Security Settings for Ecosystem Components

Lists the security settings for all HPE Ezmeral Data Fabric ecosystem components.

The security settings for the various ecosystem components are as follows:

Security Settings for Hadoop/Yarn

File or command: core-default.xml
Description: Authentication used for the HTTP web-consoles
Default Secure Setting: hadoop.http.authentication.type:org.apache.hadoop.security.authentication.server.MultiMechsAuthenticationHandler
Alternate Value or Change Command: simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME#
Notes: None
File or command: core-default.xml
Description: Custom principal of the service
Default Secure Setting: hadoop.security.custom.auth.principal.class:com.mapr.security.MapRPrincipal
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: LDAP Configuration
Default Secure Setting: hadoop.security.group.mapping.ldap.search.filter.user:(&(objectClass=user)(sAMAccountName={0}))
Alternate Value or Change Command: None
Notes: An additional filter to use when searching for LDAP users. The default filter is usually appropriate for Active Directory installations. If connecting to an LDAP server with a non-AD schema, replace the default filter with (&(objectClass=inetOrgPerson)(uid={0}). {0} is a special string used to denote where the username fits into the filter. If the LDAP server supports posixGroups, Hadoop can enable the feature by setting the value of this property to posixAccount and the value of the hadoop.security.group.mapping.ldap.search.filter.group property to posixGroup.
File or command: core-default.xml & core-site.xml
Description: Client authentication types
Default Secure Setting: hadoop.security.authentication: CUSTOM
Alternate Value or Change Command: None
Notes: None.
File or command: core-default.xml & core-site.xml
Description: Java class that handles HTTP auth secret
Default Secure Setting: hadoop.http.authentication.signature.secret:com.mapr.security.maprauth.MaprSignatureSecretFactory
Alternate Value or Change Command: None
Notes: None.
File or command: core-default.xml & core-site.xml
Description: Group authentication cache duration
Default Secure Setting: hadoop.security.groups.cache.secs:300
Alternate Value or Change Command: None
Notes: None.
File or command: core-default.xml & core-site.xml
Description: Name of the SignerSecretProvider class to use
Default Secure Setting: hadoop.http.authentication.signer.secret.provider:org.apache.hadoop.security.authentication.util.MapRSignerSecretProvider
Alternate Value or Change Command: None
Notes: None.
File or command: core-default.xml & core-site.xml
Description: Service that manages the HPE Ezmeral Data Fabric ticket
Default Secure Setting: yarn.external.token.manager:com.mapr.hadoop.yarn.security.MapRTicketManager
Alternate Value or Change Command: None
Notes: None.
File or command: core-default.xml & core-site.xml
Description: OS security random device file path
Default Secure Setting: hadoop.security.random.device.file.path:/dev/urandom
Alternate Value or Change Command: None
Notes: None.
File or command: core-default.xml & core-site.xml
Description: Key to set if the registry is secure
Default Secure Setting: hadoop.registry.secure:false
Alternate Value or Change Command: true
Notes: Turning it on, changes the permissions policy from open access to restrictions on kerberos with the option of a user adding one or more auth key pairs down their own tree.
File or command: core-default.xml & core-site.xml
Description: Authentication class name
Default Secure Setting: hadoop.log.level.authenticator.class:com.mapr.security.maprauth.MaprAuthenticator
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description:Indicates if administrator ACLs are required to access instrumentation servlets (JMX, METRICS, CONF, STACKS)
Default Secure Setting: hadoop.security.instrumentation.requires.admin:false
Alternate Value or Change Command: true
Notes: None
File or command: core-default.xml & core-site.xml
Description:The keystores factory to use for retrieving certificates
Default Secure Setting: hadoop.ssl.keystores.factory.class:org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: Comma-separated list of crypto codec implementations for AES/CTR/NoPadding
Default Secure Setting: hadoop.security.crypto.codec.classes.aes.ctr.nopadding:org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec,org.apache.hadoop.crypto.JceAesCtrCryptoCodec
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: The attribute of the group object that identifies the users that are members of the group.
Default Secure Setting: hadoop.security.group.mapping.ldap.search.attr.member:member
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: Logs a warning message, if looking up a single user to group takes longer than the specified number of milliseconds
Default Secure Setting: hadoop.security.groups.cache.warn.after.ms:5000
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: The attribute applied to the LDAP Search Control properties to set a maximum time limit when searching and waiting for a result
Default Secure Setting: hadoop.security.group.mapping.ldap.directory.search.timeout:10000
Alternate Value or Change Command: The unit is in milliseconds. Set to 0 if an infinite wait period is desired. Default is 10 seconds.
Notes: None
File or command: core-site.xml
Description: HPE Ezmeral Data Fabric service account ("mapr") impersonation
Default Secure Setting:
  • hadoop.proxyuser.mapr.hosts:*
  • hadoop.proxyuser.mapr.groups:*
Alternate Value or Change Command: None
Notes: Set by default in version 6.1 secure install.
