core-site.xml
Add the following information to the core-site.xml file on
every host in your cluster:
Table 2.3. General core-site.xml, Knox, and Hue
|
Property Name |
Property Value |
Description |
|---|---|---|
|
hadoop.security.authentication |
kerberos |
Set the authentication type for the cluster. Valid values are: simple or kerberos. |
|
hadoop.rpc.protection |
authentication; integrity; privacy |
This is an [OPTIONAL] setting. If not set, defaults to authentication. authentication = authentication only; the client and server mutually authenticate during connection setup. integrity = authentication and integrity; guarantees the integrity of data exchanged between client and server as well as authentication. privacy = authentication, integrity, and confidentiality; guarantees that data exchanged between client and server is encrypted and is not readable by a “man in the middle”. |
|
hadoop.security.authorization |
true |
Enable authorization for different protocols. |
|
hadoop.security.auth_to_local |
The mapping rules. For example:
|
The mapping from Kerberos principal names to local OS user names. See Creating Mappings Between Principals and UNIX Usernames for more information. |
Following is the XML for these entries:
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
<description> Set the authentication for the cluster.
Valid values are: simple or kerberos.</description>
</property>
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
<description>Enable authorization for different protocols.</description>
</property>
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
DEFAULT
</value>
<description>The mapping from kerberos principal names
to local OS user names.</description>
</property> When using the Knox Gateway, add the following to the
core-site.xml file on the master nodes host in your
cluster:
Table 2.4. core-site.xml Master Node Settings -- Knox Gateway
|
Property Name |
Property Value |
Description |
|---|---|---|
|
hadoop.proxyuser.knox.groups |
users |
Grants proxy privileges for Knox user. |
|
hadoop.proxyuser.knox.hosts |
$knox_host_FQDN |
Identifies the Knox Gateway host. |
When using Hue, add the following to the core-site.xml
file on the master nodes host in your cluster:
Table 2.5. core-site.xml Master Node Settings -- Hue
|
Property Name |
Property Value |
Description |
|---|---|---|
|
hue.kerberos.principal.shortname |
hue |
Group to which all the Hue users belong. Use the wild card character to select multiple groups, for example cli*. |
|
hadoop.proxyuser.hue.groups |
* |
Group to which all the Hue users belong. Use the wild card character to select multiple groups, for example cli*. |
|
hadoop.proxyuser.hue.hosts |
* | |
|
hadoop.proxyuser.knox.hosts |
$hue_host_FQDN |
Identifies the Knox Gateway host. |
Following is the XML for both Knox and Hue settings:
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
<description>Set the authentication for the cluster.
Valid values are: simple or kerberos.</description>
</property>
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
<description>Enable authorization for different protocols.
</description>
</property>
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
DEFAULT
</value>
<description>The mapping from kerberos principal names
to local OS user names.</description>
</property>
<property>
<name>hadoop.proxyuser.knox.groups</name>
<value>users</value>
</property>
<property>
<name>hadoop.proxyuser.knox.hosts</name>
<value>Knox.EXAMPLE.COM</value>
</property> HTTP Cookie Persistence
During HTTP authentication, a cookie is dropped. This is a persistent cookie that is valid across browser sessions. For clusters that require enhanced security, it is desirable to have a session cookie that gets deleted when the user closes the browser session.
You can use the following core-site.xml property to specify
cookie persistence across browser sessions.
<property> <name>hadoop.http.authentication.cookie.persistent</name> <value>true</value> </property>
The default value for this property is false.