
11/3/2014

Apache Hadoop 2.5.0 - Hadoop in Secure Mode

Hadoop in Secure Mode
  Introduction
  Authentication
    End User Accounts
    User Accounts for Hadoop Daemons
    Kerberos principals for Hadoop Daemons and Users
    Mapping from Kerberos principal to OS user account
    Mapping from user to group
    Proxy user
    Secure DataNode
  Data confidentiality
    Data Encryption on RPC
    Data Encryption on Block data transfer
    Data Encryption on HTTP
  Configuration
    Permissions for both HDFS and local fileSystem paths
    Common Configurations
    NameNode
    Secondary NameNode
    DataNode
    WebHDFS
    ResourceManager
    NodeManager
    Configuration for WebAppProxy
    LinuxContainerExecutor
    MapReduce JobHistory Server

Hadoop in Secure Mode

Introduction

This document describes how to configure authentication for Hadoop in secure mode.

By default Hadoop runs in non-secure mode in which no actual authentication is required. By configuring Hadoop to run in secure mode, each user and service needs to be authenticated by Kerberos in order to use Hadoop services.

Security features of Hadoop consist of authentication, service level authorization, authentication for Web consoles and data confidentiality.

Authentication

End User Accounts

When service level authentication is turned on, end users using Hadoop in secure mode need to be authenticated by Kerberos. The simplest way to do authentication is using the kinit command of Kerberos.

User Accounts for Hadoop Daemons

Ensure that HDFS and YARN daemons run as different Unix users, e.g. hdfs and yarn. Also, ensure that the MapReduce JobHistory server runs as a different user such as mapred.

It's recommended to have them share a Unix group, e.g. hadoop. See also "Mapping from user to group" for group management.

User:Group    | Daemons
--------------|-----------------------------------------------------
hdfs:hadoop   | NameNode, Secondary NameNode, JournalNode, DataNode
yarn:hadoop   | ResourceManager, NodeManager
mapred:hadoop | MapReduce JobHistory Server

http://hadoop.apache.org/docs/r2.5.0/hadoop-project-dist/hadoop-common/SecureMode.html

Kerberos principals for Hadoop Daemons and Users

For running hadoop service daemons in Hadoop in secure mode, Kerberos principals are required. Each service reads authentication information saved in a keytab file with appropriate permission.

HTTP web consoles should be served by a principal different from the RPC's one.

Subsections below show the examples of credentials for Hadoop services.

HDFS

The NameNode keytab file, on the NameNode host, should look like the following:

$ klist -e -k -t /etc/security/keytab/nn.service.keytab
Keytab name: FILE:/etc/security/keytab/nn.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)

The Secondary NameNode keytab file, on that host, should look like the following:

$ klist -e -k -t /etc/security/keytab/sn.service.keytab
Keytab name: FILE:/etc/security/keytab/sn.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)

The DataNode keytab file, on each host, should look like the following:

$ klist -e -k -t /etc/security/keytab/dn.service.keytab
Keytab name: FILE:/etc/security/keytab/dn.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)

YARN

The ResourceManager keytab file, on the ResourceManager host, should look like the following:

$ klist -e -k -t /etc/security/keytab/rm.service.keytab
Keytab name: FILE:/etc/security/keytab/rm.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)

The NodeManager keytab file, on each host, should look like the following:

$ klist -e -k -t /etc/security/keytab/nm.service.keytab
Keytab name: FILE:/etc/security/keytab/nm.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)

MapReduce JobHistory Server

The MapReduce JobHistory Server keytab file, on that host, should look like the following:

$ klist -e -k -t /etc/security/keytab/jhs.service.keytab
Keytab name: FILE:/etc/security/keytab/jhs.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)

Mapping from Kerberos principal to OS user account

Hadoop maps a Kerberos principal to an OS user account using the rules specified by hadoop.security.auth_to_local, which works in the same way as the auth_to_local in the Kerberos configuration file (krb5.conf). In addition, Hadoop auth_to_local mapping supports the /L flag that lowercases the returned name.

By default, it picks the first component of the principal name as a user name if the realm matches the default_realm (usually defined in /etc/krb5.conf). For example, host/full.qualified.domain.name@REALM.TLD is mapped to host by the default rule.
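The mapping described above, written out as an added example (not code from the Hadoop project): a small evaluator for a hadoop.security.auth_to_local rule list, covering the component count, the match regex, the sed-style substitution, the /L flag and the DEFAULT rule. The realm REALM.TLD and the rule list are constructed for illustration; a principal that no rule matches yields None, which is the safe outcome (reject, rather than guess a user).

```python
import re

# Grammar of one auth_to_local rule, in the layout the page describes:
#   RULE:[<n>:<format>](<match regex>)s/<pattern>/<replacement>/[g][/L]
# or the literal DEFAULT. <n> is the number of principal components the rule
# applies to; in the format $0 is the realm and $1..$n are the components.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?(/L)?$"
)

# Constructed sample settings (illustrative values, not from a real cluster).
DEFAULT_REALM = "REALM.TLD"
SAMPLE_RULES = """
RULE:[2:$1@$0](nn@REALM.TLD)s/.*/hdfs/
RULE:[2:$1@$0](dn@REALM.TLD)s/.*/hdfs/
RULE:[1:$1@$0](.*@OTHER.TLD)s/@OTHER.TLD///L
DEFAULT
"""


def split_principal(principal):
    """'nn/host.example@REALM.TLD' -> (['nn', 'host.example'], 'REALM.TLD')."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm


def map_principal(principal, rules_text=SAMPLE_RULES, default_realm=DEFAULT_REALM):
    """Return the OS user name the first matching rule yields, or None when
    no rule matches (Hadoop then rejects the principal instead of guessing)."""
    components, realm = split_principal(principal)
    for line in (raw.strip() for raw in rules_text.splitlines()):
        if not line:
            continue
        if line == "DEFAULT":
            # The default rule only applies to principals from the local realm
            # and maps them to their first component (host/fqdn@REALM -> host).
            if realm == default_realm:
                return components[0]
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("malformed rule: " + line)
        ncomp, fmt, match_re, pattern, repl, flag_g, lower = m.groups()
        if int(ncomp) != len(components):
            continue
        params = [realm] + components
        base = re.sub(r"\$(\d+)", lambda g: params[int(g.group(1))], fmt)
        if match_re is not None and re.fullmatch(match_re, base) is None:
            continue
        result = base
        if pattern is not None:
            # Without the g flag only the first occurrence is replaced
            # (back-references in repl use Python's \1 syntax here).
            result = re.sub(pattern, repl, base, count=0 if flag_g else 1)
        if lower:
            result = result.lower()
        # A mapped name must be a plain OS account, never a principal-like string.
        if "@" in result or "/" in result:
            raise ValueError("rule produced a non-simple name: " + result)
        return result
    return None
```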

Mapping from user to group

Though files on HDFS are associated to owner and group, Hadoop does not have the definition of group by itself. Mapping from user to group is done by OS or LDAP.

You can change the way of mapping by specifying the name of the mapping provider as a value of hadoop.security.group.mapping. See the HDFS Permissions Guide for details.

Practically you need to manage an SSO environment using Kerberos with LDAP for Hadoop in secure mode.

Proxy user

Some products such as Apache Oozie which access the services of Hadoop on behalf of end users need to be able to impersonate end users. You can configure proxy user using properties hadoop.proxyuser.$superuser.hosts along with either or both of hadoop.proxyuser.$superuser.groups and hadoop.proxyuser.$superuser.users.

For example, by specifying as below in core-site.xml, user named oozie accessing from any host can impersonate any user belonging to any group.

  <property>
    <name>hadoop.proxyuser.oozie.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.oozie.groups</name>
    <value>*</value>
  </property>

User named oozie accessing from any host can impersonate user1 and user2 by specifying as below in core-site.xml.

  <property>
    <name>hadoop.proxyuser.oozie.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.oozie.users</name>
    <value>user1,user2</value>
  </property>

The hadoop.proxyuser.$superuser.hosts accepts a list of ip addresses, ip address ranges in CIDR format and/or host names.

For example, by specifying as below in core-site.xml, user named oozie accessing from hosts in the range 10.222.0.0/16 and 10.113.221.221 can impersonate any user belonging to any group.

  <property>
    <name>hadoop.proxyuser.oozie.hosts</name>
    <value>10.222.0.0/16,10.113.221.221</value>
  </property>
  <property>
    <name>hadoop.proxyuser.oozie.groups</name>
    <value>*</value>
  </property>
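The proxy-user policy described above, as an added example that is not Hadoop's own authorization code: given the hadoop.proxyuser.* properties, decide whether a superuser connecting from a given address may impersonate a given user. The configuration values, the host name gateway.example and the injectable resolve() callback (so the check runs offline) are assumptions for illustration.

```python
import ipaddress

# Constructed core-site.xml settings for superuser "oozie" (illustrative only).
SAMPLE_CONF = {
    "hadoop.proxyuser.oozie.hosts": "10.222.0.0/16,10.113.221.221,gateway.example",
    "hadoop.proxyuser.oozie.users": "user1,user2",
    "hadoop.proxyuser.oozie.groups": "analysts",
}


def _csv(conf, key):
    """Split a comma-separated property value into its non-empty entries."""
    return [v.strip() for v in conf.get(key, "").split(",") if v.strip()]


def host_allowed(entries, remote_addr, resolve=None):
    """True if remote_addr (an IP string) is covered by one hosts entry:
    the * wildcard, a single IP, a CIDR range, or a host name that resolve()
    maps to that address (pass e.g. socket.gethostbyname on a real host)."""
    ip = ipaddress.ip_address(remote_addr)
    for entry in entries:
        if entry == "*":
            return True
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            network = None  # not an address or CIDR block: treat as a host name
        if network is not None:
            if ip in network:
                return True
        elif resolve is not None and resolve(entry) == remote_addr:
            return True
    return False


def may_impersonate(conf, superuser, remote_addr, target_user, target_groups,
                    resolve=None):
    """Decide whether superuser, connecting from remote_addr, may act as
    target_user (who belongs to target_groups). The connecting host must be
    allowed AND the target must be listed by name or by one of its groups;
    a superuser with no .hosts entry can never impersonate anyone."""
    prefix = "hadoop.proxyuser." + superuser + "."
    hosts = _csv(conf, prefix + "hosts")
    if not hosts or not host_allowed(hosts, remote_addr, resolve):
        return False
    users = _csv(conf, prefix + "users")
    groups = _csv(conf, prefix + "groups")
    if "*" in users or target_user in users:
        return True
    return "*" in groups or any(g in groups for g in target_groups)
```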

Secure DataNode

Because the data transfer protocol of DataNode does not use the RPC framework of Hadoop, DataNode must authenticate itself by using privileged ports which are specified by dfs.datanode.address and dfs.datanode.http.address. This authentication is based on the assumption that the attacker won't be able to get root privileges.

When you execute the hdfs datanode command as root, the server process binds the privileged port at first, then drops privilege and runs as the user account specified by HADOOP_SECURE_DN_USER. This startup process uses jsvc installed to JSVC_HOME. You must specify HADOOP_SECURE_DN_USER and JSVC_HOME as environment variables on startup (in hadoop-env.sh).

Data confidentiality

Data Encryption on RPC

This covers the data transferred between hadoop services and clients. Setting hadoop.rpc.protection to "privacy" in core-site.xml activates data encryption.

Data Encryption on Block data transfer

You need to set dfs.encrypt.data.transfer to "true" in hdfs-site.xml in order to activate data encryption for the data transfer protocol of DataNode.

Data Encryption on HTTP

Data transfer between Web console and clients is protected by using SSL (HTTPS).

Configuration

Permissions for both HDFS and local fileSystem paths

The following table lists various paths on HDFS and local filesystems (on all nodes) and recommended permissions:

Filesystem | Path                                       | User:Group    | Permissions
-----------|--------------------------------------------|---------------|------------
local      | dfs.namenode.name.dir                      | hdfs:hadoop   | drwx------
local      | dfs.datanode.data.dir                      | hdfs:hadoop   | drwx------
local      | $HADOOP_LOG_DIR                            | hdfs:hadoop   | drwxrwxr-x
local      | $YARN_LOG_DIR                              | yarn:hadoop   | drwxrwxr-x
local      | yarn.nodemanager.local-dirs                | yarn:hadoop   | drwxr-xr-x
local      | yarn.nodemanager.log-dirs                  | yarn:hadoop   | drwxr-xr-x
local      | container-executor                         | root:hadoop   | --Sr-s---
local      | conf/container-executor.cfg                | root:hadoop   | r--------
hdfs       | /                                          | hdfs:hadoop   | drwxr-xr-x
hdfs       | /tmp                                       | hdfs:hadoop   | drwxrwxrwxt
hdfs       | /user                                      | hdfs:hadoop   | drwxr-xr-x
hdfs       | yarn.nodemanager.remote-app-log-dir        | yarn:hadoop   | drwxrwxrwxt
hdfs       | mapreduce.jobhistory.intermediate-done-dir | mapred:hadoop | drwxrwxrwxt
hdfs       | mapreduce.jobhistory.done-dir              | mapred:hadoop | drwxr-x---

Common Configurations

In order to turn on RPC authentication in hadoop, set the value of the hadoop.security.authentication property to "kerberos", and set the security related settings listed below appropriately.

The following properties should be in the core-site.xml of all the nodes in the cluster.

Configuration for conf/core-site.xml

Parameter                         | Value                           | Notes
----------------------------------|---------------------------------|------
hadoop.security.authentication    | kerberos                        | simple: No authentication (default); kerberos: Enable authentication by Kerberos.
hadoop.security.authorization     | true                            | Enable RPC service-level authorization.
hadoop.rpc.protection             | authentication                  | authentication: authentication only (default); integrity: integrity check in addition to authentication; privacy: data encryption in addition to integrity
hadoop.security.auth_to_local     | RULE:exp1 RULE:exp2 ... DEFAULT | The value is a string containing newline characters. See the Kerberos documentation for the format of exp.
hadoop.proxyuser.superuser.hosts  |                                 | comma separated hosts from which superuser access is allowed to impersonate. * means wildcard.
hadoop.proxyuser.superuser.groups |                                 | comma separated groups to which users impersonated by superuser belong. * means wildcard.

NameNode

Configuration for conf/hdfs-site.xml

Parameter                             | Value                                     | Notes
--------------------------------------|-------------------------------------------|------
dfs.block.access.token.enable         | true                                      | Enable HDFS block access tokens for secure operations.
dfs.https.enable                      | true                                      | This value is deprecated. Use dfs.http.policy
dfs.http.policy                       | HTTP_ONLY or HTTPS_ONLY or HTTP_AND_HTTPS | HTTPS_ONLY turns off http access. This option takes precedence over the deprecated configuration dfs.https.enable and hadoop.ssl.enabled.
dfs.namenode.https-address            | nn_host_fqdn:50470                        |
dfs.https.port                        | 50470                                     |
dfs.namenode.keytab.file              | /etc/security/keytab/nn.service.keytab    | Kerberos keytab file for the NameNode.
dfs.namenode.kerberos.principal       | nn/_HOST@REALM.TLD                        | Kerberos principal name for the NameNode.
dfs.namenode.kerberos.https.principal | host/_HOST@REALM.TLD                      | HTTPS Kerberos principal name for the NameNode.

Secondary NameNode

Configuration for conf/hdfs-site.xml

Parameter                                       | Value                                  | Notes
------------------------------------------------|----------------------------------------|------
dfs.namenode.secondary.http-address             | c_nn_host_fqdn:50090                   |
dfs.namenode.secondary.https-port               | 50470                                  |
dfs.namenode.secondary.keytab.file              | /etc/security/keytab/sn.service.keytab | Kerberos keytab file for the Secondary NameNode.
dfs.namenode.secondary.kerberos.principal       | sn/_HOST@REALM.TLD                     | Kerberos principal name for the Secondary NameNode.
dfs.namenode.secondary.kerberos.https.principal | host/_HOST@REALM.TLD                   | HTTPS Kerberos principal name for the Secondary NameNode.

DataNode

Configuration for conf/hdfs-site.xml

Parameter                             | Value                                  | Notes
--------------------------------------|----------------------------------------|------
dfs.datanode.data.dir.perm            | 700                                    |
dfs.datanode.address                  | 0.0.0.0:1004                           | Secure DataNode must use a privileged port in order to assure that the server was started securely. This means that the server must be started via jsvc.
dfs.datanode.http.address             | 0.0.0.0:1006                           | Secure DataNode must use a privileged port in order to assure that the server was started securely. This means that the server must be started via jsvc.
dfs.datanode.https.address            | 0.0.0.0:50470                          |
dfs.datanode.keytab.file              | /etc/security/keytab/dn.service.keytab | Kerberos keytab file for the DataNode.
dfs.datanode.kerberos.principal       | dn/_HOST@REALM.TLD                     | Kerberos principal name for the DataNode.
dfs.datanode.kerberos.https.principal | host/_HOST@REALM.TLD                   | HTTPS Kerberos principal name for the DataNode.
dfs.encrypt.data.transfer             | false                                  | set to true when using data encryption

WebHDFS

Configuration for conf/hdfs-site.xml

Parameter                                | Value                                    | Notes
-----------------------------------------|------------------------------------------|------
dfs.webhdfs.enabled                      | true                                     | Enable security on WebHDFS.
dfs.web.authentication.kerberos.principal | http/_HOST@REALM.TLD                    | Kerberos principal name for WebHDFS.
dfs.web.authentication.kerberos.keytab    | /etc/security/keytab/http.service.keytab | Kerberos keytab file for WebHDFS.

ResourceManager

Configuration for conf/yarn-site.xml

Parameter                      | Value                                  | Notes
-------------------------------|----------------------------------------|------
yarn.resourcemanager.keytab    | /etc/security/keytab/rm.service.keytab | Kerberos keytab file for the ResourceManager.
yarn.resourcemanager.principal | rm/_HOST@REALM.TLD                     | Kerberos principal name for the ResourceManager.

NodeManager

Configuration for conf/yarn-site.xml

Parameter                                     | Value                                                            | Notes
----------------------------------------------|------------------------------------------------------------------|------
yarn.nodemanager.keytab                       | /etc/security/keytab/nm.service.keytab                           | Kerberos keytab file for the NodeManager.
yarn.nodemanager.principal                    | nm/_HOST@REALM.TLD                                               | Kerberos principal name for the NodeManager.
yarn.nodemanager.container-executor.class     | org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor | Use LinuxContainerExecutor.
yarn.nodemanager.linux-container-executor.group | hadoop                                                         | Unix group of the NodeManager.
yarn.nodemanager.linux-container-executor.path  | /path/to/bin/container-executor                                | The path to the executable of Linux container executor.

Configuration for WebAppProxy

The WebAppProxy provides a proxy between the web applications exported by an application and an end user. If security is enabled it will warn users before accessing a potentially unsafe web application. Authentication and authorization using the proxy is handled just like any other privileged web application.

Configuration for conf/yarn-site.xml

Parameter                | Value                                           | Notes
-------------------------|-------------------------------------------------|------
yarn.web-proxy.address   | WebAppProxy host:port for proxy to AM web apps. | host:port; if this is the same as yarn.resourcemanager.webapp.address or it is not defined then the ResourceManager will run the proxy, otherwise a standalone proxy server will need to be launched.
yarn.web-proxy.keytab    | /etc/security/keytab/web-app.service.keytab     | Kerberos keytab file for the WebAppProxy.
yarn.web-proxy.principal | wap/_HOST@REALM.TLD                             | Kerberos principal name for the WebAppProxy.

LinuxContainerExecutor

A ContainerExecutor is used by the YARN framework and defines how any container is launched and controlled.

The following are the executors available in Hadoop YARN:

DefaultContainerExecutor
    The default executor which YARN uses to manage container execution. The container process has the same Unix user as the NodeManager.

LinuxContainerExecutor
    Supported only on GNU/Linux, this executor runs the containers as either the YARN user who submitted the application (when full security is enabled) or as a dedicated user (defaults to nobody) when full security is not enabled. When full security is enabled, this executor requires all user accounts to be created on the cluster nodes where the containers are launched. It uses a setuid executable that is included in the Hadoop distribution. The NodeManager uses this executable to launch and kill containers. The setuid executable switches to the user who has submitted the application and launches or kills the containers. For maximum security, this executor sets up restricted permissions and user/group ownership of local files and directories used by the containers such as the shared objects, jars, intermediate files, log files etc. Particularly note that, because of this, except the application owner and NodeManager, no other user can access any of the local files/directories including those localized as part of the distributed cache.

To build the LinuxContainerExecutor executable run:

$ mvn package -Dcontainer-executor.conf.dir=/etc/hadoop/

The path passed in -Dcontainer-executor.conf.dir should be the path on the cluster nodes where a configuration file for the setuid executable should be located. The executable should be installed in $HADOOP_YARN_HOME/bin.

The executable must have specific permissions: 6050 or --Sr-s--- permissions, user-owned by root (super-user) and group-owned by a special group (e.g. hadoop) of which the NodeManager Unix user is a member and no ordinary application user is. If any application user belongs to this special group, security will be compromised. This special group name should be specified for the configuration property yarn.nodemanager.linux-container-executor.group in both conf/yarn-site.xml and conf/container-executor.cfg.

For example, let's say that the NodeManager is run as user yarn who is part of the groups users and hadoop, any of them being the primary group. Let also be that users has both yarn and another user (application submitter) alice as its members, and alice does not belong to hadoop. Going by the above description, the setuid/setgid executable should be set 6050 or --Sr-s--- with user-owner as yarn and group-owner as hadoop which has yarn as its member (and not users which has alice also as its member besides yarn).

The LinuxTaskController requires that paths including and leading up to the directories specified in yarn.nodemanager.local-dirs and yarn.nodemanager.log-dirs be set to 755 permissions as described above in the table on permissions on directories.
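An added verification helper (not part of the Hadoop distribution) for the ownership and group-membership requirements above: it flags a container-executor binary that is not root-owned, not mode 6050, group-owned by the wrong group, or whose special group contains an application submitter such as alice from the example. The users, groups and stat values in the checks are constructed; check_installed_binary() reads the real ones from a Unix host and is an assumption about that host (grp/pwd modules available).

```python
import os
import stat

# Required layout of the setuid container-executor binary, as the page states:
# mode 6050 (--Sr-s---), owned by root, group-owned by the NodeManager's special
# group, with no ordinary application user a member of that group.
REQUIRED_MODE = 0o6050


def check_container_executor(uid, gid_name, mode, nm_group, group_members,
                             nm_user, app_users):
    """Return the list of problems found (empty means the layout is acceptable).

    uid and mode are the binary's stat fields, gid_name the name of its group
    owner, group_members every account whose primary or supplementary group is
    nm_group, app_users the accounts that submit applications."""
    problems = []
    if uid != 0:
        problems.append("binary is not owned by root (super-user)")
    if gid_name != nm_group:
        problems.append("group owner is %s, expected %s" % (gid_name, nm_group))
    perm = stat.S_IMODE(mode)
    if perm != REQUIRED_MODE:
        problems.append("mode is %04o, expected %04o (--Sr-s---)" % (perm, REQUIRED_MODE))
    if nm_user not in group_members:
        problems.append("NodeManager user %s is not in group %s" % (nm_user, nm_group))
    for user in app_users:
        # An application user inside the special group could invoke the setuid
        # binary itself, which the page warns compromises security.
        if user in group_members:
            problems.append("application user %s is a member of %s" % (user, nm_group))
    return problems


def check_installed_binary(path, nm_group, nm_user, app_users):
    """Collect the same inputs from a live Unix host (assumes the grp and pwd
    modules, i.e. not Windows) and run the checks above."""
    import grp
    import pwd
    st = os.stat(path)
    group = grp.getgrgid(st.st_gid)
    members = set(group.gr_mem)
    # Accounts whose primary group is the special group are members too.
    members.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == group.gr_gid)
    return check_container_executor(st.st_uid, group.gr_name, st.st_mode,
                                    nm_group, members, nm_user, app_users)
```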


conf/container-executor.cfg

The executable requires a configuration file called container-executor.cfg to be present in the configuration directory passed to the mvn target mentioned above.

The configuration file must be owned by the user running NodeManager (user yarn in the above example), group-owned by anyone and should have the permissions 0400 or r--------.

The executable requires the following configuration items to be present in the conf/container-executor.cfg file. The items should be mentioned as simple key=value pairs, one per line:

Configuration for conf/container-executor.cfg

Parameter                                       | Value                | Notes
------------------------------------------------|----------------------|------
yarn.nodemanager.linux-container-executor.group | hadoop               | Unix group of the NodeManager. The group owner of the container-executor binary should be this group. Should be the same as the value with which the NodeManager is configured. This configuration is required for validating the secure access of the container-executor binary.
banned.users                                    | hdfs,yarn,mapred,bin | Banned users.
allowed.system.users                            | foo,bar              | Allowed system users.
min.user.id                                     | 1000                 | Prevent other super-users.

To recap, here are the local filesystem permissions required for the various paths related to the LinuxContainerExecutor:

Filesystem | Path                        | User:Group  | Permissions
-----------|-----------------------------|-------------|------------
local      | container-executor          | root:hadoop | --Sr-s---
local      | conf/container-executor.cfg | root:hadoop | r--------
local      | yarn.nodemanager.local-dirs | yarn:hadoop | drwxr-xr-x
local      | yarn.nodemanager.log-dirs   | yarn:hadoop | drwxr-xr-x

MapReduce JobHistory Server

Configuration for conf/mapred-site.xml

Parameter                      | Value                                   | Notes
-------------------------------|-----------------------------------------|------
mapreduce.jobhistory.address   | MapReduce JobHistory Server host:port   | Default port is 10020.
mapreduce.jobhistory.keytab    | /etc/security/keytab/jhs.service.keytab | Kerberos keytab file for the MapReduce JobHistory Server.
mapreduce.jobhistory.principal | jhs/_HOST@REALM.TLD                     | Kerberos principal name for the MapReduce JobHistory Server.
