This is the documentation for Cloudera Manager 5.1.x. Documentation for other versions is available at Cloudera Documentation.

Configuring SSL for HDFS, YARN and MapReduce

Required Role:

Before You Begin

  • Before enabling SSL, keystores containing certificates bound to the appropriate domain names will need to be accessible on all hosts on which at least one HDFS, MapReduce, or YARN daemon role is running.
  • Since HDFS, MapReduce, and YARN daemons act as SSL clients as well as SSL servers, they must have access to truststores. In many cases, the most practical approach is to deploy truststores to all hosts in the cluster, as it may not be desirable to determine in advance the set of hosts on which clients will run.
  • Keystores for HDFS, MapReduce and YARN must be owned by the hadoop group, and have permissions 0440 (that is, readable by owner and group). Truststores must have permissions 0444 (that is, readable by all).
  • Cloudera Manager supports SSL configuration for HDFS, MapReduce and YARN at the service level. For each of these services, you must specify absolute paths to the keystore and truststore files. These settings apply to all hosts on which daemon roles of the service in question run. Therefore, the paths you choose must be valid on all hosts.

    An implication of this is that the keystore file names for a given service must be the same on all hosts. If, for example, you have obtained separate certificates for HDFS daemons on hosts node1.example.com and node2.example.com, you might have chosen to store these certificates in files called hdfs-node1.keystore and hdfs-node2.keystore (respectively). When deploying these keystores, you must give them both the same name on the target host — for example, hdfs.keystore.

  • Multiple daemons running on a host can share a certificate. For example, in case there is a DataNode and an Oozie server running on the same host, they can use the same certificate.

Procedure

Perform the following steps to configure SSL for the YARN/MapReduce and HDFS services:
  1. Navigate to the YARN or MapReduce service and click Configuration.
  2. In the Search field, type SSL to show the SSL properties (found under the Service-Wide > Security category).
  3. Edit the following properties according to your cluster configuration:
    Property                              Description
    SSL Server Keystore File Location     Path to the keystore file containing the server certificate and private key.
    SSL Server Keystore File Password     Password for the server keystore file.
    SSL Server Keystore Key Password      Password that protects the private key contained in the server keystore.
  4. If you are not using the default truststore, configure SSL client truststore properties:
    Property                              Description
    SSL Client Truststore File Location   Path to the client truststore file. This truststore contains certificates of trusted servers, or of Certificate Authorities trusted to identify servers.
    SSL Client Truststore File Password   Password for the client truststore file.
  5. Cloudera recommends you enable Web UI authentication for the service in question.

    Enter web consoles in the Search field to bring up the Enable Authentication for HTTP Web-Consoles property (found under the Service-Wide > Security category). Check the property to enable web UI authentication.

    Property                                        Description
    Enable Authentication for HTTP Web-Consoles     Enables authentication for Hadoop HTTP web consoles for all roles of this service.
                                                    Note: This is effective only if security is enabled for the HDFS service.
  6. Click Save Changes.
  7. Repeat steps 1-6 for the HDFS service.
  8. In the HDFS Configuration Search field, type Hadoop SSL Enabled. Click the value for the Hadoop SSL Enabled property and select the checkbox to enable SSL communication.
    Property              Description
    Hadoop SSL Enabled    Enable SSL encryption for HDFS, MapReduce, and YARN web UIs, as well as encrypted shuffle for MapReduce and YARN.
  9. Click Save Changes.
  10. Restart all affected services (HDFS, MapReduce and/or YARN), as well as their dependent services.
Page generated September 3, 2015.