
Configuring Kerberos Authentication

This page explains how to configure Kerberos authentication. The following files under the directory kubernetes are updated.

├── conf
│   ├── core-site.xml
│   └── krb5.conf
├── ranger-key
│   ├── install.properties
│   └── solr.in.sh
└── ranger-conf
    ├── core-site.xml
    ├── krb5.conf
    ├── ranger-admin-site.xml.append
    └── solr-security.json

conf/core-site.xml and ranger-conf/core-site.xml

In order to use Kerberos authentication, set the configuration key hadoop.security.authentication to kerberos.

vi conf/core-site.xml ranger-conf/core-site.xml

<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>

If non-secure HDFS is used, set the configuration key ipc.client.fallback-to-simple-auth-allowed to true.

vi conf/core-site.xml ranger-conf/core-site.xml

<property>
<name>ipc.client.fallback-to-simple-auth-allowed</name>
<value>true</value>
</property>

conf/krb5.conf, ranger-conf/krb5.conf

To use Kerberos, the user should update krb5.conf, which contains the details of the Kerberos server: 1) the Kerberos realm; 2) the IP address of the Kerberos admin server; 3) the IP address of the KDC (Key Distribution Center).

vi conf/krb5.conf ranger-conf/krb5.conf

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
forwardable = true
rdns = false
default_realm = RED
default_ccache_name = /tmp/krb5cc_%{uid}

[realms]
RED = {
admin_server = red0
kdc = red0
}

Usually it suffices to reuse /etc/krb5.conf if the node is already set up to use Kerberos.

ranger-key/install.properties

Set the following variables to Kerberos principals for Ranger.

vi ranger-key/install.properties

spnego_principal=HTTP/orange1@PL
admin_principal=rangeradmin/orange1@PL
lookup_principal=rangerlookup@PL

ranger-key/solr.in.sh

The environment variable SOLR_AUTHENTICATION_OPTS should use the host running Ranger, the SPNEGO service principal, and its service keytab.

vi ranger-key/solr.in.sh

SOLR_AUTH_TYPE="kerberos"
SOLR_AUTHENTICATION_OPTS="\
-Djava.security.krb5.conf=/opt/mr3-run/ranger/conf/krb5.conf \
-Dsolr.kerberos.cookie.domain=orange1 \
-Dsolr.kerberos.principal=HTTP/orange1@PL \
-Dsolr.kerberos.keytab=/opt/mr3-run/ranger/key/spnego.service.keytab"

ranger-conf/ranger-admin-site.xml.append

Set the configuration key xasecure.audit.jaas.Client.option.principal to the admin service principal for Ranger.

vi ranger-conf/ranger-admin-site.xml.append

<property>
<name>xasecure.audit.jaas.Client.option.principal</name>
<value>rangeradmin/orange1@PL</value>
</property>

ranger-conf/solr-security.json

This file configures authentication and authorization in the Solr instance used by Ranger. The user-role section should specify the service principal for HiveServer2 and the admin service principal for Ranger.

vi ranger-conf/solr-security.json

{
  "authentication": {
    "class": "org.apache.solr.security.KerberosPlugin"
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "update",
        "role": "updater"
      },
      {
        "name": "read",
        "role": "reader"
      },
      {
        "name": "*",
        "role": "admin"
      }
    ],
    "user-role": {
      "hive/orange1@PL": "updater",
      "rangeradmin/orange1@PL": "reader"
    }
  }
}
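The Kerberos settings above are spread over five files that have to agree with one another: the SPNEGO principal appears in both install.properties and solr.in.sh, and the admin principal in install.properties, ranger-admin-site.xml.append and solr-security.json. The script below is an added example, not part of the MR3 documentation or of Ranger itself. It parses constructed inline copies of the snippets above and reports mismatches, including the invalid JSON that a stray comma or brace in solr-security.json produces. The function names and the set of checks are this example's own, and the realm check assumes that all Ranger principals belong to a single realm.

```python
"""Cross-check of the Kerberos settings in the files edited above (added example; the
inline strings are constructed copies of the page's snippets so that it runs offline)."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed copy of conf/core-site.xml and ranger-conf/core-site.xml.
CORE_SITE_XML = """<configuration>
<property><name>hadoop.security.authentication</name><value>kerberos</value></property>
<property><name>ipc.client.fallback-to-simple-auth-allowed</name><value>true</value></property>
</configuration>"""
# Constructed copy of ranger-key/install.properties.
INSTALL_PROPERTIES = """spnego_principal=HTTP/orange1@PL
admin_principal=rangeradmin/orange1@PL
lookup_principal=rangerlookup@PL
"""
# Constructed copy of ranger-key/solr.in.sh (raw string keeps the line continuations).
SOLR_IN_SH = r'''SOLR_AUTH_TYPE="kerberos"
SOLR_AUTHENTICATION_OPTS="\
-Djava.security.krb5.conf=/opt/mr3-run/ranger/conf/krb5.conf \
-Dsolr.kerberos.cookie.domain=orange1 \
-Dsolr.kerberos.principal=HTTP/orange1@PL \
-Dsolr.kerberos.keytab=/opt/mr3-run/ranger/key/spnego.service.keytab"
'''
# Constructed copy of ranger-conf/ranger-admin-site.xml.append (a fragment without a root element).
RANGER_ADMIN_APPEND = """<property>
<name>xasecure.audit.jaas.Client.option.principal</name>
<value>rangeradmin/orange1@PL</value>
</property>"""
# Constructed copy of ranger-conf/solr-security.json.
SOLR_SECURITY_JSON = """{
  "authentication": {"class": "org.apache.solr.security.KerberosPlugin"},
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "update", "role": "updater"}, {"name": "read", "role": "reader"},
                    {"name": "*", "role": "admin"}],
    "user-role": {"hive/orange1@PL": "updater", "rangeradmin/orange1@PL": "reader"}
  }
}"""


def parse_hadoop_xml(text):
    """Map <name> to <value> for each <property>; root-less fragments such as the .append file are wrapped."""
    text = text.strip()
    if not text.startswith("<configuration"):
        text = f"<configuration>{text}</configuration>"
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(text).iter("property")}


def parse_properties(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    pairs = [line.split("=", 1) for line in text.splitlines()
             if line.strip() and not line.lstrip().startswith("#") and "=" in line]
    return {k.strip(): v.strip() for k, v in pairs}


def parse_java_opts(text):
    """Collect the -Dkey=value pairs of a shell assignment such as SOLR_AUTHENTICATION_OPTS."""
    return dict(re.findall(r'-D([\w.]+)=([^\s"\\]+)', text))


def check_kerberos_config(core_site, install_props, solr_in_sh, ranger_append, solr_security):
    """Return the list of inconsistencies found; an empty list means the files agree."""
    findings = []
    core, props = parse_hadoop_xml(core_site), parse_properties(install_props)
    jvm, ranger = parse_java_opts(solr_in_sh), parse_hadoop_xml(ranger_append)
    spnego, admin = props.get("spnego_principal", ""), props.get("admin_principal", "")

    if core.get("hadoop.security.authentication") != "kerberos":
        findings.append("core-site.xml: hadoop.security.authentication is not 'kerberos'")
    if not re.search(r'SOLR_AUTH_TYPE="?kerberos"?', solr_in_sh):
        findings.append("solr.in.sh: SOLR_AUTH_TYPE is not 'kerberos'")
    if not spnego.startswith("HTTP/"):
        findings.append(f"install.properties: spnego_principal {spnego!r} is not an HTTP/ service principal")
    if jvm.get("solr.kerberos.principal") != spnego:
        findings.append("solr.in.sh: solr.kerberos.principal differs from spnego_principal")
    if ranger.get("xasecure.audit.jaas.Client.option.principal") != admin:
        findings.append("ranger-admin-site.xml.append: audit JAAS principal differs from admin_principal")

    try:
        security = json.loads(solr_security)
    except json.JSONDecodeError as exc:
        # A stray comma or brace from hand editing; Solr would refuse the file as well.
        findings.append(f"solr-security.json: invalid JSON ({exc.msg} at line {exc.lineno})")
        return findings
    if not security.get("authentication", {}).get("class", "").endswith("KerberosPlugin"):
        findings.append("solr-security.json: authentication class is not the KerberosPlugin")
    user_role = security.get("authorization", {}).get("user-role", {})
    if admin not in user_role:
        findings.append(f"solr-security.json: admin principal {admin} is missing from user-role")
    if not any(p.startswith("hive/") for p in user_role):
        findings.append("solr-security.json: no hive/ service principal (HiveServer2) in user-role")

    # Assumption of this example: every principal named across these files sits in one realm.
    realms = {p.rsplit("@", 1)[-1] for p in (spnego, admin, props.get("lookup_principal", ""), *user_role)}
    if len(realms) != 1:
        findings.append(f"principals span several realms: {sorted(realms)}")
    return findings


if __name__ == "__main__":
    print(check_kerberos_config(CORE_SITE_XML, INSTALL_PROPERTIES, SOLR_IN_SH,
                                RANGER_ADMIN_APPEND, SOLR_SECURITY_JSON) or "OK: settings agree")
```

To run it against a real checkout, replace the inline strings with the contents of the corresponding files under kubernetes/; an empty result means the principals line up, and any finding names the file that needs another look before the pods are restarted.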

Configuring Ranger

In the Ranger service, fill the JDBC URL field with:

  • jdbc:hive2://orange1:9852/;principal=hive/orange1@PL;

Running queries

To send queries to HiveServer2, the user should obtain a valid Kerberos ticket and use the following JDBC URL:

  • jdbc:hive2://orange1:9852/;principal=hive/orange1@PL;

Beeline uses the Kerberos ticket provided by the user in order to authenticate itself to HiveServer2. Hence the Kerberos ticket should be valid at the time of executing Beeline.
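Since Beeline authenticates with whatever ticket is in the user's credential cache, the usual failure is an expired ticket-granting ticket rather than a wrong URL. The following pre-flight check is an added example, not part of the MR3 documentation: it parses the JDBC URL above to find the realm of the HiveServer2 principal and then looks for an unexpired TGT for that realm in a constructed copy of klist output. The klist column layout is assumed to be that of MIT Kerberos (Heimdal prints a different table), and the function names are this example's own.

```python
"""Pre-flight check before running Beeline (added example, not part of the MR3 docs):
does the ticket cache hold an unexpired TGT for the realm named in the JDBC URL?"""
import re
from datetime import datetime

# Constructed sample in the MIT Kerberos `klist` layout (an assumption about the tool's
# output format; Heimdal's klist prints a different table and would need its own parser).
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: gla@PL

Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/16/2024 09:00:00  krbtgt/PL@PL
"""
# The JDBC URL given above for HiveServer2.
JDBC_URL = "jdbc:hive2://orange1:9852/;principal=hive/orange1@PL;"


def parse_hive_jdbc_url(url):
    """Split a hive2 JDBC URL into host, port, database and its ';'-separated session variables."""
    m = re.match(r"jdbc:hive2://([^:/;]+)(?::(\d+))?/?([^?#]*)", url)
    if not m:
        raise ValueError(f"not a hive2 JDBC URL: {url!r}")
    host, port, rest = m.groups()
    database, *variables = rest.split(";")
    params = dict(v.split("=", 1) for v in variables if "=" in v)
    # 10000 is HiveServer2's default port when the URL omits one.
    return {"host": host, "port": int(port) if port else 10000, "database": database, "params": params}


def parse_klist(text):
    """Return {service principal: expiry} from MIT klist output; header and cache lines are skipped."""
    tickets = {}
    for line in text.splitlines():
        m = re.match(r"(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$", line.strip())
        if not m:
            continue
        for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):  # 4- or 2-digit year builds
            try:
                tickets[m.group(3)] = datetime.strptime(m.group(2), fmt)
                break
            except ValueError:
                pass
    return tickets


def tgt_valid_for_url(klist_text, jdbc_url, now):
    """True when the cache holds a TGT for the URL's principal realm that expires after `now`
    (a datetime or an ISO 8601 string)."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    principal = parse_hive_jdbc_url(jdbc_url)["params"].get("principal", "")
    if "@" not in principal:
        raise ValueError("JDBC URL needs a ;principal=<service>/<host>@<REALM> session variable")
    realm = principal.rsplit("@", 1)[1]
    expiry = parse_klist(klist_text).get(f"krbtgt/{realm}@{realm}")
    return expiry is not None and now < expiry


if __name__ == "__main__":
    ok = tgt_valid_for_url(KLIST_OUTPUT, JDBC_URL, datetime.now())
    print("TGT valid, Beeline can authenticate" if ok else "no valid TGT: run kinit first")
```

On a real host, feed the output of klist into tgt_valid_for_url in place of the constructed sample; `klist -s` gives the same yes/no answer from the shell through its exit status, but the parsed form also tells you which realm the URL is asking for when the two disagree.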