    Enter web consoles in the Search field to bring up the Enable Authentication for HTTP Web-Consoles property (found under the Service-Wide>Security category). Check the property to enable web UI authentication.

    Enable Authentication for HTTP Web-Consoles Enables authentication for hadoop HTTP web-consoles for all roles of this service.
  6. Click Save Changes.
  7. Follow the procedure described in the following Configuring TLS/SSL for YARN and MapReduce section, at the end of which you will be instructed to restart all the affected services (HDFS, MapReduce and YARN).

Configuring SSL for YARN and MapReduce

Perform the following steps to configure SSL for the YARN or MapReduce services:
  1. Navigate to the YARN or MapReduce service and click Configuration.
  2. In the Search field, type SSL to show the SSL properties (found under the Service-Wide > Security category).
  3. Edit the following properties according to your cluster configuration:
    Property Description
    SSL Server Keystore File Location Path to the keystore file containing the server certificate and private key.
    SSL Server Keystore File Password Password for the server keystore file.
    SSL Server Keystore Key Password Password that protects the private key contained in the server keystore.
  4. Configure the following SSL client truststore properties for MRv1 or YARN only if you want to override the cluster-wide defaults set by the HDFS properties configured above.
    Property Description
    SSL Client Truststore File Location Path to the client truststore file. This truststore contains certificates of trusted servers, or of Certificate Authorities trusted to identify servers.
    SSL Client Truststore File Password Password for the client truststore file.
  5. Cloudera recommends you enable Web UI authentication for the service in question.

    Enter web consoles in the Search field to bring up the Enable Authentication for HTTP Web-Consoles property (found under the Service-Wide>Security category). Check the property to enable web UI authentication.

    Enable Authentication for HTTP Web-Consoles Enables authentication for hadoop HTTP web-consoles for all roles of this service.
  6. Click Save Changes.
  7. Navigate to the HDFS service and in the Search field, type Hadoop SSL Enabled. Click the value for the Hadoop SSL Enabled property and select the checkbox to enable SSL communication for HDFS, MapReduce, and YARN.
    Property Description
    Hadoop SSL Enabled Enable SSL encryption for HDFS, MapReduce, and YARN web UIs, as well as encrypted shuffle for MapReduce and YARN.
  8. Click Save Changes to commit the changes.
  9. Restart all affected services (HDFS, MapReduce and YARN), as well as their dependent services.