File or command: yarn-site.xml
Description: Defines the authentication used for the timeline server HTTP endpoint.
Default Secure Setting: yarn.timeline-service.http-authentication.type:com.mapr.security.maprauth.MaprDelegationTokenAuthenticationHandler
Alternate Value or Change Command: Supported values are:
simple / kerberos / #AUTHENTICATION_HANDLER_CLASSNAME
# Defaults to simple.
Notes: None.
File or command: yarn-default.xml
Description: The allowed pattern for UNIX user names enforced by the Linux-container-executor when used in Nonsecure mode (use case for this is using cgroups).
Default Secure Setting: yarn.nodemanager.linux-container-executor.nonsecure-mode.user-pattern:^[_.A-Za-z0-9][-@_.A-Za-z0-9]{0,255}?[$]?$
Alternate Value or Change Command: None
Notes: The default value is taken from /usr/sbin/adduser.
File or command: core-default.xml & core-site.xml
Description: Indicates whether or not to use SSL when connecting to the LDAP server.
Default Secure Setting: hadoop.security.group.mapping.ldap.ssl:false
Alternate Value or Change Command: true
Notes: None
File or command: core-default.xml & core-site.xml
Description: An additional filter to use when searching for LDAP groups
Default Secure Setting: hadoop.security.group.mapping.ldap.search.filter.group:(objectClass=group)
Alternate Value or Change Command: None
Notes: Change this filter when resolving groups against a non-Active Directory installation. See the description of hadoop.security.group.mapping.ldap.search.filter.user to enable posixGroups support.
File or command: core-default.xml & core-site.xml
Description: This setting is the configuration controlling the validity of the entries in the cache containing the userId to userName and groupId to groupName mappings that are used by NativeIO getFstat().
Default Secure Setting: hadoop.security.uid.cache.secs:14400
Alternate Value or Change Command: None
Notes:None
File or command: yarn-default.xml
Description: Determines which of the two modes LCE should use on a nonsecure cluster.
Default Secure Setting: yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users:true
Alternate Value or Change Command: false
Notes:Set this value to true, to launch all containers as the user specified in yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user. Set this value to false to run containers as the user who submitted the application.
File or command: yarn-default.xml
Description: Disable insecure protocols
Default Secure Setting:
hadoop.ssl.exclude.insecure.protocols:SSLv3,TLSv1,TLSV1.1
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: Class for user to group mapping (get groups for a given user) for ACL.
Default Secure Setting: hadoop.security.group.mapping:org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback
Alternate Value or Change Command: None
Notes: The default implementation org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback determines if the Java Native Interface (JNI) is available. If JNI is available, the implementation uses the API within Hadoop to resolve a list of groups for a user. If JNI is not available, then the shell implementation ShellBasedUnixGroupsMapping, is used. This implementation shells out to the Linux/Unix environment with the bash -c groups command to resolve a list of groups for a user.
File or command: core-default.xml & core-site.xml
Description: Class for the 'custom type of authentication' method
Default Secure Setting: hadoop.security.custom.rpc.auth.method.class:org.apache.hadoop.security.rpcauth.MaprAuthMethod
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xm
Description: The attribute of the group object that identifies the group name
Default Secure Setting: hadoop.security.group.mapping.ldap.search.attr.group.name:cn
Alternate Value or Change Command: None
Notes: The default setting is usually appropriate for all LDAP systems.
File or command: core-default.xml & core-site.xm
Description: The Java secure random algorithm.
Default Secure Setting: hadoop.security.java.secure.random.algorithm:SHA1PRNG
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xm
Description: Indicates whether service-level authorization is enabled
Default Secure Setting: hadoop.security.authorization:true
Alternate Value or Change Command: false
Notes: None
File or command: core-default.xml & core-site.xm
Description: Expiration time for entries in the the negative user-to-group mapping caching, in seconds
Default Secure Setting: hadoop.security.groups.negative-cache.secs:30
Alternate Value or Change Command: None
Notes: This setting is useful when invalid users retry frequently. Set a low value for this expiration, since a transient error in group lookup could temporarily lock out a legitimate user. Set this parameter to zero or a negative value, to disable negative user-to-group caching.
File or command: yarn-default.xml
Description: Linux-container-executor setting
Default Secure Setting: yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user:nobody
Alternate Value or Change Command: None
Notes: The UNIX user that containers run as when Linux-container-executor is used in Nonsecure mode (a use case for this is using cgroups) if the yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users is set to true.
File or command: core-default.xml & core-site.xml
Description: Cipher suite for crypto codec.
Default Secure Setting: hadoop.security.crypto.cipher.suite:AES/CTR/NoPadding
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: Denotes the buffer size used by CryptoInputStream and CryptoOutputStream.
Default Secure Setting: hadoop.security.crypto.buffer.size:8192
