Configuring YARN with Kerberos

Lists the process to use YARN with Kerberos.

Make sure that the following tasks are already completed, as directed in earlier sections of this guide:

Enabling Wire-level Security by running configure.sh with the security options.
Configuring Kerberos by creating a Kerberos principle and keytab file.

NOTE

To enable YARN REST SPNEGO, see Configuring SPNEGO on Data Fabric.

Now complete the following tasks.

Configure the yarn-site.xml File

Add the following properties to the yarn-site.xml file on every node in the cluster.

/opt/mapr/hadoop/hadoop-<version>/etc/hadoop/yarn-site.xml

NOTE

You need to use /opt/mapr/conf/mapr.keytab for the keytab property, and mapr instead of yarn for the principal property.

<!-- ResourceManager security configs -->
<property>
 <name>yarn.resourcemanager.keytab</name>
 <value>/opt/mapr/conf/mapr.keytab</value>    <!-- path to the YARN keytab -->
 
</property>
<property>
 <name>yarn.resourcemanager.principal</name>
 <value>mapr/clustername@YOUR-REALM.COM</value>
</property>
 
<!-- NodeManager security configs -->
<property>
 <name>yarn.nodemanager.keytab</name>
<value>/opt/mapr/conf/mapr.keytab</value>    <!-- path to the YARN keytab -->
 
</property>
<property>
 <name>yarn.nodemanager.principal</name>
 <value>mapr/clustername@YOUR-REALM.COM</value>
</property>
<property>
 <name>yarn.nodemanager.container-executor.class</name>
 <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<property>
 <name>yarn.nodemanager.linux-container-executor.group</name>
 <value>mapr</value>
</property>

Configure the mapred-site.xml File

Add the following properties to the mapred-site.xml file on every node in the cluster.

/opt/mapr/hadoop/hadoop-2.7.0/etc/hadoop/mapred-site.xml

Note that you need to use /opt/mapr/conf/mapr.keytab for the keytab property and mapr instead of yarn for the principal property.

<!-- MapReduce Job History Server security configs -->
<property>
  <name>mapreduce.jobhistory.address</name>
  <value>host:port</value> <!-- Host and port of the MapReduce Job History Server; default port is 10020  -->
</property>
<property>
  <name>mapreduce.jobhistory.keytab</name>
  <value>/opt/mapr/conf/mapr.keytab</value><!-- path to the YARN keytab -->          
</property>
<property>
  <name>mapreduce.jobhistory.principal</name>
  <value>mapr/clustername@YOUR-REALM.COM</value>
</property>

Modifying the env_override.sh File

Either the /opt/mapr/conf/env.sh file or the /opt/mapr/conf/env_override.sh file contains a setting for HPE Ezmeral Data Fabric login option that defaults to the value maprsasl. Change this value to hybrid, which includes Kerberos and other security protocols. For more information about the env_override.sh file, see About env_override.sh.

The new line (after the change) should be as follows:

MAPR_LOGIN_OPTS="-Dhadoop.login=hybrid ${MAPR_JAAS_CONFIG_OPTS} ${MAPR_ZOOKEEPER_OPTS}"

Restart ResourceManager, NodeManager, and JobHistoryServer

Restart the NodeManager, ResourceManager, and JobHistoryServer services, using either the maprcli node services command (with the name option) or the Control System. After restarting the services, make sure you can run simple Hadoop jobs by running:

hadoop jar /opt/mapr/hadoop/hadoop-<version>/share/hadoop/mapreduce/hadoop-mapreduce-examples-<version>.jar pi

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0