Configuring Secure Clusters for Running Commands Remotely

Describes how to configure secure clusters to access them all from a single cluster and run commands remotely on them.

About this task

You can configure a number of secure clusters to access them all from one cluster. You need not log into each secure cluster separately and run maprcli commands locally on them.

For example, suppose you need to manage two secure clusters, clusterA and clusterB. One method is to log into each cluster separately and run commands locally on each. However, it is possible to log into clusterA only and manage both clusters from clusterA, running commands locally for clusterA and remotely for clusterB. When you type the maprcli commands, you must use the -cluster parameter in those commands to specify the cluster on which you want the commands to run.

You can configure the secure clusters for remote access manually (as described in the following section) or automatically by running the configure-crosscluster.sh utility. If you run the configure-crosscluster.sh utility, the utility configures the clusters for running commands remotely in both directions. See configure-crosscluster.sh for more information.

Prerequisite

About this task

Ensure that you have the relevant ports open for secure cluster communication.

Setting Up Secure Clusters Manually for Cross-Cluster Access

About this task

To manually configure two secure clusters for remote access:

Procedure

  1. Log in to the secure cluster from which you want to run commands.
    In the rest of this procedure, this cluster is referred to as clusterA and the remote cluster is referred to as clusterB.
  2. Configure clusterA for communicating with the other clusters by editing the mapr-clusters.conf file on each node of clusterA to specify the hostname or IP address of the CLDB nodes on the other clusters.
    For example, suppose:
    • clusterA’s /opt/mapr/conf/mapr-clusters.conf file contains the following:
      clusterA.cluster.com secure=true perfnode50.lab:7222
    • clusterB’s /opt/mapr/conf/mapr-clusters.conf file contains the following:
      clusterB.cluster.com secure=true perfnode100.lab:7222

    Perform the following steps to configure the nodes on the clusters:

    1. On any node in clusterA, append the first entry from clusterB’s mapr-clusters.conf file (the entry prefixed with the cluster name) to the end of clusterA’s mapr-clusters.conf file.
      Note that clusterA’s entry must be the first line of the mapr-clusters.conf file:
      clusterA.cluster.com secure=true perfnode50.lab:7222
      clusterB.cluster.com secure=true perfnode100.lab:7222
      clusterA’s mapr-clusters.conf file now contains two entries.
    2. Copy the updated /opt/mapr/conf/mapr-clusters.conf file to all the other nodes in clusterA.
    3. On any node in clusterB, append the first entry from clusterA’s mapr-clusters.conf file (the entry prefixed with the cluster name) to the end of clusterB’s mapr-clusters.conf file.
      Note that clusterB’s entry must be the first line of the mapr-clusters.conf file:
      clusterB.cluster.com secure=true perfnode100.lab:7222
      clusterA.cluster.com secure=true perfnode50.lab:7222
      clusterB’s mapr-clusters.conf file now contains two entries.
    4. Copy the updated /opt/mapr/conf/mapr-clusters.conf file to all the nodes in clusterB.
  3. Perform the following steps on clusterA to ensure that the ssl_truststore file has signers for all the clusters:
    1. Copy the ssl_truststore from the /opt/mapr/conf directory of clusterB into a temporary directory on clusterA.
      For example:
      # scp mapr@<remote-ip>:/opt/mapr/conf/ssl_truststore /tmp/clusterB_ssl_truststore
    2. Merge the ssl_truststore of clusterB with the ssl_truststore of clusterA using the /opt/mapr/server/manageSSLKeys.sh utility.
      For example, if you copied the ssl_truststore file of clusterB as /tmp/clusterB_ssl_truststore, run the following command to merge the files:
      /opt/mapr/server/manageSSLKeys.sh merge /tmp/clusterB_ssl_truststore /opt/mapr/conf/ssl_truststore
    3. Copy the merged ssl_truststore file to every node on clusterA.
  4. Perform the following steps on clusterB only if you want to set up access to clusterA from clusterB:
    1. Copy the ssl_truststore from the /opt/mapr/conf directory of clusterA into a temporary directory on clusterB.
      For example:
      # scp mapr@<remote-ip>:/opt/mapr/conf/ssl_truststore /tmp/clusterA_ssl_truststore
    2. Merge the ssl_truststore of clusterB with the ssl_truststore of clusterA using the /opt/mapr/server/manageSSLKeys.sh utility.
      For example, if you copied the ssl_truststore file of clusterA as /tmp/clusterA_ssl_truststore, run the following command to merge the files:
      /opt/mapr/server/manageSSLKeys.sh merge /tmp/clusterA_ssl_truststore /opt/mapr/conf/ssl_truststore
    3. Copy the merged ssl_truststore file to every node on clusterB.
  5. For cross-cluster access to work through the Control System, place the mapruserticket of the remote cluster into the local cluster.
    1. Generate a mapruserticket for the remote cluster as the mapr user:
      maprlogin password -cluster demo
      [Password for user 'mapr' at cluster 'demo': ]
      MapR credentials of user 'mapr' for cluster 'demo' are written to '/tmp/maprticket_5000'
    2. Merge the generated maprticket:
      cat /tmp/maprticket_5000 >>/opt/mapr/conf/mapruserticket
  6. Verify access by running remote commands from clusterA.
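
A check for the mapr-clusters.conf edits in step 2, added here as an example; it is not part of the MapR documentation or tooling. The function name check_clusters_conf and the sample file are constructed, and the line layout (cluster name, key=value options, then CLDB nodes) is assumed from the entries shown in step 2.

```shell
#!/bin/sh
# Added example: check a mapr-clusters.conf after the manual edits in step 2.
# Assumed layout (from the entries above): <cluster> [key=value ...] <cldb-host[:port]> ...

# check_clusters_conf FILE LOCAL_CLUSTER REMOTE_CLUSTER
# Prints one line per problem; returns 0 only when none are found.
check_clusters_conf() {
    conf=$1 local_name=$2 remote_name=$3
    [ -r "$conf" ] || { echo "PROBLEM: cannot read $conf"; return 2; }
    awk -v loc="$local_name" -v rem="$remote_name" '
        function bad(msg) { print "PROBLEM: " msg; errors++ }
        NF == 0 { next }                          # skip blank lines
        {
            n++; name = $1; seen[name]++
            # The local cluster must be the first entry in its own file.
            if (n == 1 && name != loc)
                bad("first entry is " name ", expected local cluster " loc)
            secure = 0; cldb = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "secure=true") secure = 1
                else if ($i !~ /=/) cldb++        # non-option token = CLDB node
            }
            if (!secure) bad(name ": secure=true is missing")
            if (!cldb)   bad(name ": no CLDB node listed")
        }
        END {
            if (!(rem in seen)) bad("no entry for remote cluster " rem)
            for (c in seen)
                if (seen[c] > 1) bad(c ": listed " seen[c] " times")
            exit (errors ? 1 : 0)
        }
    ' "$conf"
}

# Constructed sample: clusterA's file as it should look after step 2.1.
sample=$(mktemp)
printf '%s\n' \
    'clusterA.cluster.com secure=true perfnode50.lab:7222' \
    'clusterB.cluster.com secure=true perfnode100.lab:7222' > "$sample"
check_clusters_conf "$sample" clusterA.cluster.com clusterB.cluster.com \
    && echo "OK: local entry first, remote entry present, both secure"
rm -f "$sample"
```

Run the function on one node of each cluster, passing that cluster's own name as the local cluster, before copying the file to the remaining nodes.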

Verifying Access to Run Remote Commands

Procedure

  1. Log in to any node on clusterA and run the maprlogin utility from clusterA to obtain a user ticket for accessing the remote cluster.
    For example, to obtain tickets for managing the remote cluster from clusterA, run the following command:
    # /opt/mapr/bin/maprlogin password -cluster clusterB.cluster.com
  2. Verify access by running remote commands from clusterA.
    For example, the following command, executed from a node in clusterA, lists the volumes on clusterB:
    # /opt/mapr/bin/maprcli volume list -cluster clusterB.cluster.com