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: Path to the JAAS configuration file
Default Secure Setting: hadoop.security.java.security.login.config.jar.path:/mapr.login.conf
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: Indicates if anonymous requests are allowed when using simple authentication.
Default Secure Setting: hadoop.http.authentication.simple.anonymous.allowed:true
Alternate Value or Change Command: false
Notes: None
File or command: yarn-default.xml
Description: Indicates if anonymous requests are allowed by the timeline server when using simple authentication.
Default Secure Setting: yarn.timeline-service.http-authentication.simple.anonymous.allowed:true
Alternate Value or Change Command: false
Notes: None
File or command: core-default.xml & core-site.xml
Description: Indicates how long (in seconds) an authentication token is valid before it has to be renewed.
Default Secure Setting: hadoop.http.authentication.token.validity:36000
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: IPC client fallback.
Default Secure Setting: ipc.client.fallback-to-simple-auth-allowed:false
Alternate Value or Change Command: true
Notes: When a client is configured to attempt a secure connection, but attempts to connect to an insecure server, that server may instruct the client to switch to SASL SIMPLE (unsecure) authentication. This setting controls whether or not the client accepts this instruction from the server. When false (the default), the client does not allow the fallback to SIMPLE authentication, but aborts the connection.
File or command: yarn-default.xml
Description: Initial duration of the data-fabric ticket
Default Secure Setting: yarn.mapr.ticket.expiration:604800000
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: Protocols supported by SSL.
Default Secure Setting: hadoop.ssl.enabled.protocols:TLSv1.2
Alternate Value or Change Command: true
Notes: When a client is configured to attempt a secure connection, but attempts to connect to an insecure server, that server may instruct the client to switch to SASL SIMPLE (unsecure) authentication. This setting controls whether or not the client accepts this instruction from the server. When false (the default), the client does not allow the fallback to SIMPLE authentication, but aborts the connection.
File or command: core-default.xml & core-site.xml
Description: List of excluded ciphers
Default Secure Setting: hadoop.ssl.exclude.cipher.suites:SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: Indicates whether client certificates are required
Default Secure Setting: hadoop.ssl.require.client.cert:false
Alternate Value or Change Command: true
Notes: None
File or command: core-default.xml & core-site.xml
Description: The hostname verifier to provide for HttpsURLConnections
Default Secure Setting: hadoop.ssl.hostname.verifier:DEFAULT
Alternate Value or Change Command: Valid values are: DEFAULT, STRICT, STRICT_I6, DEFAULT_AND_LOCALHOST, and ALLOW_ALL
Notes: None
File or command: core-default.xml & core-site.xml
Description: Resource file from which SSL client keystore information is extracted
Default Secure Setting: hadoop.ssl.client.conf:ssl-client.xml
Alternate Value or Change Command: None
Notes: This file is looked up in the classpath, and is usually present in the Hadoop conf/ directory.
File or command: mapred-default.xml
Description: Buffer size for reading spills from file when using SSL.
Default Secure Setting: mapreduce.shuffle.ssl.file.buffer.size:65536
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: The keystores factory to use for retrieving certificates.
Default Secure Setting: hadoop.ssl.keystores.factory.class:org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory
Alternate Value or Change Command: None
Notes: None
File or command: core-default.xml & core-site.xml
Description: Comma-separated list of crypto codec implementations for AES/CTR/NoPadding.
Default Secure Setting: hadoop.security.crypto.codec.classes.aes.ctr.nopadding:
org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec,org.apache.hadoop.crypto.JceAesCtrCryptoCodec
Alternate Value or Change Command: None
Notes: The first implementation is used, if available. Other implementations are fallbacks.
File or command: core-default.xml & core-site.xml
Description: Resource file from which SSL server keystore information is extracted.
Default Secure Setting: hadoop.ssl.server.conf:ssl-server.xml
Alternate Value or Change Command: None
Notes: This file is looked up in the classpath, and is usually present in the Hadoop conf/ directory.
File or command: core-default.xml & core-site.xml
Description: Configures the HTTP endpoint for Yarn daemons.
Default Secure Setting: yarn.http.policy:HTTP_ONLY
Alternate Value or Change Command: The following values are supported:
  • HTTP_ONLY: Service is provided only on HTTP
  • HTTPS_ONLY: Service is provided only on HTTPS
Notes: None.
File or command: core-default.xml & core-site.xml
Description: Indicates whether or not to use SSL when connecting to the LDAP server.
Default Secure Setting: hadoop.security.group.mapping.ldap.ssl:false
Alternate Value or Change Command: None
Notes: None.
File or command: core-default.xml & core-site.xml
Description: Enables or disables SSL connections to S3.
Default Secure Setting: fs.s3a.connection.ssl.enabled:true
Alternate Value or Change Command: false
Notes: None.
File or command: mapred-default.xml
Description: Indicates whether to use SSL for for the Shuffle HTTP endpoints.
Default Secure Setting: mapreduce.shuffle.ssl.enabled:false
Alternate Value or Change Command: true
Notes: None.

