Configuring Hadoop Security in CDH4
These instructions assume that you know how to install and configure Kerberos, that you already have a working Kerberos Key Distribution Center (KDC) and realm setup, and that you have installed the Kerberos user packages on all cluster machines and on any machines that will be used to access the cluster. Furthermore, Oozie and Hue require that the realm support renewable tickets. For more information about installing and configuring Kerberos, see:
Here are the general steps for configuring secure Hadoop, each of which is described in more detail in the following sections:
- Install CDH4.
- Verify User Accounts and Groups in CDH4 Due to Security.
- If you are using AES-256 encryption, install the JCE Policy File.
- Create and Deploy the Kerberos Principals and Keytab Files.
- Shut Down the Cluster.
- Enable Hadoop security.
- Configure secure HDFS.
- Optional: Configuring Security for HDFS High Availability.
- Optional: Configure secure WebHDFS.
- Set Variables for Secure DataNodes.
- Start up the NameNode.
- Start up a DataNode.
- Set the Sticky Bit on HDFS Directories.
- Start up the Secondary NameNode (if used).
- Configure Either MRv1 Security or YARN Security.
Kerberos security in CDH4 has been tested with the following version of MIT Kerberos 5:
- krb5-1.6.1 on Red Hat Enterprise Linux 5 and CentOS 5
Kerberos security in CDH4 is supported with the following versions of MIT Kerberos 5:
- krb5-1.6.3 on SUSE Linux Enterprise Server (SLES) 11 Service Pack 1
- krb5-1.8.1 on Ubuntu
- krb5-1.8.2 on Red Hat Enterprise Linux 6 and CentOS 6
- krb5-1.9 on Red Hat Enterprise Linux 6.1
If you want to enable Kerberos SPNEGO-based authentication for the Hadoop web interfaces, see the Hadoop Auth, Java HTTP SPNEGO Documentation.