Set up WebHDFS on a secure cluster

Setting up WebHDFS on a secure cluster requires you to update certain properties on hdfs-site.xml, create an HTTP service user principal, create a keytab for the principal, and verify the association of the principal and keytab with the correct HTTP service.

  1. Create an HTTP service user principal.
    kadmin: addprinc -randkey HTTP/$<Fully_Qualified_Domain_Name>@$<Realm_Name>.COM
    where:
    • Fully_Qualified_Domain_Name: Host where the NameNode is deployed.
    • Realm_Name: Name of your Kerberos realm.
  2. Create a keytab file for the HTTP principal.
    kadmin: xst -norandkey -k /etc/security/spnego.service.keytab HTTP/$<Fully_Qualified_Domain_Name>
  3. Verify that the keytab file and the principal are associated with the correct service.
    klist –k -t /etc/security/spnego.service.keytab
  4. Add the dfs.web.authentication.kerberos.principal and dfs.web.authentication.kerberos.keytab properties to hdfs-site.xml.
    
    <property>
      <name>dfs.web.authentication.kerberos.principal</name>
      <value>HTTP/$<Fully_Qualified_Domain_Name>@$<Realm_Name>.COM</value>
    </property>
    <property>
      <name>dfs.web.authentication.kerberos.keytab</name>
      <value>/etc/security/spnego.service.keytab</value>
    </property>
  5. Restart the NameNode and the DataNodes.