Security Settings for Hive

File or command: hive-site.xml
Description: Hive client authenticator manager class name
Default Secure Setting: hive.security.authenticator.manager:org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator
Alternate Value or Change Command: None
Notes: None.
File or command: hive-site.xml
Description: Enables or disables Hive client authorization
Default Secure Setting: hive.security.authorization.enabled:true
Alternate Value or Change Command: false
Notes: None.
File or command: hive-site.xml
Description: The Hive client authorization manager class name
Default Secure Setting: hive.security.authorization.manager:org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory
Alternate Value or Change Command: None
Notes: None.
File or command: hive-site.xml
Description: List of comma separated Java regexes
Default Secure Setting: hive.security.authorization.sqlstd.confwhitelist:hive\.exec\.pre\.hooks
Alternate Value or Change Command: None
Notes: You can modify configurations parameters that match these regexes when you enable SQL standard authorization.
File or command: hive-site.xml
Description: Authorization DDL task factory implementation
Default Secure Setting: hive.security.authorization.task.factory:org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl
Alternate Value or Change Command: None
Notes: None
File or command: hive-site.xml
Description: Comma-separated list of non-SQL Hive commands that users are authorized to execute
Default Secure Setting: hive.security.command.whitelist:set,reset,dfs,add,list,delete,reload,compile
Alternate Value or Change Command: None
Notes: None
File or command: hive-site.xml
Description: Authenticator manager class name to be used in the metastore for authentication.
Default Secure Setting: hive.security.metastore.authenticator.manager:org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator
Alternate Value or Change Command: None
Notes: None
File or command: hive-site.xml
Description: When set to true, the metastore authorizer authorizes read actions on the database and table
Default Secure Setting: hive.security.metastore.authorization.auth.reads:true
Alternate Value or Change Command: false
Notes: None
File or command: hive-site.xml
Description: Names of authorization manager classes (comma-separated) to be used in the metastore for authorization.
Default Secure Setting: hive.security.metastore.authorization.manager:org.apache.hadoop.hive.ql.security.
authorization.StorageBasedAuthorizationProvider
Alternate Value or Change Command: None
Notes: The user defined authorization class should implement interface org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider. All authorization manager classes have to successfully authorize the metastore API call for the command execution to be allowed.
File or command: hive-site.xml
Description: If true, the HiveServer2 WebUI is secured with PAM
Default Secure Setting: hive.server2.webui.use.pam=true
Alternate Value or Change Command: false
Notes: None
File or command: hive-site.xml
Description: Class for PAM authentication
Default Secure Setting: hive.server2.webui.pam.authenticator:org.apache.hive.http.security.PamAuthenticator
Alternate Value or Change Command: None
Notes: None
File or command: hive-site.xml
Description: Determines whether the metastore performs authorization checks against the underlying storage for operations such as drop-partition
Default Secure Setting: hive.metastore.authorization.storage.check.externaltable.drop:true
Alternate Value or Change Command: false
Notes: Disallow the drop-partition if the user in question does not have permissions to delete the corresponding directory on the storage
File or command: hive-site.xml
Description: Determines whether the metastore performs authorization checks against the underlying storage for operations such as drop-partition
Default Secure Setting: hive.metastore.authorization.storage.checks:false
Alternate Value or Change Command: true
Notes: Disallow the drop-partition if the user in question does not have permissions to delete the corresponding directory on the storage
File or command: hive-site.xml
Description: Client authentication types.
Default Secure Setting: hive.server2.authentication:PAM
Alternate Value or Change Command:
  • NONE: no authentication check – plain SASL transport
  • LDAP: LDAP/AD based authentication
  • KERBEROS: Kerberos/GSSAPI authentication
  • CUSTOM: Custom authentication provider (use with property hive.server2.custom.authentication.class)
  • PAM: Pluggable authentication module (added in Hive 0.13.0 with HIVE-6466)
  • NOSASL: Raw transport (added in Hive 0.13.0)
Notes: None
File or command: hive-site.xml
Description: Use this property in LDAP search queries for finding LDAP group names to which a user belongs
Default Secure Setting: hive.server2.authentication.ldap.groupClassKey:groupOfNames
Alternate Value or Change Command: None
Notes: Use this property to construct a LDAP group search query, and to indicate the objectClass of a group. Every LDAP group has a certain objectClass. For example: group, groupOfNames, and groupOfUniqueNames.
File or command: hive-site.xml
Description: LDAP attribute name on the group object that contains the list of distinguished names for the user, group, and contact objects that are members of the group.
Default Secure Setting: hive.server2.authentication.ldap.groupMembershipKey:member
Alternate Value or Change Command: None
Notes: For example: member, uniqueMember, or memberUid. Use this property in LDAP search queries when finding LDAP group names to which a particular user belongs. The value of the LDAP attribute as indicated by this property, should be a full DN for the user or the short username or userid.

For example, a group entry for fooGroup containing member : uid=fooUser,ou=Users,dc=domain,dc=com helps determine that fooUser belongs to LDAP group fooGroup.

See Group Membership for a detailed example. You can use this property to find the users, if a custom-configured LDAP query returns a group instead of a user (as of Hive 2.1.1). For details, see Support for Groups in Custom LDAP Query.
File or command: hive-site.xml
Description: This property indicates the prefix to use when building the bindDN for LDAP connection (when using only baseDN).
Default Secure Setting: hive.server2.authentication.ldap.guidKey:uid
Alternate Value or Change Command: None
Notes: bindDN is <guidKey>=<user/group>,<baseDN>. If the configuration uses userDNPattern and/or groupDNPattern, the guidKey is not required. The guidKey is required when only the baseDN is being used.
File or command: hive-site.xml
Description: When true, HiveServer2 in HTTP transport mode uses a cookie-based authentication mechanism.
Default Secure Setting: hive.server2.thrift.http.cookie.auth.enabled:true
Alternate Value or Change Command: None
Notes: None
File or command: hive-site.xml
Description: Sasl QOP value; set it to one of the following values to enable higher levels of protection for HiveServer2 communication with clients.
Default Secure Setting: hive.server2.thrift.sasl.qop:auth-conf
Alternate Value or Change Command: One of:
  • auth – authentication only (default)
  • auth-int – authentication plus
  • integrity protection auth-conf – authentication plus integrity and confidentiality protection
Notes: Note that setting hadoop.rpc.protection to a higher level than HiveServer2 does not make sense in most situations. HiveServer2 ignores hadoop.rpc.protection in favor of hive.server2.thrift.sasl.qop. This setting is applicable only if HiveServer2 is configured to use Kerberos authentication.
File or command: hive-site.xml
Description: Applies test settings for HS2 (for example for standard base authorization verification in FallbackHiveAuthorizer or in SQLAuthorizationUtils).
Default Secure Setting: hive.test.authz.sstd.hs2.mode:false
Alternate Value or Change Command: None
Notes: None
File or command: hive-site.xml
Description: Setting this property to true enables HiveServer2 to execute Hive operations as the user making the calls.
Default Secure Setting: hive.server2.enable.doAs=true
Alternate Value or Change Command: false
Notes: None
File or command: hive-site.xml
Description: Indicates whether metastore should use SSL
Default Secure Setting: hive.metastore.use.SSL:false
Alternate Value or Change Command: false
Notes: None
File or command: hive-site.xml
Description: SSL certificate keystore location.
Default Secure Setting: hive.server2.keystore.path:/opt/mapr/conf/ssl_keystore
Alternate Value or Change Command: None
Notes: None
File or command: hive-site.xml
Description: Set this to true to use SSL encryption in HiveServer2.
Default Secure Setting: hive.server2.use.SSL:true
Alternate Value or Change Command: false
Notes: None
File or command: hive-site.xml
Description: SSL certificate keystore location for HiveServer2 WebUI.
Default Secure Setting: hive.server2.webui.keystore.path:/opt/mapr/conf/ssl_keystore
Alternate Value or Change Command: None
Notes: None
File or command: hive-site.xml
Description: Set this to true to use SSL encryption for HiveServer2 WebUI.
Default Secure Setting: hive.server2.webui.use.ssl:true
Alternate Value or Change Command: true
Notes: None
File or command: hive-site.xml
Description: SSL protocols that need to be disabled
Default Secure Setting: hive.ssl.protocol.blacklist:SSLv2,SSLv3
Alternate Value or Change Command: None
Notes: None

