Customizing Security in HPE Ezmeral Data Fabric

Describes the .customSecure file and how HPE Ezmeral Data Fabric 6.x handles custom security settings.

NOTE
Implementing custom security is not recommended unless your installation demands it. Using the custom security option means that HPE Ezmeral Data Fabric software does not ensure that your system is secure by default, and that you need to manually perform all security configuration.

In HPE Ezmeral Data Fabric 6.x, the configure.sh script detects that a cluster is in one of three security states:

  • Secure: The cluster is configured with the default HPE Ezmeral Data Fabric security settings.
  • Custom secure: The cluster has a mixture of HPE Ezmeral Data Fabric security settings and custom settings.

Understanding how configure.sh handles custom security settings is important when you upgrade a cluster, add services, add nodes, or change security settings.

What is Custom Security?

Any change to the default HPE Ezmeral Data Fabric configuration for authentication, authorization, or encryption represents a "custom security" change. Users who make such changes are encouraged to create a .customSecure file to ensure that configure.sh does not remove these changes. Custom security changes include any change to the keystore or truststore passwords, the number of keys in those files, or the names of the keys.

Other examples of custom security changes include:
  • Implementing Kerberos security
  • Changing the Hive authorization model
  • Changing the Oozie authorization model

Identifying the Current Security State of the Cluster

If the current security state of the cluster (secure or custom secure) is unknown, you can use one of these checks to identify which state the cluster is in:
  • Check the security value in the /opt/mapr/conf/mapr-clusters.conf file. For example:
    <clustername1> secure=true <CLDB> <CLDB> … <CLDB>

    For more information, see mapr-clusters.conf.

  • Check for the presence of the .customSecure file:
    /opt/mapr/conf/.customSecure
    If the file is present, configure.sh treats the cluster as custom secure.

About the .customSecure File

If you customized the security settings for the cluster and you want to ensure that configure.sh does not change any of the settings, create a .customSecure file. Create the file in the following location on every node:
/opt/mapr/conf/.customSecure

The .customSecure file does not contain any information. The presence of the file tells configure.sh that the cluster has security settings that must not be changed by configure.sh.

Typically, you create the .customSecure file manually. However, in some cases, configure.sh creates or removes the .customSecure file for you. For example, if configure.sh detects that it is being run after an upgrade from a MapR 5.x secure cluster, it creates the .customSecure file automatically. If you use the -forceSecurityDefaults option and -secure with configure.sh, the script removes the .customSecure file because you are forcing the removal of custom security settings.
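
The following script is an added example, not HPE code. It combines the two checks from "Identifying the Current Security State of the Cluster" and compares the result across nodes, because .customSecure must exist on every node and configure.sh can create or remove it. The function names, the "not-secure" and "unknown" labels, and reading only the first entry of mapr-clusters.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example. Pass one conf directory per node (normally /opt/mapr/conf,
# or copies collected from each node) so the check also runs offline.

# Prints: custom-secure | secure | not-secure | unknown
security_state() {
    conf_dir=$1
    clusters="$conf_dir/mapr-clusters.conf"

    # The marker file wins: configure.sh treats the cluster as custom secure.
    if [ -e "$conf_dir/.customSecure" ]; then
        echo custom-secure
        return 0
    fi
    if [ ! -r "$clusters" ]; then
        echo unknown
        return 0
    fi
    # Assumption: the first entry describes the local cluster. "not-secure"
    # only means that secure=true is absent from that entry.
    state=$(awk 'NF && $1 !~ /^#/ {
        for (i = 2; i <= NF; i++)
            if ($i == "secure=true") { print "secure"; exit }
        print "not-secure"; exit
    }' "$clusters")
    echo "${state:-unknown}"
}

# Prints "<dir> <state>" per node; returns 1 if the nodes disagree, for
# example when .customSecure was created on some nodes but not on others.
check_nodes() {
    first=""
    drift=0
    for dir in "$@"; do
        node_state=$(security_state "$dir")
        echo "$dir $node_state"
        [ -n "$first" ] || first=$node_state
        [ "$node_state" = "$first" ] || drift=1
    done
    return "$drift"
}

# Run only when directories are given on the command line.
[ "$#" -eq 0 ] || check_nodes "$@"
```

A non-zero exit status means at least one node reports a different state from the first, which is worth resolving before the next configure.sh run.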

Forcing a Change to the Security Configuration

If your HPE Ezmeral Data Fabric 6.x cluster has custom security settings (the .customSecure file is present), and you want to change to the default HPE Ezmeral Data Fabric secure or non-secure settings, use the -forceSecurityDefaults option of configure.sh to make the change. Note these considerations:
  • Using the -forceSecurityDefaults option removes the .customSecure file. You must specify the -secure option with -forceSecurityDefaults. Otherwise, the command will have no effect.
  • The -forceSecurityDefaults option might not remove all custom settings. Some manual editing might be necessary to return the cluster to a usable state.
  • If you are forcing a custom-secured cluster to be HPE Ezmeral Data Fabric secure, you still must include other configure.sh options that are required for security. You must perform any steps required to add security. For example, see Enabling Wire-level Security.

Custom Security and the HPE Ezmeral Data Fabric Installer

Using the HPE Ezmeral Data Fabric Installer or HPE Ezmeral Data Fabric Installer Stanzas is not supported on clusters with custom security or customized configurations.

Adding a Node to a Cluster with Custom Security

Adding a node to a cluster with custom security is similar to adding a node to a cluster with HPE Ezmeral Data Fabric security, but there are some additional steps:
  1. Add the node with default HPE Ezmeral Data Fabric security as described in Adding Nodes to a Cluster.
  2. To support your custom security mode, copy any custom resources or settings as needed from existing nodes to the added node.
  3. Create the /opt/mapr/conf/.customSecure file on the added node:
    /usr/bin/touch /opt/mapr/conf/.customSecure

Adding a Service to a Cluster with Custom Security

If you add a new service (ecosystem component) to a secure or custom-secure cluster, configure.sh configures the service for HPE Ezmeral Data Fabric security automatically. If the cluster is custom secure, you need to change the security settings for the service to be compatible with the current cluster settings and restart the service. Any subsequent use of configure.sh -R will leave the customization in place.