General Security for Ecosystem Components
Ecosystem components in HPE Ezmeral Data Fabric use the Java Authentication and Authorization Service (JAAS) for security configuration.
/opt/mapr/conf/mapr.login.conf
file-defines JAAS configurationsMAPR_ECOSYSTEM_LOGIN_OPTS
environment variable in the/opt/mapr/conf/env.sh
file-specifies the JAAS configuration used by installed Ecosystem components
NOTE
See the Ecosystem Guide for
component-specific security configuration information. When security is enabled, the
value of the MAPR_ECOSYSTEM_LOGIN_OPTS
is modified to include the
hybrid
JVM option for hadoop.login
. This is
equivalent to setting the -Dhadoop.login=hybrid
flag at the command
line. This setting specifies a mixed security environment using Kerberos and MapR
tickets.
The mapr.login.conf
file has two stanzas for hybrid security:
/**
* authenticate using hybrid of kerberos and MapR
* maprticket must already exist on filesystem as MapR login module
* cannot get kerberos identity from subject for implicit login.
*/
hadoop_hybrid {
org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
useTicketCache=true
renewTGT=true
doNotPrompt=true;
com.mapr.security.maprsasl.MaprSecurityLoginModule required
checkUGI=false;
org.apache.hadoop.security.login.GenericOSLoginModule required;
org.apache.hadoop.security.login.HadoopLoginModule required
principalPriority=com.mapr.security.MapRPrincipal;
};
hadoop_hybrid_keytab {
org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
refreshKrb5Config=true
doNotPrompt=true
useKeyTab=true
storeKey=true;
com.mapr.security.maprsasl.MaprSecurityLoginModule required
checkUGI=false
useServerKey=true;
org.apache.hadoop.security.login.GenericOSLoginModule required;
org.apache.hadoop.security.login.HadoopLoginModule required
principalPriority=com.mapr.security.MapRPrincipal;
};