Security Settings for HTTPFS

File or command: httpfs-site.xml
Description: PAM authentication for HttpFS
Default Secure Setting:
  • httpfs.hadoop.authentication.type:multiauth
  • httpfs.authentication.type:multiauth
Alternate Value or Change Command: None
Notes: None
File or command: httpfs-site.xml
Description: User impersonation for HttpFS
Default Secure Setting:
  • httpfs.proxyuser.mapr.hosts:*
  • httpfs.proxyuser.mapr.groups:*
Alternate Value or Change Command: None
Notes: None

Security Settings for Hue

File or command: hue.ini
Description: Configure HTTPS for Hue UI
Default Secure Setting:
[desktop]
  ssl_certificate=${ssl_certificate}
  ssl_private_key=${ssl_private_key}
  ssl_password_script=${HUE_HOME}/bin/ssl_password_script.sh
Alternate Value or Change Command: true
Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true

cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure

HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; thee
  export mechanism=${mechanism:-"MAPR-SECURITY"}
  export security_enabled=${security_enabled:-"true"}
  export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
  export ssl_validate=${ssl_validate:-"true"}
  export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
  export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi

The password for the SSL private key is parsed from the /opt/mapr/conf/ssl-server.xml file with the ${HUE_HOME}/bin/ssl_password_script.sh script.

File or command: hue.ini
Description: Path to PEM truststore, and option to enable/disable certificate verification for SSL-encrypted connections to other services (RM, HS, NM, Spark HS, Oozie, Livy, HBase, Hive, Impala)
Default Secure Setting:
[desktop] 
  ssl_cacerts=${ssl_cacerts} 
  ssl_validate=${ssl_validate}    
Alternate Value or Change Command: true
Notes: Values are picked in the same way, as values for the previous parameter. Also, the installer overrides this property with value false by creating the following file:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/30installer

# Do not edit this file. It was generated automatically by MapR Installer.
# Disable certificate verification, as Installer allows to use node IPs instead of proper hostnames:
export ssl_cacerts=""
export ssl_validate="false"
File or command: hue.ini
Description: Configure Hue to use MapR-SASL for YARN (RM, NM, HS, Spark HS)
Default Secure Setting:
[hadoop]
  [[yarn_clusters]]
    [[[default]]]
      # ...
      # Change this if your YARN cluster is secured
      # security_enabled=${security_enabled}
      # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
      # mechanism=${mechanism}
      # In secure mode(HTTPS), if SSL certificates from Resource Manager's
      # Rest Server have to be verified against certificate authority
      # ssl_cert_ca_verify=false
Alternate Value or Change Command: true
Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
 
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; thee
  export mechanism=${mechanism:-"MAPR-SECURITY"}
  export security_enabled=${security_enabled:-"true"}
  export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
  export ssl_validate=${ssl_validate:-"true"}
  export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
  export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
File or command: hue.ini
Description: Configure Hue to use MapR-SASL for HttpFS
Default Secure Setting:
[hadoop]
  [[hdfs_clusters]]
    [[[default]]]
      ...
      # Change this if your HDFS cluster is secured
      security_enabled=${security_enabled}
      # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
      mechanism=${mechanism}
      # Enable mutual SSL authentication
      # mutual_ssl_auth=False
      # Certificate for SSL connection
      # ssl_cert=keys/cert.pem
      # Private key for SSL connection
      # ssl_key=keys/hue_private_keystore.pem
      # In secure mode (HTTPS), if SSL certificates from YARN Rest APIs
      # have to be verified against certificate authority
      ## ssl_cert_ca_verify=True
Alternate Value or Change Command: true
Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
 
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; thee
  export mechanism=${mechanism:-"MAPR-SECURITY"}
  export security_enabled=${security_enabled:-"true"}
  export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
  export ssl_validate=${ssl_validate:-"true"}
  export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
  export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
File or command: hue.ini
Description: Configure Hue to use MapR-SASL for Oozie
Default Secure Setting:
[liboozie] ... 
# Requires FQDN in oozie_url if enabled
security_enabled=${security_enabled} 
# Security mechanism of authentication: none/GSSAPI/MAPR-SECURITY 
mechanism=${mechanism}
Alternate Value or Change Command: true
Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
 
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; thee
  export mechanism=${mechanism:-"MAPR-SECURITY"}
  export security_enabled=${security_enabled:-"true"}
  export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
  export ssl_validate=${ssl_validate:-"true"}
  export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
  export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
File or command: hue.ini
Description: Configure Hue to use MapR-SASL for Livy
Default Secure Setting:
[spark] ... 
  # Whether Livy requires client to perform Kerberos authentication.
  security_enabled=${security_enabled} 
  # Security mechanism of authentication: none/GSSAPI/MAPR-SECURITY 
  mechanism=${mechanism}
Alternate Value or Change Command: true
Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
 
