Using the Enable Secure Cluster Option

You use the Enable Secure Cluster option to control whether or not the cluster is configured as a secure cluster.

This option appears on the Version & Services page of the web-based Installer.

IMPORTANT
Deselecting the Enable Secure Cluster option is not supported for releases 7.0.0 and later. In releases 7.0.0 and later, security is enforced by default, and nonsecure clusters are not supported.

About the Enable Secure Cluster Option

Using this option controls platform and ecosystem security in a cluster. When you select the option, the Installer runs the configure.sh script on the primary container location database (CLDB) to generate security keys and then distributes the keys to all the other CLDBs. The installer also distributes certificates to all the other nodes and activates security for the ecosystem components that support security.

Certain ecosystem components either do not support security or cannot be secured by the Installer. If you enable security, you will not be allowed to select services such as Impala or Sentry.

Beginning with Release 6.1, data-on-wire encryption is enabled by default for newly created volumes when the Enable Secure Cluster option is selected. Data-on-wire encryption encrypts data in a volume during transmission over the wire. In a secure cluster, you can enable or disable data-on-wire encryption for individual volumes using the Control System, the maprcli, or the REST API commands.

Using the Option With New and Already Installed Clusters

You can select or deselect the Enable Secure Cluster option during a new installation or during an Incremental Install.
  • For new installations:
    • The option is selected by default, meaning that new installations are configured with security unless you deselect the option.
    • Deselecting the option causes the cluster to be installed as a nonsecure cluster.
  • For clusters that are already installed with EEP 4.0.0 or later:
    • You can select or deselect the option during an Incremental Install:
      • If security is not currently configured and you select the option, the cluster will be configured with security.
      • If security is already configured, you can remove security by deselecting the option.
        NOTE
        If Drill is installed, be sure to review the limitations described in Securing Drill before removing security. Additional steps must be taken so that Drill in a nonsecured cluster can access all Drill znodes.

Using the Option During an Incremental Install

Normally, Incremental Install operations are conducted online. However, selecting or deselecting the Enable Secure Cluster option during an Incremental Install requires the Installer to stop the Warden and Zookeeper services, bringing the cluster offline temporarily.

NOTE
See Enabling Security on a Configured Cluster to enable security for non-secure clusters.

In some instances, the Enable Secure Cluster option is unavailable. For example, you cannot select this option during an upgrade of a non-secure Release 5.x cluster to Release 6.0 or later. You must complete the upgrade to Release 6.0 or later first and then use the Incremental Install function to enable security.