Configuring YARN with Kerberos
Lists the process to use YARN with Kerberos.
-
Enabling Wire-level Security by running
configure.sh
with the security options. - Configuring Kerberos by creating a Kerberos principle and keytab file.
Now complete the following tasks.
Configure the yarn-site.xml File
Add the following properties to the yarn-site.xml
file on every node in
the cluster.
/opt/mapr/hadoop/hadoop-<version>/etc/hadoop/yarn-site.xml
/opt/mapr/conf/mapr.keytab
for the
keytab
property, and mapr
instead of
yarn
for the principal
property.<!-- ResourceManager security configs -->
<property>
<name>yarn.resourcemanager.keytab</name>
<value>/opt/mapr/conf/mapr.keytab</value> <!-- path to the YARN keytab -->
</property>
<property>
<name>yarn.resourcemanager.principal</name>
<value>mapr/clustername@YOUR-REALM.COM</value>
</property>
<!-- NodeManager security configs -->
<property>
<name>yarn.nodemanager.keytab</name>
<value>/opt/mapr/conf/mapr.keytab</value> <!-- path to the YARN keytab -->
</property>
<property>
<name>yarn.nodemanager.principal</name>
<value>mapr/clustername@YOUR-REALM.COM</value>
</property>
<property>
<name>yarn.nodemanager.container-executor.class</name>
<value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<property>
<name>yarn.nodemanager.linux-container-executor.group</name>
<value>mapr</value>
</property>
Configure the mapred-site.xml File
Add the following properties to the mapred-site.xml
file on every node in
the cluster.
/opt/mapr/hadoop/hadoop-2.7.0/etc/hadoop/mapred-site.xml
Note that you need to use /opt/mapr/conf/mapr.keytab
for the
keytab
property and mapr
instead of
yarn
for the principal
property.
<!-- MapReduce Job History Server security configs -->
<property>
<name>mapreduce.jobhistory.address</name>
<value>host:port</value> <!-- Host and port of the MapReduce Job History Server; default port is 10020 -->
</property>
<property>
<name>mapreduce.jobhistory.keytab</name>
<value>/opt/mapr/conf/mapr.keytab</value><!-- path to the YARN keytab -->
</property>
<property>
<name>mapreduce.jobhistory.principal</name>
<value>mapr/clustername@YOUR-REALM.COM</value>
</property>
Modifying the env_override.sh File
Either the /opt/mapr/conf/env.sh
file or the
/opt/mapr/conf/env_override.sh
file contains a setting for HPE Ezmeral Data Fabric
login option that defaults to the value maprsasl
. Change this value to
hybrid
, which includes Kerberos and other security protocols. For more
information about the env_override.sh
file, see About env_override.sh.
The new line (after the change) should be as follows:
MAPR_LOGIN_OPTS="-Dhadoop.login=hybrid ${MAPR_JAAS_CONFIG_OPTS} ${MAPR_ZOOKEEPER_OPTS}"
Restart ResourceManager, NodeManager, and JobHistoryServer
maprcli node services
command (with the name
option) or
the Control System. After restarting the services, make sure you can run simple Hadoop jobs by
running:hadoop jar /opt/mapr/hadoop/hadoop-<version>/share/hadoop/mapreduce/hadoop-mapreduce-examples-<version>.jar pi