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; thee
  export mechanism=${mechanism:-"MAPR-SECURITY"}
  export security_enabled=${security_enabled:-"true"}
  export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
  export ssl_validate=${ssl_validate:-"true"}
  export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
  export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
File or command: hue.ini
Description: Configure Hue to use MapR-SASL for Hive
Default Secure Setting:
[beeswax] ... 
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
    mechanism=${mechanism}

  # For secure cluster:
 
  # Use SASL framework to establish connection to host.
    use_sasl=true
Alternate Value or Change Command: true
Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
 
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; thee
  export mechanism=${mechanism:-"MAPR-SECURITY"}
  export security_enabled=${security_enabled:-"true"}
  export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
  export ssl_validate=${ssl_validate:-"true"}
  export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
  export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
File or command: hue.ini
Description: Configure Hue to use MapR-SASL for HBase Thrift (Data Fabric DB)
Default Secure Setting:
[hbase] ... 
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
  mechanism=${mechanism}
Alternate Value or Change Command: true
Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
 
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; thee
  export mechanism=${mechanism:-"MAPR-SECURITY"}
  export security_enabled=${security_enabled:-"true"}
  export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
  export ssl_validate=${ssl_validate:-"true"}
  export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
  export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
File or command: hue.ini
Description: Configure Hue to use MapR-SASL for Drill
Default Secure Setting:
[librdbms]
  [[databases]]
    # ...
    [[[drill]]]
      # ...
      # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY.
      mechanism=${mechanism}
Alternate Value or Change Command: true
Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
 
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; thee
  export mechanism=${mechanism:-"MAPR-SECURITY"}
  export security_enabled=${security_enabled:-"true"}
  export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
  export ssl_validate=${ssl_validate:-"true"}
  export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
  export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
File or command: hue.ini
Description: PAM/LDAP authentication between Hue and Hive
Default Secure Setting:
[desktop]
  # ...
  # Default LDAP/PAM/.. username and password of the Hue user used for authentication with other services.
  # Inactive if password is empty.
  # e.g. LDAP pass-through authentication for HiveServer2 or Impala.
  # Apps can override them individually.
  auth_username=${MAPR_USER}
  auth_password=<user_password>
 ...

[beeswax]
  # ...
  # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
  mechanism=none
Alternate Value or Change Command: true
Notes: None
File or command: hue.ini
Description: PAM/LDAP authentication between Hue and Drill
Default Secure Setting:
[librdbms]
  [[databases]]
    # ...   
    [[[drill]]]
      # ... 
      # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY.
      mechanism=none
      # Username to authenticate with when connecting to the database.
      # Used with plain authentication (mechanism set to "none").
      user=<username>
      # Password matching the username to authenticate with when
      # connecting to the database.
      # Used with plain authentication (mechanism set to "none").
      password=<password>
      # Execute this script to produce the database password.
      # This will be used when password is required and `password` is not set.
      # password_script=
Alternate Value or Change Command: true
Notes: None
File or command: hue.ini
Description: User impersonation between Hue and YARN services (RM, NM, HS) + Spark HS
Default Secure Setting: Enabled by default
Alternate Value or Change Command: false
Notes: Hue always send requests to RM, NM, HS and SparkHS with the doAs=<impersonation_target> parameter
File or command: hue.ini
Description: User impersonation between Hue and HttpFS
Default Secure Setting: Enabled by default
Alternate Value or Change Command: false
Notes: Hue always send requests to HttpFS with the doAs=<impersonation_target> parameter
File or command: hue.ini
Description: User impersonation between Hue and Oozie
Default Secure Setting: Enabled by default
Alternate Value or Change Command: false
Notes: Hue always send requests to Oozie with the doAs=<impersonation_target> parameter
File or command: hue.ini
Description: User impersonation between Hue and Livy
Default Secure Setting: Enabled by default
Alternate Value or Change Command: false
Notes: Hue always send requests to Livy with the the proxyUser=<impersonation_target> option
File or command: hue.ini
Description: User impersonation between Hue and Hive
Default Secure Setting: true (enabled)
Alternate Value or Change Command: false
Notes: Hue automatically detects impersonation settings of Hive from hive-site.xml
File or command: hue.ini
Description: User impersonation between Hue and HBase Thrift (Data Fabric DB)
Default Secure Setting: false (disabled)
Alternate Value or Change Command: false
Notes: Hue automatically detects impersonation settings of Hive from hbase-site.xml
File or command: hue.ini
Description: User impersonation between Hue and Drill
Default Secure Setting:
[librdbms]
  [[databases]]
    # ...
    [[[drill]]]
      # ...
      # Available options:
      # "impersonation" to enable or disable outbound impersonation.
      # "principal" of Drill service. Used when Kerberos authentication is enabled.
      options='{"impersonation":true}
Alternate Value or Change Command: true
Notes: None
File or command: hue.ini
Description: Authenticating Hue users with LDAP credentials
Default Secure Setting: TDB
Alternate Value or Change Command: None
Notes: None
File or command: hue.ini
Description: Determines which authentication method to use: search and bind, or direct bind
Default Secure Setting: search_bind_authentication
Alternate Value or Change Command: None
Notes: When set to true, Hue performs an LDAP search using bind_dn and bind_password as provided in hue.ini. The search can be further limited by the search filter user_filter. When set to false, Hue performs a direct bind to LDAP using the credentials provided from one of these sources:
  • The UPN, formed by concatenating <shortname> (the user name provided on the Hue login page) and nt_domain (if nt_domain is specified)
  • The ldap_username_pattern (if nt_domain is not specified)
File or command: hue.ini
Description: The NT domain to connect. This parameter is only used with Active Directory.
Default Secure Setting: nt_domain
Alternate Value or Change Command: None
Notes: Used with the direct bind method of authentication. If nt_domain is specified, then ldap_username_pattern is ignored.
File or command: hue.ini
Description: Used to connect to directory services other than Active Directory.
Default Secure Setting: ldap_username_pattern
Alternate Value or Change Command: None
Notes: Used with the direct bind method of authentication. Usually takes the form cn=<username>,dc=example,dc=com
File or command: hue.ini
Description: The backend to use for authenticating users.
Default Secure Setting: backend
Alternate Value or Change Command: None
Notes: Set it to desktop.auth.backend.LdapBackend for Hue authentication.
File or command: hue.ini
Description: Configure Hue with HiveServer2 High Availability
Setting:
[beeswax]
  #Whether to use service discovery for llap.
  hive_discovery_llap = true
  #Is llap (hive server interactive) running in HA.
  hive_discovery_llap_ha = true
  #Whether to use service discovery for HiveServer2.
  hive_discovery_hs2 = true
[libzookeeper]
  #ZooKeeper ensemble; comma-separated list of host/port.
  ensemble=<host:port>:5181
Notes: None

