This page explains how to set configurations for using Kerberos. We update the following files:
├── conf
│   ├── core-site.xml
│   └── krb5.conf
├── ranger-key
│   ├── install.properties
│   └── solr.in.sh
├── ranger-conf
│   ├── core-site.xml
│   ├── krb5.conf
│   ├── ranger-admin-site.xml.append
│   └── solr-security.json
└── timeline-conf
    ├── krb5.conf
    └── yarn-site.xml
conf/core-site.xml and ranger-conf/core-site.xml
Set the configuration key hadoop.security.authentication to kerberos.
$ vi conf/core-site.xml ranger-conf/core-site.xml
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>
conf/krb5.conf, ranger-conf/krb5.conf, timeline-conf/krb5.conf
Update krb5.conf, which contains the Kerberos client configuration (default realm, KDC and admin server).
$ vi conf/krb5.conf ranger-conf/krb5.conf timeline-conf/krb5.conf
[libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  forwardable = true
  rdns = false
  default_realm = PL
  default_ccache_name = /tmp/krb5cc_%{uid}
[realms]
  PL = {
    admin_server = 1.1.1.1
    kdc = 1.1.1.1
  }
ranger-key/install.properties
Set the following variables to the Kerberos principals used by Ranger.
$ vi ranger-key/install.properties
spnego_principal=HTTP/orange1@PL
admin_principal=rangeradmin/orange1@PL
lookup_principal=rangerlookup@PL
ranger-key/solr.in.sh
The environment variable SOLR_AUTHENTICATION_OPTS should refer to the host running Ranger, the SPNEGO service principal, and its service keytab.
$ vi kubernetes/ranger-key/solr.in.sh
SOLR_AUTH_TYPE="kerberos"
SOLR_AUTHENTICATION_OPTS="\
-Djava.security.krb5.conf=/opt/mr3-run/ranger/conf/krb5.conf \
-Dsolr.kerberos.cookie.domain=orange1 \
-Dsolr.kerberos.principal=HTTP/orange1@PL \
-Dsolr.kerberos.keytab=/opt/mr3-run/ranger/key/spnego.service.keytab"
ranger-conf/ranger-admin-site.xml.append
Set the configuration key xasecure.audit.jaas.Client.option.principal to the admin service principal for Ranger.
$ vi ranger-conf/ranger-admin-site.xml.append
<property>
  <name>xasecure.audit.jaas.Client.option.principal</name>
  <value>rangeradmin/orange1@PL</value>
</property>
ranger-conf/solr-security.json
This file sets the configuration for authentication and authorization in the Solr instance used by Ranger. The user-role section should specify the service principal for HiveServer2 and the admin service principal for Ranger. Note that the file must be valid JSON, so the last entry of user-role carries no trailing comma.
$ vi ranger-conf/solr-security.json
{
  "authentication": {
    "class": "org.apache.solr.security.KerberosPlugin"
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "update",
        "role": "updater"
      },
      {
        "name": "read",
        "role": "reader"
      },
      {
        "name": "*",
        "role": "admin"
      }
    ],
    "user-role": {
      "hive/orange1@PL": "updater",
      "rangeradmin/orange1@PL": "reader"
    }
  }
}
timeline-conf/yarn-site.xml
Set the configuration key yarn.timeline-service.http-authentication.type to kerberos, and configure authentication with a Kerberos keytab file as shown below.
<property>
  <name>yarn.timeline-service.http-authentication.type</name>
  <value>kerberos</value>
</property>
<property>
  <name>yarn.timeline-service.http-authentication.kerberos.principal</name>
  <value>hive/orange1@PL</value>
</property>
<property>
  <name>yarn.timeline-service.http-authentication.kerberos.keytab</name>
  <value>/opt/mr3-run/ats/key/hive-orange1.keytab</value>
</property>
Using Kerberos-based authentication for MR3-UI is optional and can be disabled independently of the configuration of Hive on MR3. In order not to use Kerberos-based authentication for MR3-UI, set the configuration key yarn.timeline-service.http-authentication.type to simple.
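The files above must agree with each other: the admin principal in install.properties, the JAAS principal in ranger-admin-site.xml.append and the user-role map in solr-security.json all name the same Ranger principal, and solr-security.json must parse. The following consistency check is an added example, not part of the MR3 distribution; the file contents are constructed inline so it runs offline, and the function names are assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

def xml_properties(text):
    """{name: value} for every <property> in Hadoop-style XML."""
    try:
        root = ET.fromstring(text)  # a complete core-site.xml
    except ET.ParseError:           # the .append file is a bare fragment
        root = ET.fromstring(f"<configuration>{text}</configuration>")
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def properties_file(text):
    """key=value lines of install.properties; comments and blanks skipped."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

# primary[/instance]@REALM, e.g. rangeradmin/orange1@PL
PRINCIPAL = re.compile(r"[^@/]+(/[^@/]+)?@[A-Za-z0-9.-]+$")

def check_kerberos_config(core_site, install_props, admin_append, solr_security):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    if xml_properties(core_site).get("hadoop.security.authentication") != "kerberos":
        problems.append("core-site.xml: hadoop.security.authentication is not kerberos")
    admin = properties_file(install_props).get("admin_principal")
    jaas = xml_properties(admin_append).get("xasecure.audit.jaas.Client.option.principal")
    if admin != jaas:
        problems.append(f"admin_principal {admin!r} != JAAS principal {jaas!r}")
    try:
        roles = json.loads(solr_security)["authorization"]["user-role"]
    except (ValueError, KeyError) as e:  # a trailing comma lands here
        return problems + [f"solr-security.json: cannot read user-role ({e})"]
    if admin not in roles:
        problems.append(f"solr-security.json: no role for {admin}")
    for p in {admin, jaas, *roles}:
        if p and not PRINCIPAL.match(p):
            problems.append(f"malformed principal (missing realm?): {p}")
    return problems

# Constructed sample contents mirroring this page (normally read from disk).
CORE_SITE = "<configuration><property><name>hadoop.security.authentication</name><value>kerberos</value></property></configuration>"
INSTALL_PROPS = "spnego_principal=HTTP/orange1@PL\nadmin_principal=rangeradmin/orange1@PL\n"
ADMIN_APPEND = "<property><name>xasecure.audit.jaas.Client.option.principal</name><value>rangeradmin/orange1@PL</value></property>"
SOLR_OK = ('{"authentication": {"class": "org.apache.solr.security.KerberosPlugin"}, '
           '"authorization": {"user-role": {"hive/orange1@PL": "updater", "rangeradmin/orange1@PL": "reader"}}}')
SOLR_BAD = SOLR_OK.replace('"reader"}', '"reader",}')  # trailing comma, invalid JSON
```

Run check_kerberos_config on the real files before restarting the pods; a non-empty list pinpoints which file disagrees with the others.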
Configuring Ranger
In the Ranger service, fill the JDBC URL field with:
jdbc:hive2://orange1:9852/;principal=hive/orange1@PL;
Running queries
To send queries to the public HiveServer2, the user should obtain a valid Kerberos ticket and use the following JDBC URL:
jdbc:hive2://orange1:9852/;principal=hive/orange1@PL;
Accessing MR3-UI
To access MR3-UI, the web browser should be configured to establish a secure connection with the Timeline Server by passing a Kerberos ticket. See Running MR3-UI for details.