Lists the security settings for all HPE Ezmeral Data Fabric ecosystem components.
The security settings for the various ecosystem components are as follows:
Security Settings for Hadoop/Yarn
- File or command:
core-default.xml
- Description: Authentication used for the HTTP web-consoles
- Default Secure Setting:
hadoop.http.authentication.type:org.apache.hadoop.security.authentication.server.MultiMechsAuthenticationHandler
- Alternate Value or Change Command: simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME#
- Notes: None
- File or command:
core-default.xml
- Description: Custom principal of the service
- Default Secure Setting:
hadoop.security.custom.auth.principal.class:com.mapr.security.MapRPrincipal
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: LDAP Configuration
- Default Secure Setting:
hadoop.security.group.mapping.ldap.search.filter.user:(&(objectClass=user)(sAMAccountName={0}))
- Alternate Value or Change Command: None
- Notes: An additional filter to use when searching for LDAP users. The default filter is usually appropriate for Active Directory installations. If connecting to an LDAP server with a non-AD schema, replace the default filter with (&(objectClass=inetOrgPerson)(uid={0})). {0} is a placeholder that marks where the user name is substituted into the filter. If the LDAP server supports posixGroups, Hadoop enables posix-style lookups when the user filter names the posixAccount object class (for example (&(objectClass=posixAccount)(uid={0}))) and the hadoop.security.group.mapping.ldap.search.filter.group property names the posixGroup object class.
- File or command:
core-default.xml & core-site.xml
- Description: Client authentication types
- Default Secure Setting:
hadoop.security.authentication: CUSTOM
- Alternate Value or Change Command: None
- Notes: None.
- File or command:
core-default.xml & core-site.xml
- Description: Java class that handles HTTP auth secret
- Default Secure Setting:
hadoop.http.authentication.signature.secret:com.mapr.security.maprauth.MaprSignatureSecretFactory
- Alternate Value or Change Command: None
- Notes: None.
- File or command:
core-default.xml & core-site.xml
- Description: Group authentication cache duration
- Default Secure Setting:
hadoop.security.groups.cache.secs:300
- Alternate Value or Change Command: None
- Notes: None.
- File or command:
core-default.xml & core-site.xml
- Description: Name of the SignerSecretProvider class to use
- Default Secure Setting:
hadoop.http.authentication.signer.secret.provider:org.apache.hadoop.security.authentication.util.MapRSignerSecretProvider
- Alternate Value or Change Command: None
- Notes: None.
- File or command:
core-default.xml & core-site.xml
- Description: Service that manages the HPE Ezmeral Data Fabric ticket
- Default Secure Setting:
yarn.external.token.manager:com.mapr.hadoop.yarn.security.MapRTicketManager
- Alternate Value or Change Command: None
- Notes: None.
- File or command:
core-default.xml & core-site.xml
- Description: OS security random device file path
- Default Secure Setting:
hadoop.security.random.device.file.path:/dev/urandom
- Alternate Value or Change Command: None
- Notes: None.
- File or command:
core-default.xml & core-site.xml
- Description: Key to set if the registry is secure
- Default Secure Setting: hadoop.registry.secure:false
- Alternate Value or Change Command: true
- Notes: Turning it on changes the permissions policy from open access to restrictions based on Kerberos, with the option of a user adding one or more auth key pairs down their own tree.
- File or command:
core-default.xml & core-site.xml
- Description: Authentication class name
- Default Secure Setting:
hadoop.log.level.authenticator.class:com.mapr.security.maprauth.MaprAuthenticator
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Indicates if administrator ACLs are required to access instrumentation servlets (JMX, METRICS, CONF, STACKS)
- Default Secure Setting:
hadoop.security.instrumentation.requires.admin:false
- Alternate Value or Change Command: true
- Notes: With false, any user who can reach the web console can read the /jmx, /metrics, /conf and /stacks servlets; /conf exposes the daemon's effective configuration. Set to true to restrict them to the administrator ACL.
- File or command:
core-default.xml & core-site.xml
- Description: The keystores factory to use for retrieving certificates
- Default Secure Setting:
hadoop.ssl.keystores.factory.class:org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Comma-separated list of crypto codec implementations for
AES/CTR/NoPadding
- Default Secure Setting:
hadoop.security.crypto.codec.classes.aes.ctr.nopadding:org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec,org.apache.hadoop.crypto.JceAesCtrCryptoCodec
- Alternate Value or Change Command: None
- Notes: The first implementation is used, if available. Other implementations are fallbacks.
- File or command:
core-default.xml & core-site.xml
- Description: The attribute of the group object that identifies the users that
are members of the group.
- Default Secure Setting:
hadoop.security.group.mapping.ldap.search.attr.member:member
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Logs a warning message, if looking up a single user to group takes
longer than the specified number of milliseconds
- Default Secure Setting: hadoop.security.groups.cache.warn.after.ms:5000
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: The attribute applied to the LDAP Search Control properties to set
a maximum time limit when searching and waiting for a result
- Default Secure Setting:
hadoop.security.group.mapping.ldap.directory.search.timeout:10000
- Alternate Value or Change Command: The unit is milliseconds. Set to 0 if an infinite wait period is desired. Default is 10 seconds.
- Notes: None
- File or command:
core-site.xml
- Description: HPE Ezmeral Data Fabric service account ("mapr") impersonation
- Default Secure Setting:
hadoop.proxyuser.mapr.hosts:*
hadoop.proxyuser.mapr.groups:*
- Alternate Value or Change Command: None
- Notes: Set by default in the version 6.1 secure install. The wildcards let the mapr service account impersonate any user from any host; where the deployment permits, narrow hosts to the cluster nodes and groups to the groups that actually need impersonation.
- File or command:
yarn-site.xml
- Description: Defines the authentication used for the timeline server HTTP
endpoint.
- Default Secure Setting:
yarn.timeline-service.http-authentication.type:com.mapr.security.maprauth.MaprDelegationTokenAuthenticationHandler
- Alternate Value or Change Command: Supported values are: simple / kerberos / #AUTHENTICATION_HANDLER_CLASSNAME#. The upstream default is simple.
- Notes: None.
- File or command:
yarn-default.xml
- Description: The allowed pattern for UNIX user names enforced by the
Linux-container-executor when used in Nonsecure mode (use case for this is using
cgroups).
- Default Secure Setting:
yarn.nodemanager.linux-container-executor.nonsecure-mode.user-pattern:^[_.A-Za-z0-9][-@_.A-Za-z0-9]{0,255}?[$]?$
- Alternate Value or Change Command: None
- Notes: The default value is taken from /usr/sbin/adduser.
- File or command:
core-default.xml & core-site.xml
- Description: Indicates whether or not to use SSL when connecting to the LDAP
server.
- Default Secure Setting:
hadoop.security.group.mapping.ldap.ssl:false
- Alternate Value or Change Command: true
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: An additional filter to use when searching for LDAP groups
- Default Secure Setting:
hadoop.security.group.mapping.ldap.search.filter.group:(objectClass=group)
- Alternate Value or Change Command: None
- Notes: Change this filter when resolving groups against a non-Active Directory installation. See the description of hadoop.security.group.mapping.ldap.search.filter.user to enable posixGroups support.
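The two filter properties above are templates; how they become concrete queries, as an added example that is not part of this page or of Hadoop (Python, runnable as-is): the {0} placeholder is filled with the user name, and because Hadoop's LdapGroupsMapping hands the name to JNDI as a filter argument rather than concatenating it, the special characters of RFC 4515 are escaped, so a crafted user name cannot widen the search. The group query shapes (member=<user DN> for AD, memberUid/gidNumber for posixGroup), the posixAccount user filter and the sample names are assumptions made for the demo, modelled on Hadoop's behaviour rather than copied from it.

```python
"""Instantiate the LDAP user/group search filters listed above.

Added example for this page, not Hadoop code. The AD templates are the values
from the table; the posix templates, the group-query shapes and the sample
names are assumptions made for the demo.
"""
from typing import Dict

# Filter templates as listed in the table above (AD) and the assumed posix variant.
AD_USER_FILTER = "(&(objectClass=user)(sAMAccountName={0}))"
AD_GROUP_FILTER = "(objectClass=group)"
POSIX_USER_FILTER = "(&(objectClass=posixAccount)(uid={0}))"
POSIX_GROUP_FILTER = "(objectClass=posixGroup)"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES: Dict[str, str] = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the surrounding filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(template: str, username: str) -> str:
    """Fill the {0} placeholder of a ...ldap.search.filter.user template.
    Mirrors JNDI's filter-argument substitution: the name is escaped first."""
    return template.replace("{0}", escape_filter_value(username))


def group_search_filter(group_filter: str, member_attr: str, user_dn: str) -> str:
    """AD-style lookup: groups whose member attribute (the value of
    ...ldap.search.attr.member, default 'member') names the user's DN."""
    return f"(&{group_filter}({member_attr}={escape_filter_value(user_dn)}))"


def posix_group_search_filter(group_filter: str, uid: str, gid_number: str) -> str:
    """posixGroup lookup (assumed shape): match on memberUid or the user's primary gid."""
    return (f"(&{group_filter}(|(memberUid={escape_filter_value(uid)})"
            f"(gidNumber={escape_filter_value(gid_number)})))")


def is_posix_mode(user_filter: str, group_filter: str) -> bool:
    """Posix-style lookups apply when both object classes appear in the filters."""
    return "posixAccount" in user_filter and "posixGroup" in group_filter


if __name__ == "__main__":
    print(user_search_filter(AD_USER_FILTER, "jdoe"))
    # A name crafted to widen the search is neutralised by the escaping.
    print(user_search_filter(AD_USER_FILTER, "*)(objectClass=*"))
    print(group_search_filter(AD_GROUP_FILTER, "member", "CN=jdoe,OU=Users,DC=example,DC=com"))
    print(posix_group_search_filter(POSIX_GROUP_FILTER, "jdoe", "1001"))
    print("posix mode:", is_posix_mode(POSIX_USER_FILTER, POSIX_GROUP_FILTER))
```

Running it prints the instantiated filters; the second line shows a user name containing *, ) and ( rendered harmless as \2a, \29 and \28. When writing your own filters, keep {0} as the placeholder and never pre-substitute a user name into the property value, since that bypasses the escaping.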
- File or command:
core-default.xml & core-site.xml
- Description: Controls the validity of the entries in the cache containing the userId to userName and groupId to groupName mappings that are used by NativeIO getFstat().
- Default Secure Setting:
hadoop.security.uid.cache.secs:14400
- Alternate Value or Change Command: None
- Notes: None
- File or command:
yarn-default.xml
- Description: Determines which of the two modes LCE should use on a nonsecure
cluster.
- Default Secure Setting:
yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users:true
- Alternate Value or Change Command: false
- Notes: Set this value to true to launch all containers as the user specified in yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user. Set this value to false to run containers as the user who submitted the application.
- File or command:
yarn-default.xml
- Description: Disable insecure protocols
- Default Secure Setting:
hadoop.ssl.exclude.insecure.protocols:SSLv3,TLSv1,TLSV1.1
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Class for user to group mapping (get groups for a given user) for
ACL.
- Default Secure Setting:
hadoop.security.group.mapping:org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback
- Alternate Value or Change Command: None
- Notes: The default implementation org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback determines if the Java Native Interface (JNI) is available. If JNI is available, the implementation uses the API within Hadoop to resolve a list of groups for a user. If JNI is not available, then the shell implementation ShellBasedUnixGroupsMapping is used. This implementation shells out to the Linux/Unix environment with the bash -c groups command to resolve a list of groups for a user.
- File or command:
core-default.xml & core-site.xml
- Description: Class for the 'custom type of authentication' method
- Default Secure Setting:
hadoop.security.custom.rpc.auth.method.class:org.apache.hadoop.security.rpcauth.MaprAuthMethod
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: The attribute of the group object that identifies the group name
- Default Secure Setting:
hadoop.security.group.mapping.ldap.search.attr.group.name:cn
- Alternate Value or Change Command: None
- Notes: The default setting is usually appropriate for all LDAP systems.
- File or command:
core-default.xml & core-site.xml
- Description: The Java secure random algorithm.
- Default Secure Setting:
hadoop.security.java.secure.random.algorithm:SHA1PRNG
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Indicates whether service-level authorization is enabled
- Default Secure Setting:
hadoop.security.authorization:true
- Alternate Value or Change Command: false
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Expiration time for entries in the negative user-to-group mapping cache, in seconds
- Default Secure Setting:
hadoop.security.groups.negative-cache.secs:30
- Alternate Value or Change Command: None
- Notes: This setting is useful when invalid users retry frequently. Set a low
value for this expiration, since a transient error in group lookup could temporarily
lock out a legitimate user. Set this parameter to zero or a negative value, to disable
negative user-to-group caching.
- File or command:
yarn-default.xml
- Description: Linux-container-executor setting
- Default Secure Setting:
yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user:nobody
- Alternate Value or Change Command: None
- Notes: The UNIX user that containers run as when Linux-container-executor is used in Nonsecure mode (a use case for this is using cgroups) if yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users is set to true.
- File or command:
core-default.xml & core-site.xml
- Description: Cipher suite for crypto codec.
- Default Secure Setting:
hadoop.security.crypto.cipher.suite:AES/CTR/NoPadding
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Denotes the buffer size used by CryptoInputStream and CryptoOutputStream.
- Default Secure Setting:
hadoop.security.crypto.buffer.size:8192
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Path to the JAAS configuration file
- Default Secure Setting:
hadoop.security.java.security.login.config.jar.path:/mapr.login.conf
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Indicates if anonymous requests are allowed when using simple authentication.
- Default Secure Setting:
hadoop.http.authentication.simple.anonymous.allowed:true
- Alternate Value or Change Command: false
- Notes: None
- File or command:
yarn-default.xml
- Description: Indicates if anonymous requests are allowed by the timeline server when using simple authentication.
- Default Secure Setting:
yarn.timeline-service.http-authentication.simple.anonymous.allowed:true
- Alternate Value or Change Command: false
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Indicates how long (in seconds) an authentication token is valid
before it has to be renewed.
- Default Secure Setting:
hadoop.http.authentication.token.validity:36000
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: IPC client fallback.
- Default Secure Setting:
ipc.client.fallback-to-simple-auth-allowed:false
- Alternate Value or Change Command: true
- Notes: When a client is configured to attempt a secure connection, but attempts
to connect to an insecure server, that server may instruct the client to switch to SASL
SIMPLE (unsecure) authentication. This setting controls whether or not the client
accepts this instruction from the server. When false (the default), the client does not
allow the fallback to SIMPLE authentication, but aborts the connection.
- File or command:
yarn-default.xml
- Description: Initial duration of the data-fabric ticket
- Default Secure Setting:
yarn.mapr.ticket.expiration:604800000
- Alternate Value or Change Command: None
- Notes: The value is in milliseconds (604800000 ms = 7 days).
- File or command:
core-default.xml & core-site.xml
- Description: Protocols supported by SSL.
- Default Secure Setting:
hadoop.ssl.enabled.protocols:TLSv1.2
- Alternate Value or Change Command: None
- Notes: Comma-separated list of TLS protocol versions the Hadoop SSL layer will negotiate. Keep it consistent with hadoop.ssl.exclude.insecure.protocols, which lists the versions (SSLv3, TLSv1, TLSv1.1) that must stay disabled.
- File or command:
core-default.xml & core-site.xml
- Description: List of excluded ciphers
- Default Secure Setting:
hadoop.ssl.exclude.cipher.suites:SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Indicates whether client certificates are required
- Default Secure Setting:
hadoop.ssl.require.client.cert:false
- Alternate Value or Change Command: true
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: The hostname verifier to provide for HttpsURLConnections
- Default Secure Setting:
hadoop.ssl.hostname.verifier:DEFAULT
- Alternate Value or Change Command: Valid values are: DEFAULT, STRICT, STRICT_I6, DEFAULT_AND_LOCALHOST, and ALLOW_ALL
- Notes: ALLOW_ALL disables hostname verification entirely, so a certificate issued for any name is accepted; do not use it outside testing.
- File or command:
core-default.xml & core-site.xml
- Description: Resource file from which SSL client keystore information is
extracted
- Default Secure Setting:
hadoop.ssl.client.conf:ssl-client.xml
- Alternate Value or Change Command: None
- Notes: This file is looked up in the classpath, and is usually present in the Hadoop conf/ directory.
- File or command:
mapred-default.xml
- Description: Buffer size for reading spills from file when using SSL.
- Default Secure Setting:
mapreduce.shuffle.ssl.file.buffer.size:65536
- Alternate Value or Change Command: None
- Notes: None
- File or command:
core-default.xml & core-site.xml
- Description: Resource file from which SSL server keystore information is
extracted.
- Default Secure Setting:
hadoop.ssl.server.conf:ssl-server.xml
- Alternate Value or Change Command: None
- Notes: This file is looked up in the classpath, and is usually present in the Hadoop conf/ directory.
- File or command:
yarn-default.xml & yarn-site.xml
- Description: Configures the HTTP endpoint for Yarn daemons.
- Default Secure Setting:
yarn.http.policy:HTTP_ONLY
- Alternate Value or Change Command: The following values are supported:
- HTTP_ONLY: Service is provided only on HTTP
- HTTPS_ONLY: Service is provided only on HTTPS
- Notes: None.
- File or command:
core-default.xml & core-site.xml
- Description: Enables or disables SSL connections to S3.
- Default Secure Setting:
fs.s3a.connection.ssl.enabled:true
- Alternate Value or Change Command: false
- Notes: None.
- File or command:
mapred-default.xml
- Description: Indicates whether to use SSL for the Shuffle HTTP endpoints.
- Default Secure Setting:
mapreduce.shuffle.ssl.enabled:false
- Alternate Value or Change Command: true
- Notes: None.
Security Settings for Hive
- File or command:
hive-site.xml
- Description: Hive client authenticator manager class name
- Default Secure Setting:
hive.security.authenticator.manager:org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator
- Alternate Value or Change Command: None
- Notes: None.
- File or command:
hive-site.xml
- Description: Enables or disables Hive client authorization
- Default Secure Setting:
hive.security.authorization.enabled:true
- Alternate Value or Change Command: false
- Notes: None.
- File or command:
hive-site.xml
- Description: The Hive client authorization manager class name
- Default Secure Setting:
hive.security.authorization.manager:org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory
- Alternate Value or Change Command: None
- Notes: None.
- File or command:
hive-site.xml
- Description: List of comma separated Java regexes
- Default Secure Setting:
hive.security.authorization.sqlstd.confwhitelist:hive\.exec\.pre\.hooks
- Alternate Value or Change Command: None
- Notes: You can modify configurations parameters that match these regexes when
you enable SQL standard authorization.
- File or command:
hive-site.xml
- Description: Authorization DDL task factory implementation
- Default Secure Setting:
hive.security.authorization.task.factory:org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl
- Alternate Value or Change Command: None
- Notes: None
- File or command:
hive-site.xml
- Description: Comma-separated list of non-SQL Hive commands that users are
authorized to execute
- Default Secure Setting:
hive.security.command.whitelist:set,reset,dfs,add,list,delete,reload,compile
- Alternate Value or Change Command: None
- Notes: None
- File or command:
hive-site.xml
- Description: Authenticator manager class name to be used in the metastore for
authentication.
- Default Secure Setting:
hive.security.metastore.authenticator.manager:org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator
- Alternate Value or Change Command: None
- Notes: None
- File or command:
hive-site.xml
- Description: When set to true, the metastore authorizer authorizes read actions
on the database and table
- Default Secure Setting:
hive.security.metastore.authorization.auth.reads:true
- Alternate Value or Change Command: false
- Notes: None
- File or command:
hive-site.xml
- Description: Names of authorization manager classes (comma-separated) to be
used in the metastore for authorization.
- Default Secure Setting:
hive.security.metastore.authorization.manager:org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider
- Alternate Value or Change Command: None
- Notes: A user-defined authorization class should implement the interface org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider. All authorization manager classes have to successfully authorize the metastore API call for the command execution to be allowed.
- File or command:
hive-site.xml
- Description: If true, the HiveServer2 WebUI is secured with PAM
- Default Secure Setting:
hive.server2.webui.use.pam:true
- Alternate Value or Change Command: false
- Notes: None
- File or command:
hive-site.xml
- Description: Class for PAM authentication
- Default Secure Setting:
hive.server2.webui.pam.authenticator:org.apache.hive.http.security.PamAuthenticator
- Alternate Value or Change Command: None
- Notes: None
- File or command:
hive-site.xml
- Description: Determines whether StorageBasedAuthorizationProvider checks permission on the underlying storage before an external table is dropped (the check is always performed for managed tables)
- Default Secure Setting:
hive.metastore.authorization.storage.check.externaltable.drop:true
- Alternate Value or Change Command: false
- Notes: Disallow the drop of an external table if the user in question does not have permission to delete the corresponding directory on the storage
- File or command:
hive-site.xml
- Description: Determines whether the metastore performs authorization checks
against the underlying storage for operations such as drop-partition
- Default Secure Setting:
hive.metastore.authorization.storage.checks:false
- Alternate Value or Change Command: true
- Notes: Disallow the drop-partition if the user in question does not have
permissions to delete the corresponding directory on the storage
- File or command:
hive-site.xml
- Description: Client authentication types.
- Default Secure Setting:
hive.server2.authentication:PAM
- Alternate Value or Change Command:
- NONE: no authentication check – plain SASL transport
- LDAP: LDAP/AD based authentication
- KERBEROS: Kerberos/GSSAPI authentication
- CUSTOM: Custom authentication provider (use with property hive.server2.custom.authentication.class)
- PAM: Pluggable authentication module (added in Hive 0.13.0 with HIVE-6466)
- NOSASL: Raw transport (added in Hive 0.13.0)
- Notes: None
- File or command:
hive-site.xml
- Description: Use this property in LDAP search queries for finding LDAP group
names to which a user belongs
- Default Secure Setting:
hive.server2.authentication.ldap.groupClassKey:groupOfNames
- Alternate Value or Change Command: None
- Notes: Use this property to construct an LDAP group search query and to indicate the objectClass of a group. Every LDAP group has a certain objectClass, for example group, groupOfNames, or groupOfUniqueNames.
- File or command:
hive-site.xml
- Description: LDAP attribute name on the group object that contains the list of
distinguished names for the user, group, and contact objects that are members of the
group.
- Default Secure Setting:
hive.server2.authentication.ldap.groupMembershipKey:member
- Alternate Value or Change Command: None
- Notes: For example: member, uniqueMember, or memberUid. Use this property in LDAP search queries when finding LDAP group names to which a particular user belongs. The value of the LDAP attribute indicated by this property should be a full DN for the user, or the short username or userid. For example, a group entry for fooGroup containing member: uid=fooUser,ou=Users,dc=domain,dc=com helps determine that fooUser belongs to LDAP group fooGroup. See Group Membership for a detailed example. You can use this property to find the users if a custom-configured LDAP query returns a group instead of a user (as of Hive 2.1.1). For details, see Support for Groups in Custom LDAP Query.
- File or command:
hive-site.xml
- Description: This property indicates the prefix to use when building the bindDN for the LDAP connection (when using only baseDN).
- Default Secure Setting:
hive.server2.authentication.ldap.guidKey:uid
- Alternate Value or Change Command: None
- Notes: bindDN is <guidKey>=<user/group>,<baseDN>. If the configuration uses userDNPattern and/or groupDNPattern, the guidKey is not required. The guidKey is required only when the baseDN alone is being used.
- File or command:
hive-site.xml
- Description: When true, HiveServer2 in HTTP transport mode uses a cookie-based authentication mechanism.
- Default Secure Setting:
hive.server2.thrift.http.cookie.auth.enabled:true
- Alternate Value or Change Command: None
- Notes: None
- File or command:
hive-site.xml
- Description: Sasl QOP value; set it to one of the following values to enable
higher levels of protection for HiveServer2 communication with clients.
- Default Secure Setting:
hive.server2.thrift.sasl.qop:auth-conf
- Alternate Value or Change Command: One of:
- auth – authentication only (the upstream Hive default)
- auth-int – authentication plus integrity protection
- auth-conf – authentication plus integrity and confidentiality protection
- Notes: Setting hadoop.rpc.protection to a higher level than HiveServer2 does not make sense in most situations; HiveServer2 ignores hadoop.rpc.protection in favor of hive.server2.thrift.sasl.qop. This setting is applicable only if HiveServer2 is configured to use Kerberos authentication.
- File or command:
hive-site.xml
- Description: Applies test settings for HS2 (for example for SQL standard-based authorization verification in FallbackHiveAuthorizer or in SQLAuthorizationUtils).
- Default Secure Setting:
hive.test.authz.sstd.hs2.mode:false
- Alternate Value or Change Command: None
- Notes: None
- File or command:
hive-site.xml
- Description: Setting this property to true enables HiveServer2 to execute Hive operations as the user making the calls.
- Default Secure Setting:
hive.server2.enable.doAs:true
- Alternate Value or Change Command: false
- Notes: None
- File or command:
hive-site.xml
- Description: Indicates whether metastore should use SSL
- Default Secure Setting:
hive.metastore.use.SSL:false
- Alternate Value or Change Command: true
- Notes: None
- File or command:
hive-site.xml
- Description: SSL certificate keystore location.
- Default Secure Setting:
hive.server2.keystore.path:/opt/mapr/conf/ssl_keystore
- Alternate Value or Change Command: None
- Notes: None
- File or command:
hive-site.xml
- Description: Set this to true to use SSL encryption in HiveServer2.
- Default Secure Setting:
hive.server2.use.SSL:true
- Alternate Value or Change Command: false
- Notes: None
- File or command:
hive-site.xml
- Description: SSL certificate keystore location for HiveServer2 WebUI.
- Default Secure Setting:
hive.server2.webui.keystore.path:/opt/mapr/conf/ssl_keystore
- Alternate Value or Change Command: None
- Notes: None
- File or command:
hive-site.xml
- Description: Set this to true to use SSL encryption for the HiveServer2 WebUI.
- Default Secure Setting:
hive.server2.webui.use.ssl:true
- Alternate Value or Change Command: false
- Notes: None
- File or command:
hive-site.xml
- Description: SSL protocols that need to be disabled
- Default Secure Setting:
hive.ssl.protocol.blacklist:SSLv2,SSLv3
- Alternate Value or Change Command: None
- Notes: None
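A practitioner checking a cluster against the Hadoop/YARN and Hive tables above wants the comparison done by a script rather than by eye. The following is an added example, not HPE or Apache code: it parses a Hadoop-style *-site.xml, compares a subset of the properties listed on this page against their secure values, and reports any that are set to something weaker. The baseline is the "Default Secure Setting" column plus the protocol versions the page lists under hadoop.ssl.exclude.insecure.protocols and the ALLOW_ALL hostname verifier it lists as a valid value. The rule set, the Finding type and the sample XML are constructed for the demo; the sample deliberately weakens four settings.

```python
"""Audit Hadoop/YARN and Hive *-site.xml files against the settings listed above.

Added example for this page, not HPE or Apache code. RULES is a hand-picked
subset of the page's secure settings; SAMPLE_SITE_XML is constructed for the
demo and deliberately weakens four of them.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple, Union

Ref = Union[str, FrozenSet[str]]
# Rule kinds:
#   "equals"   value must equal the reference (compared case-insensitively)
#   "not_in"   value must not be one of the reference set
#   "excludes" no comma-separated token of the value may be in the reference set
RULES: Dict[str, Tuple[str, Ref]] = {
    "hadoop.security.authentication": ("equals", "CUSTOM"),
    "hadoop.security.authorization": ("equals", "true"),
    "ipc.client.fallback-to-simple-auth-allowed": ("equals", "false"),
    "hadoop.ssl.enabled.protocols": ("excludes", frozenset({"sslv2", "sslv3", "tlsv1", "tlsv1.1"})),
    "hadoop.ssl.hostname.verifier": ("not_in", frozenset({"allow_all"})),
    "hive.security.authorization.enabled": ("equals", "true"),
    "hive.server2.use.SSL": ("equals", "true"),
    "hive.server2.webui.use.ssl": ("equals", "true"),
    "hive.server2.thrift.sasl.qop": ("equals", "auth-conf"),
    "hive.server2.authentication": ("not_in", frozenset({"none", "nosasl"})),
}


@dataclass
class Finding:
    prop: str
    status: str            # "ok", "weak" or "unset"
    actual: Optional[str]
    reference: str


def _describe(kind: str, ref: Ref) -> str:
    if kind == "equals":
        return f"= {ref}"
    return ("none of " if kind == "excludes" else "not ") + ", ".join(sorted(ref))


def parse_site_xml(text: str) -> Dict[str, str]:
    """Return {name: value} for a Hadoop <configuration> document.
    A repeated <name> keeps the last <value>, as Hadoop's loader does."""
    props: Dict[str, str] = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(text: str) -> List[Finding]:
    """Compare one site file against RULES. A property absent from the file is
    reported as "unset": its effective value then comes from *-default.xml or
    another site file, so it needs checking there rather than a pass here."""
    findings: List[Finding] = []
    props = parse_site_xml(text)
    for prop, (kind, ref) in RULES.items():
        actual = props.get(prop)
        if actual is None:
            findings.append(Finding(prop, "unset", None, _describe(kind, ref)))
            continue
        low = actual.lower()
        if kind == "equals":
            ok = low == str(ref).lower()
        elif kind == "not_in":
            ok = low not in ref
        else:
            ok = not ({t.strip().lower() for t in actual.split(",")} & ref)
        findings.append(Finding(prop, "ok" if ok else "weak", actual, _describe(kind, ref)))
    return findings


def weak_properties(text: str) -> List[str]:
    """Sorted names of the properties whose value in this file weakens the baseline."""
    return sorted(f.prop for f in audit(text) if f.status == "weak")


# Constructed sample: a merged site file with four deliberately weak values.
SAMPLE_SITE_XML = """
<configuration>
  <property><name>hadoop.security.authentication</name><value>CUSTOM</value></property>
  <property><name>ipc.client.fallback-to-simple-auth-allowed</name><value>true</value></property>
  <property><name>hadoop.ssl.enabled.protocols</name><value>TLSv1.2,TLSv1</value></property>
  <property><name>hadoop.ssl.hostname.verifier</name><value>ALLOW_ALL</value></property>
  <property><name>hive.server2.authentication</name><value>PAM</value></property>
  <property><name>hive.server2.thrift.sasl.qop</name><value>auth-conf</value></property>
  <property><name>hive.server2.use.SSL</name><value>false</value></property>
  <property><name>hive.server2.webui.use.ssl</name><value>true</value></property>
</configuration>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SITE_XML):
        print(f"{f.status:5} {f.prop} = {f.actual!r} (expected {f.reference})")
```

Point it at the real core-site.xml, yarn-site.xml and hive-site.xml one at a time, and treat "unset" as a prompt to look at the corresponding *-default.xml. On a live node the effective value is what matters: Hadoop's own hdfs getconf -confKey <property> reports it for Hadoop properties, and SET <property> in a beeline session shows what HiveServer2 is using.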
Security Settings for HTTPFS
- File or command:
httpfs-site.xml
- Description: PAM authentication for HttpFS
- Default Secure Setting:
httpfs.hadoop.authentication.type:multiauth
httpfs.authentication.type:multiauth
- Alternate Value or Change Command: None
- Notes: None
- File or command:
httpfs-site.xml
- Description: User impersonation for HttpFS
- Default Secure Setting:
httpfs.proxyuser.mapr.hosts:*
httpfs.proxyuser.mapr.groups:*
- Alternate Value or Change Command: None
- Notes: None
Security Settings for Hue
- File or command:
hue.ini
- Description: Configure HTTPS for Hue UI
- Default Secure Setting:
[desktop]
ssl_certificate=${ssl_certificate}
ssl_private_key=${ssl_private_key}
ssl_password_script=${HUE_HOME}/bin/ssl_password_script.sh
- Alternate Value or Change Command: true
- Notes: Values are picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ "$(cat "$HUE_SECURE_FILE")" = "true" ] ; then
export mechanism=${mechanism:-"MAPR-SECURITY"}
export security_enabled=${security_enabled:-"true"}
export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
export ssl_validate=${ssl_validate:-"true"}
export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
The password for the SSL private key is parsed from the /opt/mapr/conf/ssl-server.xml file with the ${HUE_HOME}/bin/ssl_password_script.sh script.
- File or command:
hue.ini
- Description: Path to PEM truststore, and option to enable/disable certificate
verification for SSL-encrypted connections to other services (RM, HS, NM, Spark HS,
Oozie, Livy, HBase, Hive, Impala)
- Default Secure Setting:
[desktop]
ssl_cacerts=${ssl_cacerts}
ssl_validate=${ssl_validate}
- Alternate Value or Change Command: true
- Notes: Values are picked in the same way as the values for the previous parameter. Also, the installer overrides this property with the value false by creating the following file, which leaves Hue accepting any certificate presented by the services it connects to; re-enable verification once the nodes can be addressed by the hostnames in their certificates:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/30installer
# Do not edit this file. It was generated automatically by MapR Installer.
# Disable certificate verification, as Installer allows to use node IPs instead of proper hostnames:
export ssl_cacerts=""
export ssl_validate="false"
- File or command:
hue.ini
- Description: Configure Hue to use MapR-SASL for YARN (RM, NM, HS, Spark HS)
- Default Secure Setting:
[hadoop]
[[yarn_clusters]]
[[[default]]]
# ...
# Change this if your YARN cluster is secured
# security_enabled=${security_enabled}
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
# mechanism=${mechanism}
# In secure mode(HTTPS), if SSL certificates from Resource Manager's
# Rest Server have to be verified against certificate authority
# ssl_cert_ca_verify=false
- Alternate Value or Change Command: true
- Notes: Values are picked from the same files as for the HTTPS setting above (desktop/conf/.isSecure and desktop/conf/env.d/20secure).
- File or command:
hue.ini
- Description: Configure Hue to use MapR-SASL for HttpFS
- Default Secure Setting:
[hadoop]
[[hdfs_clusters]]
[[[default]]]
...
# Change this if your HDFS cluster is secured
security_enabled=${security_enabled}
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
mechanism=${mechanism}
# Enable mutual SSL authentication
# mutual_ssl_auth=False
# Certificate for SSL connection
# ssl_cert=keys/cert.pem
# Private key for SSL connection
# ssl_key=keys/hue_private_keystore.pem
# In secure mode (HTTPS), if SSL certificates from YARN Rest APIs
# have to be verified against certificate authority
## ssl_cert_ca_verify=True
- Alternate Value or Change Command: true
- Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; then
export mechanism=${mechanism:-"MAPR-SECURITY"}
export security_enabled=${security_enabled:-"true"}
export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
export ssl_validate=${ssl_validate:-"true"}
export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
- File or command:
hue.ini
- Description: Configure Hue to use MapR-SASL for Oozie
- Default Secure Setting:
[liboozie] ...
# Requires FQDN in oozie_url if enabled
security_enabled=${security_enabled}
# Security mechanism of authentication: none/GSSAPI/MAPR-SECURITY
mechanism=${mechanism}
- Alternate Value or Change Command: true
- Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; then
export mechanism=${mechanism:-"MAPR-SECURITY"}
export security_enabled=${security_enabled:-"true"}
export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
export ssl_validate=${ssl_validate:-"true"}
export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
- File or command:
hue.ini
- Description: Configure Hue to use MapR-SASL for Livy
- Default Secure Setting:
[spark] ...
# Whether Livy requires client to perform Kerberos authentication.
security_enabled=${security_enabled}
# Security mechanism of authentication: none/GSSAPI/MAPR-SECURITY
mechanism=${mechanism}
- Alternate Value or Change Command: true
- Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; then
export mechanism=${mechanism:-"MAPR-SECURITY"}
export security_enabled=${security_enabled:-"true"}
export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
export ssl_validate=${ssl_validate:-"true"}
export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
- File or command:
hue.ini
- Description: Configure Hue to use MapR-SASL for Hive
- Default Secure Setting:
[beeswax] ...
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
mechanism=${mechanism}
# For secure cluster:
# Use SASL framework to establish connection to host.
use_sasl=true
- Alternate Value or Change Command: true
- Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; then
export mechanism=${mechanism:-"MAPR-SECURITY"}
export security_enabled=${security_enabled:-"true"}
export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
export ssl_validate=${ssl_validate:-"true"}
export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
- File or command:
hue.ini
- Description: Configure Hue to use MapR-SASL for HBase Thrift (Data Fabric DB)
- Default Secure Setting:
[hbase] ...
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
mechanism=${mechanism}
- Alternate Value or Change Command: true
- Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; then
export mechanism=${mechanism:-"MAPR-SECURITY"}
export security_enabled=${security_enabled:-"true"}
export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
export ssl_validate=${ssl_validate:-"true"}
export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
- File or command:
hue.ini
- Description: Configure Hue to use MapR-SASL for Drill
- Default Secure Setting:
[librdbms]
[[databases]]
# ...
[[[drill]]]
# ...
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY.
mechanism=${mechanism}
- Alternate Value or Change Command: true
- Notes: Value is picked from the following files:
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/.isSecure
true
cat /opt/mapr/hue/hue-4.6.0/desktop/conf/env.d/20secure
HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
if [ -e "$HUE_SECURE_FILE" ] && [ $(cat "$HUE_SECURE_FILE") = "true" ] ; then
export mechanism=${mechanism:-"MAPR-SECURITY"}
export security_enabled=${security_enabled:-"true"}
export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
export ssl_validate=${ssl_validate:-"true"}
export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
fi
- File or command:
hue.ini
- Description: PAM/LDAP authentication between Hue and Hive
- Default Secure Setting:
[desktop]
# ...
# Default LDAP/PAM/.. username and password of the Hue user used for authentication with other services.
# Inactive if password is empty.
# e.g. LDAP pass-through authentication for HiveServer2 or Impala.
# Apps can override them individually.
auth_username=${MAPR_USER}
auth_password=<user_password>
...
[beeswax]
# ...
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
mechanism=none
- Alternate Value or Change Command: true
- Notes: None
- File or command:
hue.ini
- Description: PAM/LDAP authentication between Hue and Drill
- Default Secure Setting:
[librdbms]
[[databases]]
# ...
[[[drill]]]
# ...
# Security mechanism of authentication none/GSSAPI/MAPR-SECURITY.
mechanism=none
# Username to authenticate with when connecting to the database.
# Used with plain authentication (mechanism set to "none").
user=<username>
# Password matching the username to authenticate with when
# connecting to the database.
# Used with plain authentication (mechanism set to "none").
password=<password>
# Execute this script to produce the database password.
# This will be used when password is required and `password` is not set.
# password_script=
- Alternate Value or Change Command: true
- Notes: None
- File or command:
hue.ini
- Description: User impersonation between Hue and YARN services (RM, NM, HS) + Spark HS
- Default Secure Setting: Enabled by default
- Alternate Value or Change Command: false
- Notes: Hue always sends requests to RM, NM, HS and Spark HS with the doAs=<impersonation_target> parameter.
- File or command:
hue.ini
- Description: User impersonation between Hue and HttpFS
- Default Secure Setting: Enabled by default
- Alternate Value or Change Command: false
- Notes: Hue always sends requests to HttpFS with the doAs=<impersonation_target> parameter.
- File or command:
hue.ini
- Description: User impersonation between Hue and Oozie
- Default Secure Setting: Enabled by default
- Alternate Value or Change Command: false
- Notes: Hue always sends requests to Oozie with the doAs=<impersonation_target> parameter.
- File or command:
hue.ini
- Description: User impersonation between Hue and Livy
- Default Secure Setting: Enabled by default
- Alternate Value or Change Command: false
- Notes: Hue always sends requests to Livy with the proxyUser=<impersonation_target> option.
- File or command:
hue.ini
- Description: User impersonation between Hue and Hive
- Default Secure Setting: true (enabled)
- Alternate Value or Change Command: false
- Notes: Hue automatically detects impersonation settings of Hive from
hive-site.xml
- File or command:
hue.ini
- Description: User impersonation between Hue and HBase Thrift (Data Fabric DB)
- Default Secure Setting: false (disabled)
- Alternate Value or Change Command: false
- Notes: Hue automatically detects impersonation settings of Hive from
hbase-site.xml
- File or command:
hue.ini
- Description: User impersonation between Hue and Drill
- Default Secure Setting:
[librdbms]
[[databases]]
# ...
[[[drill]]]
# ...
# Available options:
# "impersonation" to enable or disable outbound impersonation.
# "principal" of Drill service. Used when Kerberos authentication is enabled.
options='{"impersonation":true}'
- Alternate Value or Change Command: true
- Notes: None
- File or command:
hue.ini
- Description: Authenticating Hue users with LDAP credentials
- Default Secure Setting: TBD
- Alternate Value or Change Command: None
- Notes: None
- File or command:
hue.ini
- Description: Determines which authentication method to use: search and bind, or direct bind
- Default Secure Setting:
search_bind_authentication
- Alternate Value or Change Command: None
- Notes: When set to true, Hue performs an LDAP search using bind_dn and bind_password as provided in hue.ini. The search can be further limited by the search filter user_filter. When set to false, Hue performs a direct bind to LDAP using the credentials provided from one of these sources:
- The UPN, formed by concatenating <shortname> (the user name provided on the Hue
login page) and nt_domain (if nt_domain is specified)
- The ldap_username_pattern (if nt_domain is not specified)
- File or command:
hue.ini
- Description: The NT domain to connect. This parameter is only used with Active
Directory.
- Default Secure Setting:
nt_domain
- Alternate Value or Change Command: None
- Notes: Used with the direct bind method of authentication. If nt_domain is specified, then ldap_username_pattern is ignored.
- File or command:
hue.ini
- Description: Used to connect to directory services other than Active
Directory.
- Default Secure Setting:
ldap_username_pattern
- Alternate Value or Change Command: None
- Notes: Used with the direct bind method of authentication. Usually takes the form cn=<username>,dc=example,dc=com
- File or command:
hue.ini
- Description: The backend to use for authenticating users.
- Default Secure Setting:
backend
- Alternate Value or Change Command: None
- Notes: Set it to desktop.auth.backend.LdapBackend for Hue authentication.
- File or command:
hue.ini
- Description: Configure Hue with HiveServer2 High Availability
- Setting:
[beeswax]
#Whether to use service discovery for llap.
hive_discovery_llap = true
#Is llap (hive server interactive) running in HA.
hive_discovery_llap_ha = true
#Whether to use service discovery for HiveServer2.
hive_discovery_hs2 = true
[libzookeeper]
#ZooKeeper ensemble; comma-separated list of host/port.
ensemble=<host:port>:5181
- Notes: None
Security Settings for Drill
- File or command:
drill-override.conf
- Description: Determines if encryption on the server is enabled for negotiating
privacy with the Drill client.
- Default Secure Setting:
drill.exec.security.user.encryption.sasl.enabled=false
- Alternate Value or Change Command: true
- Notes: None.
- File or command:
drill-override.conf
- Description: Determines if the server is enabled for negotiating privacy with
another Drillbit.
- Default Secure Setting:
drill.exec.security.bit.encryption.ssl.enabled=true
- Alternate Value or Change Command: false
- Notes: None.
- File or command:
drill-override.conf
- Description: TLS/SSL versions allowed
- Default Secure Setting:
drill.exec.impersonation.ssl.protocol: TLSv1.2
- Alternate Value or Change Command: Other versions are possible
- Notes: None.
- File or command:
drill-override.conf
- Description: Format of the keystore file
- Default Secure Setting:
javax.net.ssl.keyStoreType: JKS
- Alternate Value or Change Command: jks, jceks, pkcs12
- Notes: None.
- File or command:
drill-override.conf
- Description: Location of the Java keystore file
- Default Secure Setting:
drill.exec.ssl.keyStorePath
- Alternate Value or Change Command: ssl.server.keystore.location:
/opt/mapr/conf/ssl_keystore
- Notes: Taken from the HPE Ezmeral Data Fabric Hadoop SSL properties when the drill-distrib.conf property drill.exec.ssl.useHadoopConfig: true is set.
- File or command:
drill-override.conf
- Description: Password to access the private key from the keystore file.
- Default Secure Setting:
drill.exec.ssl.keyStorePassword
- Alternate Value or Change Command: ssl.server.keystore.password
- Notes: Taken from the HPE Ezmeral Data Fabric Hadoop SSL properties when the drill-distrib.conf property drill.exec.ssl.useHadoopConfig: true is set.
- File or command:
drill-override.conf
- Description: Format of the truststore file
- Default Secure Setting:
drill.exec.ssl.trustStoreType: JKS
- Alternate Value or Change Command: jks, jceks, pkcs12
- Notes: None
- File or command:
drill-override.conf
- Description: Location of the Java keystore file containing the collection of CA
certificates trusted by the Drill client.
- Default Secure Setting:
drill.exec.ssl.trustStorePath
- Alternate Value or Change Command: ssl.server.truststore.location:
/opt/mapr/conf/ssl_truststore
- Notes: None
- File or command:
drill-override.conf
- Description: Password to access the private key from the keystore file
specified as the truststore
- Default Secure Setting:
drill.exec.ssl.trustStorePassword
- Alternate Value or Change Command: ssl.server.truststore.password
- Notes: None
- File or command:
drill-distrib.conf
- Description: Changes the underlying implementation to the chosen value
- Default Secure Setting:
drill.exec.ssl.provider: JDK
- Alternate Value or Change Command: OpenSSL/JDK
- Notes: None
- File or command:
drill-distrib.conf
- Description: Use HPE Ezmeral Data Fabric SSL trust and key store
- Default Secure Setting:
drill.exec.ssl.useHadoopConfig
- Alternate Value or Change Command: true
- Notes: None
- File or command:
drill-distrib.conf
- Description: Drill Web UI HTTPS protocol for encryption
- Default Secure Setting:
drill.exec: { http.ssl_enabled: true,
ssl.useHadoopConfig: true }
- Alternate Value or Change Command: Default from Drill 1.13
- Notes: None
- File or command:
drill-distrib.conf
- Description: Zookeeper znode ACL for Drill cluster info and query info
- Default Secure Setting:
zk.apply_secure_acl: true
- Alternate Value or Change Command: false
- Notes: Set by default by the installer on an HPE Ezmeral Data Fabric secure cluster, in drill-distrib.conf as drill.exec.zk.apply_secure_acl: true
- File or command:
drill-distrib.conf
- Description: Drill user impersonation, needed for Data Fabric DB to work properly with CF access
- Default Secure Setting:
drill.exec.impersonation.enabled: true
- Alternate Value or Change Command: false
- Notes: Set by default by the installer on an HPE Ezmeral Data Fabric secure cluster, in drill-distrib.conf as drill.exec.impersonation.enabled: true. Also see the impersonation inbound policies for information on setting which users can impersonate others.
- File or command:
drill-override.conf
- Description: Drill user impersonation, maximum number of hops: when one user creates a view on data and shares it with others, how many hops are allowed
- Default Secure Setting:
drill.exec.impersonation.max_chained_user_hops: 3
- Alternate Value or Change Command: Other numeric values
- Notes: Set by default by the installer on an HPE Ezmeral Data Fabric secure cluster in drill-distrib.conf.
- File or command:
drill-override.conf
- Description: Authentication mechanisms
- Default Secure Setting:
drill.exec.security.auth.mechanisms: ["MAPRSASL", "PLAIN"]
- Alternate Value or Change Command: KERBEROS
- Notes: Set by default by the installer on an HPE Ezmeral Data Fabric secure cluster in drill-distrib.conf.
- File or command:
drill-override.conf
- Description: End user encryption mechanism
- Default Secure Setting:
drill.exec.security.user.encryption.sasl.enabled: true
- Alternate Value or Change Command: Can set drill.exec.security.user.encryption.ssl.enabled: true
- Notes: Set by default by the installer on an HPE Ezmeral Data Fabric secure cluster in drill-distrib.conf. To use SSL, set drill.exec.security.user.encryption.ssl.enabled: true. To use PLAIN (user/pass) authentication, SASL encryption cannot be set to true; you have to set SSL encryption to use PLAIN authentication. You can also use HPE Ezmeral Data Fabric tickets (SASL) together with SSL encryption, but only with SSL encryption for both.
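As an added example (not from the HPE documentation), this POSIX shell check reads the three settings above from a drill-override.conf and reports the combinations the notes rule out: PLAIN with SASL encryption, PLAIN without SSL encryption, and an end-user channel with no encryption at all. It assumes flat dotted keys on single lines as shown on this page rather than nested HOCON blocks; the config files it writes are constructed samples.

```shell
#!/bin/sh
# Added example, not from the HPE docs: validate the Drill end-user
# authentication/encryption combination against the rules stated on the page.
# Assumption: keys appear as single "key: value" lines (no nested HOCON blocks).

# Print the last value given for a key; $1 is the key with its dots escaped
# for sed, $2 the config file. Surrounding quotes are stripped.
drill_setting() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*[:=][[:space:]]*//p" "$2" | tail -n 1 | tr -d '"'
}

# Print one status word for the end-user channel of the config in $1:
#   OK, WARN-user-channel-unencrypted, INVALID-plain-with-sasl-encryption,
#   INVALID-plain-without-ssl.
drill_user_channel_check() {
  f="$1"
  mech="$(drill_setting 'drill\.exec\.security\.auth\.mechanisms' "$f")"
  sasl="$(drill_setting 'drill\.exec\.security\.user\.encryption\.sasl\.enabled' "$f")"
  ssl="$(drill_setting 'drill\.exec\.security\.user\.encryption\.ssl\.enabled' "$f")"
  case "$mech" in
    *PLAIN*) plain=yes ;;
    *)       plain=no ;;
  esac
  if [ "$plain" = yes ] && [ "$sasl" = true ]; then
    # Page rule: SASL encryption cannot be true when PLAIN is in use.
    echo "INVALID-plain-with-sasl-encryption"
  elif [ "$plain" = yes ] && [ "$ssl" != true ]; then
    # Page rule: PLAIN (user/pass) requires SSL encryption.
    echo "INVALID-plain-without-ssl"
  elif [ "$sasl" != true ] && [ "$ssl" != true ]; then
    # Neither encryption mechanism negotiated for the client connection.
    echo "WARN-user-channel-unencrypted"
  else
    echo "OK"
  fi
}

# Write a constructed drill-override.conf with the given mechanisms list ($1),
# SASL encryption flag ($2) and SSL encryption flag ($3); prints its path.
write_drill_conf() {
  f="$(mktemp)"
  cat > "$f" <<EOF
drill.exec.security.auth.mechanisms: $1
drill.exec.security.user.encryption.sasl.enabled: $2
drill.exec.security.user.encryption.ssl.enabled: $3
EOF
  printf '%s\n' "$f"
}
```

Run drill_user_channel_check against /opt/mapr/drill/drill-<version>/conf/drill-override.conf on each Drillbit to confirm the documented default and any local overrides agree with these rules.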
Security Settings for Spark
- File or command:
spark-defaults.conf
- Description: SSL option for file download client (used to download jars and
files from HTTPS-enabled servers).
- Default Secure Setting:
spark.ssl.fs.enabled true
- Alternate Value or Change Command: https://spark.apache.org/docs/2.3.1/security.html
- Notes: None
- File or command:
spark-defaults.conf
- Description: The password to the private key in the key store.
- Default Secure Setting:
spark.ssl.keyPassword <ssl-keystore-password>
- Alternate Value or Change Command: None
- Notes: None
- File or command:
spark-defaults.conf
- Description: Path to the key store file. The path can be absolute or relative
to the directory in which the process is started.
- Default Secure Setting:
spark.ssl.keyStore /opt/mapr/conf/ssl_keystore
- Alternate Value or Change Command: None
- Notes: None
- File or command:
spark-defaults.conf
- Description: Password to the key store.
- Default Secure Setting:
spark.ssl.keyStorePassword <ssl-keystore-password>
- Alternate Value or Change Command: None
- Notes: None
- File or command:
spark-defaults.conf
- Description: Path to the trust store file. The path can be absolute or relative
to the directory in which the process is started.
- Default Secure Setting:
spark.ssl.trustStore /opt/mapr/conf/ssl_truststore
- Alternate Value or Change Command: None
- Notes: None
- File or command:
spark-defaults.conf
- Description: Password for the trust store.
- Default Secure Setting:
spark.ssl.trustStorePassword <ssl-truststore-password>
- Alternate Value or Change Command: None
- Notes: None
- File or command:
spark-defaults.conf
- Description: The TLS protocol to use. The protocol must be supported by the
JVM.
- Default Secure Setting:
spark.ssl.protocol TLSv1.2
- Alternate Value or Change Command: None
- Notes: None
- File or command:
spark-defaults.conf
- Description: Configure encryption for the Spark HTTP file and broadcast
servers
- Default Secure Setting:
spark.ssl.enabledAlgorithms TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
- Alternate Value or Change Command: None
- Notes: None
Security Settings for Livy
- File or command:
livy.conf
- Description: MapR-SASL authentication
- Default Secure Setting:
livy.server.auth.type = multiauth
- Alternate Value or Change Command: true
- Notes: None
- File or command:
livy.conf
- Description: User impersonation with Livy
- Default Secure Setting:
livy.impersonation.enabled = true
livy.superusers = <MAPR_USER>
- Alternate Value or Change Command: true
- Notes: None
- File or command:
livy.conf
- Description: HTTPS
- Default Secure Setting:
livy.keystore
livy.keystore.password
livy.key-password
- Alternate Value or Change Command: true
- Notes: Values are filled in automatically at runtime using com.mapr.web.security.WebSecurityManager
Security Settings for Tez
- File or command:
/opt/mapr/tez/tez-0.8/tomcat/apache-tomcat-9.0.1/conf/server.xml
- Description: SSL Config for Tez
- Default Secure Setting:
<Connector port="9444" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
SSLEnabled="true" scheme="https" secure="true" keyAlias="edl-dev-r01-tezui"
keystoreFile="/opt/mapr/tez/tez-0.8/tomcat/apache-tomcat-9.0.1/conf/bdx1xxx0125.xxxxx.com.jks"
keystorePass="xxxxxxxxxx" keystoreType="JKS" clientAuth="false" sslProtocol="TLS" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />
- Alternate Value or Change Command: None
- Notes: Tez UI redirectPort value changed to 9444 (the default value 8443 conflicts with the Control System)
- File or command:
/opt/mapr/elasticsearch/elasticsearch-5.4.1/usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_internal_users.yml
- Description: Kibana and ElasticSearch login account and password file
- Default Secure Setting:
admin:hash:
<$2a$12$6ASxMQEBKYPyGUc10RyleOhz3c8RrvPGb7oqLC9xGGwPxJFwOLJtq>
- Alternate Value or Change Command: https://docs.datafabric.hpe.com/home/AdministratorGuide/Changing_Password_for_ES_Kibana.html
- Notes: None
- File or command: /opt/mapr/conf/ssl_truststore* and /opt/mapr/conf/ssl_keystore*
- Description: SSL Keys
- Default Secure Setting: Created at install, should rarely change, used by all web and REST HTTPS interfaces.
- Alternate Value or Change Command: Add site-specific certificates with the keytool utility
- Notes: None
Security Settings for Grafana
- File or command: /opt/mapr/grafana/grafana-version/etc/grafana/grafana.ini
- Description: Certificate File
- Default Secure Setting:
/opt/mapr/grafana/grafana-4.6.1/etc/grafana/cert.pem
- Alternate Value or Change Command: None
- Notes: None
- File or command: /opt/mapr/grafana/grafana-version/etc/grafana/grafana.ini
- Description: Certificate Key
- Default Secure Setting:
/opt/mapr/grafana/grafana-4.6.1/etc/grafana/key.pem
- Alternate Value or Change Command: None
- Notes: None