Security Settings for Drill

File or command: drill-override.conf
Description: Determines if encryption on the server is enabled for negotiating privacy with the Drill client.
Default Secure Setting: drill.exec.security.user.encryption.sasl.enabled=false
Alternate Value or Change Command: true
Notes: None.
File or command: drill-override.conf
Description: Determines if the server is enabled for negotiating privacy with another Drillbit.
Default Secure Setting: drill.exec.security.bit.encryption.ssl.enabled=true
Alternate Value or Change Command: false
Notes: None.
File or command: drill-override.conf
Description: TLS/SSL versions allowed
Default Secure Setting: drill.exec.impersonation.ssl.protocol: TLSv1.2
Alternate Value or Change Command: Other versions are possible
Notes: None.
File or command: drill-override.conf
Description: Format of the keystore file
Default Secure Setting: javax.net.ssl.keyStoreType: JKS
Alternate Value or Change Command: jks, jceks, pkcs12
Notes: None.
File or command: drill-override.conf
Description: Location of the Java keystore file
Default Secure Setting: drill.exec.ssl.keyStorePath
Alternate Value or Change Command: ssl.server.keystore.location: /opt/mapr/conf/ssl_keystore
Notes: Using it from HPE Ezmeral Data Fabric Hadoop properties, leveraging it from drill-distrib.conf property drill.exec.ssl.useHadoopConfig: true
File or command: drill-override.conf
Description: Password to access the private key from the keystore file.
Default Secure Setting: drill.exec.ssl.keyStorePassword
Alternate Value or Change Command: ssl.server.keystore.password
Notes: Using it from HPE Ezmeral Data Fabric Hadoop properties, leveraging it from drill-distrib.conf property drill.exec.ssl.useHadoopConfig: true
File or command: drill-override.conf
Description: Format of the truststore file
Default Secure Setting: drill.exec.ssl.trustStoreType: JKS
Alternate Value or Change Command: jks, jceks, pkcs12
Notes: None
File or command: drill-override.conf
Description: Location of the Java keystore file containing the collection of CA certificates trusted by the Drill client.
Default Secure Setting: drill.exec.ssl.trustStorePath
Alternate Value or Change Command: ssl.server.truststore.location: /opt/mapr/conf/ssl_truststore
Notes: None
File or command: drill-override.conf
Description: Password to access the private key from the keystore file specified as the truststore
Default Secure Setting: drill.exec.ssl.trustStorePassword
Alternate Value or Change Command: ssl.server.truststore.password
Notes: None
File or command: drill-distrib.conf
Description: Changes the underlying implementation to the chosen value
Default Secure Setting: drill.exec.ssl.provider: JDK
Alternate Value or Change Command: OpenSSL/JDK
Notes: None
File or command: drill-distrib.conf
Description: Use HPE Ezmeral Data Fabric SSL trust and key store
Default Secure Setting: drill.exec.ssl.useHadoopConfig
Alternate Value or Change Command: true
Notes: None
File or command: drill-distrib.conf
Description: Drill Web UI HTTPS protocol for encryption
Default Secure Setting: drill.exec: { http.ssl_enabled: true, ssl.useHadoopConfig: true }
Alternate Value or Change Command: Default from Drill 1.13
Notes: None
File or command: drill-distrib.conf
Description: Zookeeper znode ACL for Drill cluster info and query info
Default Secure Setting: zk.apply_secure_acl: true
Alternate Value or Change Command: false
Notes: Set by default on HPE Ezmeral Data Fabric Secure cluster with installer in drill-distrib.conf. drill.exec.zk.apply_secure_acl: true
File or command: drill-distrib.conf
Description: Drill user impersonation, needed for Data Fabric DB to work properly with CF access
Default Secure Setting: drill.exec.impersonation.enabled: true
Alternate Value or Change Command: false
Notes: Set by default on HPE Ezmeral Data Fabric Secure cluster with installer in drill-distrib.conf. drill.exec.impersonation.enabled: true, also see impersonation inbound policies for information on setting which users can impersonate others.
File or command: drill-override.conf
Description: Drill user impersonation, maximum number of hops - when one user creates a view on data and shares with other, how many hops are allowed
Default Secure Setting: drill.exec.impersonation.max_chained_user_hops: 3
Alternate Value or Change Command: Other numeric values
Notes: Set by default on HPE Ezmeral Data Fabric Secure cluster with installer in drill-distrib.conf.
File or command: drill-override.conf
Description: Authentication mechanisms
Default Secure Setting: drill.exec.security.auth.mechanisms: ["MAPRSASL", "PLAIN"]
Alternate Value or Change Command: KERBEROS
Notes: Set by default on HPE Ezmeral Data Fabric Secure cluster with installer in drill-distrib.conf.
File or command: drill-override.conf
Description: End user encryption mechanism
Default Secure Setting: drill.exec.security.user.encryption.sasl.enabled: true
Alternate Value or Change Command: Can set drill.exec.security.user.encryption.ssl.enabled: true
Notes: Set by default on HPE Ezmeral Data Fabric Secure cluster with installer in drill-distrib.conf.

