Setting up WebHDFS on a secure cluster requires you to update certain properties on
hdfs-site.xml
, create an HTTP service user principal, create a keytab for
the principal, and verify the association of the principal and keytab with the correct HTTP
service.
-
Create an HTTP service user principal.
kadmin: addprinc -randkey HTTP/$<Fully_Qualified_Domain_Name>@$<Realm_Name>.COM
where:
Fully_Qualified_Domain_Name
: Host where the NameNode is
deployed.
Realm_Name
: Name of your Kerberos realm.
-
Create a keytab file for the HTTP principal.
kadmin: xst -norandkey -k /etc/security/spnego.service.keytab HTTP/$<Fully_Qualified_Domain_Name>
-
Verify that the keytab file and the principal are associated with the correct
service.
klist –k -t /etc/security/spnego.service.keytab
-
Add the
dfs.web.authentication.kerberos.principal
and
dfs.web.authentication.kerberos.keytab
properties to
hdfs-site.xml
.
<property>
<name>dfs.web.authentication.kerberos.principal</name>
<value>HTTP/$<Fully_Qualified_Domain_Name>@$<Realm_Name>.COM</value>
</property>
<property>
<name>dfs.web.authentication.kerberos.keytab</name>
<value>/etc/security/spnego.service.keytab</value>
</property>
-
Restart the NameNode and the DataNodes.