To use SSL, set drill.exec.security.user.encryption.ssl.enabled: true.

To use PLAIN (user/pass) authentication, SASL encryption cannot be set to true. You have to set SSL encryption to use PLAIN authentication. You can also use HPE Ezmeral Data Fabric tickets (SASL) with SSL encryption, but only with SSL encryption for both.

Security Settings for Spark

File or command: spark-defaults.conf
Description: SSL option for file download client (used to download jars and files from HTTPS-enabled servers).
Default Secure Setting: spark.ssl.fs.enabled true
Alternate Value or Change Command: https://spark.apache.org/docs/2.3.1/security.html
Notes: None
File or command: spark-defaults.conf
Description: The password to the private key in the key store.
Default Secure Setting: spark.ssl.keyPassword <ssl-keystore-password>
Alternate Value or Change Command: None
Notes: None
File or command: spark-defaults.conf
Description: Path to the key store file. The path can be absolute or relative to the directory in which the process is started.
Default Secure Setting: · spark.ssl.keyStore /opt/mapr/conf/ssl_keystore
Alternate Value or Change Command: None
Notes: None
File or command: spark-defaults.conf
Description: Password to the key store.
Default Secure Setting: · spark.ssl.keyStorePassword <ssl-keystore-password>
Alternate Value or Change Command: None
Notes: None
File or command: spark-defaults.conf
Description: Path to the trust store file. The path can be absolute or relative to the directory in which the process is started.
Default Secure Setting: · spark.ssl.trustStore /opt/mapr/conf/ssl_truststore
Alternate Value or Change Command: None
Notes: None
File or command: spark-defaults.conf
Description: Password for the trust store.
Default Secure Setting: · spark.ssl.trustStorePassword <ssl-truststore-password>
Alternate Value or Change Command: None
Notes: None
File or command: spark-defaults.conf
Description: The TLS protocol to use. The protocol must be supported by the JVM.
Default Secure Setting: · spark.ssl.protocol TLSv1.2
Alternate Value or Change Command: None
Notes: None
File or command: spark-defaults.conf
Description: Configure encryption for the Spark HTTP file and broadcast servers
Default Secure Setting: spark.ssl.enabledAlgorithms TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
Alternate Value or Change Command: None
Notes: None

Security Settings for Livy

File or command: livy.conf
Description: MapR-SASL authentication
Default Secure Setting: livy.server.auth.type = multiauth
Alternate Value or Change Command: true
Notes: None
File or command: livy.conf
Description: User impersonation with Livy
Default Secure Setting:

livy.impersonation.enabled = true

livy.superusers = <MAPR_USER>
Alternate Value or Change Command: true
Notes: None
File or command: livy.conf
Description: HTTPS
Default Secure Setting:
livy.keystore
livy.keystore.password
livy.key-password
Alternate Value or Change Command: true
Notes: Values automatically filled on runtime using com.mapr.web.security.WebSecurityManager

Security Settings for Tez

File or command: /opt/mapr/tez/tez-0.8/tomcat/apache-tomcat-9.0.1/conf/server.xml
Description: SSL Config for Tez
Default Secure Setting: <Connector port="9444" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keyAlias="edl-dev-r01-tezui" keystoreFile="/opt/mapr/tez/tez-0.8/tomcat/apache-tomcat-9.0.1/conf/bdx1xxx0125.xxxxx.com.jks" keystorePass="xxxxxxxxxx" keystoreType="JKS" clientAuth="false" sslProtocol="TLS" /> <!-- Define an AJP 1.3 Connector on port 8009 --> <Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />
Alternate Value or Change Command: None
Notes: Tez UI redirectPort value changed to 9444 (default value 8443 conflicts with the Control System)
File or command: /opt/mapr/elasticsearch/elasticsearch-5.4.1/usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_internal_users.yml
Description: Kibana and ElasticSearch login account and password file
Default Secure Setting: admin:hash: <$2a$12$6ASxMQEBKYPyGUc10RyleOhz3c8RrvPGb7oqLC9xGGwPxJFwOLJtq>
Alternate Value or Change Command: https://docs.datafabric.hpe.com/home/AdministratorGuide/Changing_Password_for_ES_Kibana.html
Notes: None
File or command: /opt/mapr/conf/ssl_truststore* and /opt/mapr/conf/ssl_keystore*
Description: SSL Keys
Default Secure Setting: Created at install, should rarely change, used by all web and REST HTTPS interfaces.
Alternate Value or Change Command: Add site specific certificates with keytool utiliity
Notes: None

Security Settings for Grafana

File or command: /opt/mapr/grafana/grafana-version/etc/grafana/grafana.ini
Description: Certificate File
Default Secure Setting: /opt/mapr/grafana/grafana-4.6.1/etc/grafana/cert.pem
Alternate Value or Change Command: None
Notes: None
File or command: /opt/mapr/grafana/grafana-version/etc/grafana/grafana.ini
Description: Certificate Key
Default Secure Setting: /opt/mapr/grafana/grafana-4.6.1/etc/grafana/key.pem
Alternate Value or Change Command: None
Notes: None