Hadoop in Secure Mode
  Introduction
  Authentication
    End User Accounts
    User Accounts for Hadoop Daemons
    Kerberos principals for Hadoop Daemons and Users
    Mapping from Kerberos principal to OS user account
    Mapping from user to group
    Proxy user
    Secure DataNode
  Data confidentiality
    Data Encryption on RPC
    Data Encryption on Block data transfer
    Data Encryption on HTTP
  Configuration
    Permissions for both HDFS and local file System paths
    Common Configurations
    NameNode
    Secondary NameNode
    DataNode
    WebHDFS
    ResourceManager
    NodeManager
    Configuration for WebAppProxy
    LinuxContainerExecutor
    MapReduce JobHistory Server
Hadoop in Secure Mode

Introduction

This document describes how to configure authentication for Hadoop in secure mode.

By default Hadoop runs in non-secure mode, in which no actual authentication is required. By configuring Hadoop to run in secure mode, each user and service must be authenticated by Kerberos in order to use Hadoop services.

The security features of Hadoop consist of authentication, service level authorization, authentication for Web consoles and data confidentiality.
Authentication

End User Accounts

When service level authentication is turned on, end users using Hadoop in secure mode need to be authenticated by Kerberos. The simplest way to do authentication is using the kinit command of Kerberos.

User Accounts for Hadoop Daemons

Ensure that the HDFS and YARN daemons run as different Unix users, e.g. hdfs and yarn. Also, ensure that the MapReduce JobHistory server runs as a different user such as mapred.

It is recommended to have them share a Unix group, e.g. hadoop. See also "Mapping from user to group" for group management.
  User:Group      Daemons
  hdfs:hadoop     NameNode, Secondary NameNode, JournalNode, DataNode
  yarn:hadoop     ResourceManager, NodeManager
  mapred:hadoop   MapReduce JobHistory Server
http://hadoop.apache.org/docs/r2.5.0/hadoop-project-dist/hadoop-common/SecureMode.html
1/8
11/3/2014
Kerberos principals for Hadoop Daemons and Users

For running Hadoop service daemons in secure mode, Kerberos principals are required. Each service reads its authentication information from a keytab file with appropriate permissions: the keytab holds the service's long-term keys, so it must be readable only by the Unix user the daemon runs as (for example mode 0400, owned by hdfs, for the NameNode and DataNode keytabs).

HTTP web consoles should be served by a principal different from the RPC one.

The subsections below show examples of credentials for Hadoop services.
HDFS

The NameNode keytab file, on the NameNode host, should look like the following:

  $ klist -e -k -t /etc/security/keytab/nn.service.keytab
  Keytab name: FILE:/etc/security/keytab/nn.service.keytab
  KVNO Timestamp         Principal
     4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)

The Secondary NameNode keytab file, on that host, should look like the following:

  $ klist -e -k -t /etc/security/keytab/sn.service.keytab
  Keytab name: FILE:/etc/security/keytab/sn.service.keytab
  KVNO Timestamp         Principal
     4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)

The DataNode keytab file, on each host, should look like the following:

  $ klist -e -k -t /etc/security/keytab/dn.service.keytab
  Keytab name: FILE:/etc/security/keytab/dn.service.keytab
  KVNO Timestamp         Principal
     4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
YARN

The ResourceManager keytab file, on the ResourceManager host, should look like the following:

  $ klist -e -k -t /etc/security/keytab/rm.service.keytab
  Keytab name: FILE:/etc/security/keytab/rm.service.keytab
  KVNO Timestamp         Principal
     4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)

The NodeManager keytab file, on each host, should look like the following:

  $ klist -e -k -t /etc/security/keytab/nm.service.keytab
  Keytab name: FILE:/etc/security/keytab/nm.service.keytab
  KVNO Timestamp         Principal
     4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)

MapReduce JobHistory Server

The MapReduce JobHistory Server keytab file, on that host, should look like the following:

  $ klist -e -k -t /etc/security/keytab/jhs.service.keytab
  Keytab name: FILE:/etc/security/keytab/jhs.service.keytab
  KVNO Timestamp         Principal
     4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
     4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)

Note that every example keytab above also carries an RC4 key (ArcFour with HMAC/md5) next to the AES keys. RC4-HMAC is deprecated for Kerberos (RFC 8429); on a current KDC, create the service keys with AES encryption types only, so that a leaked keytab or a captured ticket offers nothing weaker than AES to attack.
Mapping from Kerberos principal to OS user account

Hadoop maps a Kerberos principal to an OS user account using the rules specified by hadoop.security.auth_to_local, which work in the same way as auth_to_local in the Kerberos configuration file (krb5.conf). In addition, the Hadoop auth_to_local mapping supports the /L flag that lowercases the returned name.

By default, it picks the first component of the principal name as the user name if the realm matches the default_realm (usually defined in /etc/krb5.conf). For example, host/full.qualified.domain.name@REALM.TLD is mapped to host by the default rule.

A principal that no rule maps is rejected rather than silently mapped; because the DEFAULT rule only applies to the default realm, principals from other realms need an explicit RULE. Conversely, a rule that strips the realm from any principal lets an identity from a foreign realm land on a local account, so match the realm explicitly in every rule.
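To make the rule semantics concrete, the following is an added example written for this page; it re-implements the rule evaluation in Python and is not Hadoop's own org.apache.hadoop.security.KerberosName code. The rule set, the realms REALM.TLD and PARTNER.TLD, and every host and user name in it are constructed for the example. It shows the daemon principals from the keytabs above collapsing onto the hdfs, yarn and mapred accounts, a user from a second realm being lowercased by /L, and principals from an unknown realm being refused instead of silently mapped:

```python
import re


class NoMatchingRule(Exception):
    """Raised when no auth_to_local rule maps the principal (Hadoop then rejects the login)."""


# One rule per line:  RULE:[n:format](regex)s/pattern/replacement/[g][/L]   or   DEFAULT
_RULE_RE = re.compile(
    r"^(?:RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?/?(L)?|(DEFAULT))$"
)
# primary[/instance]@REALM; Hadoop principals carry at most these two components
_PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/([^/@]+))?@([^/@]+)$")
_NON_SIMPLE = re.compile(r"[/@]")


def parse_rules(text):
    """Parse a hadoop.security.auth_to_local value into rule tuples (None stands for DEFAULT)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable auth_to_local rule: %r" % line)
        n, fmt, match, frm, to, g, lower, default = m.groups()
        if default:
            rules.append(None)
        else:
            rules.append((int(n), fmt,
                          re.compile(match) if match is not None else None,
                          re.compile(frm) if frm is not None else None,
                          to or "", bool(g), bool(lower)))
    return rules


def _expand(fmt, realm, components):
    """$0 is the realm, $1 the primary component, $2 the instance."""
    params = [realm] + components

    def pick(m):
        i = int(m.group(1))
        if i >= len(params):
            raise NoMatchingRule("format %r references a missing component $%d" % (fmt, i))
        return params[i]

    return re.sub(r"\$(\d+)", pick, fmt)


def map_principal(principal, rules, default_realm):
    """Return the OS user name for principal, or raise NoMatchingRule."""
    m = _PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError("malformed principal: %r" % principal)
    primary, instance, realm = m.groups()
    components = [primary] if instance is None else [primary, instance]
    for rule in rules:
        if rule is None:                               # DEFAULT
            if realm == default_realm:
                return primary
            continue                                   # foreign realm: DEFAULT does not apply
        n, fmt, match, frm, to, repeat, lower = rule
        if n != len(components):                       # rule written for another component count
            continue
        base = _expand(fmt, realm, components)
        if match is not None and match.fullmatch(base) is None:
            continue
        # the sed-style substitution runs on the expanded string; Python's \1 back-references apply
        result = base if frm is None else frm.sub(to, base, count=0 if repeat else 1)
        if _NON_SIMPLE.search(result):                 # a result still containing / or @ is refused
            raise NoMatchingRule("rule produced non-simple name %r for %s" % (result, principal))
        return result.lower() if lower else result
    raise NoMatchingRule("no auth_to_local rule matched %s" % principal)


# Constructed rule set for a cluster in REALM.TLD that also admits users from PARTNER.TLD.
DEFAULT_REALM = "REALM.TLD"
RULES = parse_rules(r"""
RULE:[2:$1@$0](nn@REALM\.TLD)s/.*/hdfs/
RULE:[2:$1@$0](dn@REALM\.TLD)s/.*/hdfs/
RULE:[2:$1@$0](rm@REALM\.TLD)s/.*/yarn/
RULE:[2:$1@$0](nm@REALM\.TLD)s/.*/yarn/
RULE:[2:$1@$0](jhs@REALM\.TLD)s/.*/mapred/
RULE:[1:$1@$0](.*@PARTNER\.TLD)s/@.*//L
DEFAULT
""")


def try_map(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Like map_principal, but returns None instead of raising, for quick checks."""
    try:
        return map_principal(principal, rules, default_realm)
    except NoMatchingRule:
        return None


if __name__ == "__main__":
    for p in ("nn/nn1.example.com@REALM.TLD", "host/nn1.example.com@REALM.TLD",
              "alice@REALM.TLD", "Bob@PARTNER.TLD", "mallory@EVIL.TLD"):
        print("%-36s -> %s" % (p, try_map(p)))
```

The service rules match the realm exactly on purpose: a pattern such as nn@.*REALM\.TLD would also accept nn/host@EVIL.REALM.TLD and map it onto hdfs. The /L rule matters for directories that treat names case-insensitively, where Bob and bob are the same account but HDFS would otherwise see two different owners.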
Mapping from user to group

Though files on HDFS are associated with an owner and a group, Hadoop does not have a definition of groups by itself. Mapping from user to group is done by the OS or LDAP.

You can change the way of mapping by specifying the name of a mapping provider as the value of hadoop.security.group.mapping. See the HDFS Permissions Guide for details.

Practically you need to manage an SSO environment using Kerberos with LDAP for Hadoop in secure mode.
Proxy user

Some products such as Apache Oozie which access the services of Hadoop on behalf of end users need to be able to impersonate end users. You can configure a proxy user using the property hadoop.proxyuser.$superuser.hosts along with either or both of hadoop.proxyuser.$superuser.groups and hadoop.proxyuser.$superuser.users.

For example, by specifying as below in core-site.xml, the user named oozie accessing from any host can impersonate any user belonging to any group.

  <property>
    <name>hadoop.proxyuser.oozie.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.oozie.groups</name>
    <value>*</value>
  </property>

Note that this configuration lets oozie impersonate every user, including the HDFS superuser, from any host: whoever obtains the oozie credential gets the same reach. Prefer the narrower forms below, which limit the impersonated users and the source hosts.

The user named oozie accessing from any host can impersonate user1 and user2 by specifying as below in core-site.xml.

  <property>
    <name>hadoop.proxyuser.oozie.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.oozie.users</name>
    <value>user1,user2</value>
  </property>

The hadoop.proxyuser.$superuser.hosts property accepts a list of IP addresses, IP address ranges in CIDR format and/or host names.

For example, by specifying as below in core-site.xml, the user named oozie accessing from hosts in the range 10.222.0.0/16 and from 10.113.221.221 can impersonate any user belonging to any group.

  <property>
    <name>hadoop.proxyuser.oozie.hosts</name>
    <value>10.222.0.0/16,10.113.221.221</value>
  </property>
  <property>
    <name>hadoop.proxyuser.oozie.groups</name>
    <value>*</value>
  </property>
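As an added example (not code from this page or from Hadoop), the Python below models how the hosts, users and groups properties combine when a proxy request is checked, in the order Hadoop applies them: the impersonated user is checked first, then the source address. The two core-site.xml fragments are the wildcard form shown above and a tightened form; the addresses, the group names and the superuser hue are constructed for the example, and host-name entries are compared as strings rather than resolved through DNS, which is a simplification of what Hadoop does:

```python
import ipaddress

WILDCARD = "*"


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def load_proxyuser_rules(core_site):
    """Collect the hosts/users/groups lists per superuser from a dict of core-site.xml properties."""
    rules = {}
    prefix = "hadoop.proxyuser."
    for key, value in core_site.items():
        if not key.startswith(prefix):
            continue
        superuser, _, kind = key[len(prefix):].rpartition(".")
        if superuser and kind in ("hosts", "users", "groups"):
            rules.setdefault(superuser, {})[kind] = _csv(value)
    return rules


def _host_allowed(allowed, remote_addr, remote_host):
    """hosts entries are IP addresses, CIDR ranges, host names or '*'.
    Assumption: host names are compared as strings here; Hadoop resolves them to addresses."""
    for entry in allowed:
        if entry == WILDCARD:
            return True
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            if remote_host is not None and entry.lower() == remote_host.lower():
                return True
            continue
        if ipaddress.ip_address(remote_addr) in network:
            return True
    return False


def may_impersonate(rules, superuser, target_user, target_groups, remote_addr, remote_host=None):
    """Decide whether superuser, connecting from remote_addr, may act as target_user.
    Returns (allowed, reason); membership is checked before the source host, as in Hadoop."""
    rule = rules.get(superuser)
    if rule is None:
        return False, "no hadoop.proxyuser.%s.* properties" % superuser
    users, groups = rule.get("users", []), rule.get("groups", [])
    if not users and not groups:
        return False, "neither users nor groups configured for %s" % superuser
    user_ok = (WILDCARD in users or target_user in users
               or WILDCARD in groups or bool(set(groups) & set(target_groups)))
    if not user_ok:
        return False, "%s is not allowed to impersonate %s" % (superuser, target_user)
    if not _host_allowed(rule.get("hosts", []), remote_addr, remote_host):
        return False, "unauthorized connection for %s from %s" % (superuser, remote_addr)
    return True, "allowed"


# Constructed core-site.xml fragments: the wildcard form from the page and a tightened form.
WEAK_CORE_SITE = {
    "hadoop.proxyuser.oozie.hosts": "*",
    "hadoop.proxyuser.oozie.groups": "*",
}
TIGHT_CORE_SITE = {
    "hadoop.proxyuser.oozie.hosts": "10.222.0.0/16,10.113.221.221",
    "hadoop.proxyuser.oozie.users": "user1,user2",
}
WEAK_RULES = load_proxyuser_rules(WEAK_CORE_SITE)
TIGHT_RULES = load_proxyuser_rules(TIGHT_CORE_SITE)


def check(rules, superuser, target_user, target_groups, remote_addr):
    """Boolean convenience wrapper around may_impersonate."""
    return may_impersonate(rules, superuser, target_user, target_groups, remote_addr)[0]


if __name__ == "__main__":
    # With the wildcard configuration, oozie can become the HDFS superuser from anywhere.
    print(check(WEAK_RULES, "oozie", "hdfs", ["hadoop"], "203.0.113.9"))       # True
    # With the tightened configuration the same attempt fails on the user check ...
    print(may_impersonate(TIGHT_RULES, "oozie", "hdfs", ["hadoop"], "10.222.4.7"))
    # ... and a permitted user is still refused from an unlisted network.
    print(may_impersonate(TIGHT_RULES, "oozie", "user1", ["users"], "198.51.100.7"))
```

A hosts list on its own grants nothing: without a users or groups list the superuser cannot impersonate anyone, which is the safe failure mode when one of the two properties is forgotten.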
Secure DataNode

Because the data transfer protocol of the DataNode does not use the RPC framework of Hadoop, the DataNode must authenticate itself by using privileged ports, which are specified by dfs.datanode.address and dfs.datanode.http.address. This authentication is based on the assumption that the attacker won't be able to get root privileges, so a process listening on a port below 1024 can be trusted to have been started by the administrator. In this release the DataNode refuses to start in secure mode if either port is not privileged.

When you execute the hdfs datanode command as root, the server process binds the privileged ports first, then drops privileges and runs as the user account specified by HADOOP_SECURE_DN_USER. This startup process uses jsvc installed in JSVC_HOME. You must specify HADOOP_SECURE_DN_USER and JSVC_HOME as environment variables on startup (in hadoop-env.sh).
Data confidentiality

Data Encryption on RPC

This covers the data transferred between Hadoop services and clients. Setting hadoop.rpc.protection to "privacy" in core-site.xml activates data encryption.

Data Encryption on Block data transfer

You need to set dfs.encrypt.data.transfer to "true" in hdfs-site.xml in order to activate data encryption for the data transfer protocol of the DataNode.

Data Encryption on HTTP

Data transfer between the Web consoles and clients is protected by using SSL (HTTPS).

These three settings are independent: hadoop.rpc.protection covers only Hadoop RPC, dfs.encrypt.data.transfer only the DataNode block stream, and HTTPS only the web endpoints. The default for hadoop.rpc.protection is "authentication", which leaves RPC payloads in the clear.
Configuration

Permissions for both HDFS and local file System paths

The following table lists various paths on HDFS and local filesystems (on all nodes) and recommended permissions:

  Filesystem  Path                                         User:Group     Permissions
  local       dfs.namenode.name.dir                        hdfs:hadoop    drwx------
  local       dfs.datanode.data.dir                        hdfs:hadoop    drwx------
  local       $HADOOP_LOG_DIR                              hdfs:hadoop    drwxrwxr-x
  local       $YARN_LOG_DIR                                yarn:hadoop    drwxrwxr-x
  local       yarn.nodemanager.local-dirs                  yarn:hadoop    drwxr-xr-x
  local       yarn.nodemanager.log-dirs                    yarn:hadoop    drwxr-xr-x
  local       container-executor                           root:hadoop    --Sr-s---
  local       conf/container-executor.cfg                  root:hadoop    r--------
  hdfs        /                                            hdfs:hadoop    drwxr-xr-x
  hdfs        /tmp                                         hdfs:hadoop    drwxrwxrwxt
  hdfs        /user                                        hdfs:hadoop    drwxr-xr-x
  hdfs        yarn.nodemanager.remote-app-log-dir          yarn:hadoop    drwxrwxrwxt
  hdfs        mapreduce.jobhistory.intermediate-done-dir   mapred:hadoop  drwxrwxrwxt
  hdfs        mapreduce.jobhistory.done-dir                mapred:hadoop  drwxr-x---
Common Configurations

In order to turn on RPC authentication in Hadoop, set the value of the hadoop.security.authentication property to "kerberos", and set the security related settings listed below appropriately.

The following properties should be in the core-site.xml of all the nodes in the cluster.

Configuration for conf/core-site.xml

Parameter: hadoop.security.authentication
  Value: kerberos
  Notes: simple: No authentication (default). kerberos: Enable authentication by Kerberos.

Parameter: hadoop.security.authorization
  Value: true
  Notes: Enable RPC service level authorization.

Parameter: hadoop.rpc.protection
  Value: authentication
  Notes: authentication: authentication only (default). integrity: integrity check in addition to authentication. privacy: data encryption in addition to integrity.

Parameter: hadoop.security.auth_to_local
  Value:
    RULE:exp1
    RULE:exp2
    ...
    DEFAULT
  Notes: The value is a string containing newline characters. See the Kerberos documentation for the format of exp.

Parameter: hadoop.proxyuser.superuser.hosts
  Notes: Comma separated hosts from which superuser access is allowed for impersonation. * means wildcard.

Parameter: hadoop.proxyuser.superuser.groups
  Notes: Comma separated groups to which users impersonated by superuser belong. * means wildcard.
NameNode

Configuration for conf/hdfs-site.xml

Parameter: dfs.block.access.token.enable
  Value: true
  Notes: Enable HDFS block access tokens for secure operations.

Parameter: dfs.https.enable
  Value: true
  Notes: This value is deprecated. Use dfs.http.policy.

Parameter: dfs.http.policy
  Value: HTTP_ONLY or HTTPS_ONLY or HTTP_AND_HTTPS
  Notes: HTTPS_ONLY turns off http access. This option takes precedence over the deprecated configuration dfs.https.enable and hadoop.ssl.enabled. In secure mode prefer HTTPS_ONLY, since HTTP_AND_HTTPS still serves the web console in the clear.

Parameter: dfs.namenode.https-address
  Value: nn_host_fqdn:50470

Parameter: dfs.https.port
  Value: 50470

Parameter: dfs.namenode.keytab.file
  Value: /etc/security/keytab/nn.service.keytab
  Notes: Kerberos keytab file for the NameNode.

Parameter: dfs.namenode.kerberos.principal
  Value: nn/_HOST@REALM.TLD
  Notes: Kerberos principal name for the NameNode.

Parameter: dfs.namenode.kerberos.https.principal
  Value: host/_HOST@REALM.TLD
  Notes: HTTPS Kerberos principal name for the NameNode.

Secondary NameNode

Configuration for conf/hdfs-site.xml
Parameter: dfs.namenode.secondary.http-address
  Value: c_nn_host_fqdn:50090

Parameter: dfs.namenode.secondary.https-port
  Value: 50470

Parameter: dfs.namenode.secondary.keytab.file
  Value: /etc/security/keytab/sn.service.keytab
  Notes: Kerberos keytab file for the Secondary NameNode.

Parameter: dfs.namenode.secondary.kerberos.principal
  Value: sn/_HOST@REALM.TLD
  Notes: Kerberos principal name for the Secondary NameNode.

Parameter: dfs.namenode.secondary.kerberos.https.principal
  Value: host/_HOST@REALM.TLD
  Notes: HTTPS Kerberos principal name for the Secondary NameNode.
DataNode

Configuration for conf/hdfs-site.xml

Parameter: dfs.datanode.data.dir.perm
  Value: 700

Parameter: dfs.datanode.address
  Value: 0.0.0.0:1004
  Notes: The secure DataNode must use a privileged port in order to assure that the server was started securely. This means that the server must be started via jsvc.

Parameter: dfs.datanode.http.address
  Value: 0.0.0.0:1006
  Notes: The secure DataNode must use a privileged port in order to assure that the server was started securely. This means that the server must be started via jsvc.

Parameter: dfs.datanode.https.address
  Value: 0.0.0.0:50470

Parameter: dfs.datanode.keytab.file
  Value: /etc/security/keytab/dn.service.keytab
  Notes: Kerberos keytab file for the DataNode.

Parameter: dfs.datanode.kerberos.principal
  Value: dn/_HOST@REALM.TLD
  Notes: Kerberos principal name for the DataNode.

Parameter: dfs.datanode.kerberos.https.principal
  Value: host/_HOST@REALM.TLD
  Notes: HTTPS Kerberos principal name for the DataNode.

Parameter: dfs.encrypt.data.transfer
  Value: false
  Notes: Set to true when using data encryption.

WebHDFS

Configuration for conf/hdfs-site.xml

Parameter: dfs.webhdfs.enabled
  Value: true
  Notes: Enable WebHDFS. With security on, WebHDFS requests are authenticated with the principal and keytab below.

Parameter: dfs.web.authentication.kerberos.principal
  Value: HTTP/_HOST@REALM.TLD
  Notes: Kerberos principal name for WebHDFS. SPNEGO clients request a ticket for HTTP/<fqdn>, so the service part is the uppercase HTTP.

Parameter: dfs.web.authentication.kerberos.keytab
  Value: /etc/security/keytab/http.service.keytab
  Notes: Kerberos keytab file for WebHDFS.
ResourceManager

Configuration for conf/yarn-site.xml

Parameter: yarn.resourcemanager.keytab
  Value: /etc/security/keytab/rm.service.keytab
  Notes: Kerberos keytab file for the ResourceManager.

Parameter: yarn.resourcemanager.principal
  Value: rm/_HOST@REALM.TLD
  Notes: Kerberos principal name for the ResourceManager.

NodeManager

Configuration for conf/yarn-site.xml

Parameter: yarn.nodemanager.keytab
  Value: /etc/security/keytab/nm.service.keytab
  Notes: Kerberos keytab file for the NodeManager.

Parameter: yarn.nodemanager.principal
  Value: nm/_HOST@REALM.TLD
  Notes: Kerberos principal name for the NodeManager.

Parameter: yarn.nodemanager.container-executor.class
  Value: org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor
  Notes: Use LinuxContainerExecutor.
Parameter: yarn.nodemanager.linux-container-executor.group
  Value: hadoop
  Notes: Unix group of the NodeManager.

Parameter: yarn.nodemanager.linux-container-executor.path
  Value: /path/to/bin/container-executor
  Notes: The path to the executable of the Linux container executor.

Configuration for WebAppProxy

The WebAppProxy provides a proxy between the web applications exported by an application and an end user. If security is enabled it will warn users before accessing a potentially unsafe web application. Authentication and authorization using the proxy is handled just like any other privileged web application.

Configuration for conf/yarn-site.xml

Parameter: yarn.web-proxy.address
  Value: WebAppProxy host:port for the proxy to AM web apps.
  Notes: host:port. If this is the same as yarn.resourcemanager.webapp.address or it is not defined, then the ResourceManager will run the proxy; otherwise a standalone proxy server will need to be launched.

Parameter: yarn.web-proxy.keytab
  Value: /etc/security/keytab/web-app.service.keytab
  Notes: Kerberos keytab file for the WebAppProxy.

Parameter: yarn.web-proxy.principal
  Value: wap/_HOST@REALM.TLD
  Notes: Kerberos principal name for the WebAppProxy.
LinuxContainerExecutor

A ContainerExecutor is used by the YARN framework to define how any container is launched and controlled.

The following are available in Hadoop YARN:

ContainerExecutor: DefaultContainerExecutor
  Description: The default executor which YARN uses to manage container execution. The container process has the same Unix user as the NodeManager.

ContainerExecutor: LinuxContainerExecutor
  Description: Supported only on GNU/Linux, this executor runs the containers as either the YARN user who submitted the application (when full security is enabled) or as a dedicated user (defaults to nobody) when full security is not enabled. When full security is enabled, this executor requires all user accounts to be created on the cluster nodes where the containers are launched. It uses a setuid executable that is included in the Hadoop distribution. The NodeManager uses this executable to launch and kill containers. The setuid executable switches to the user who has submitted the application and launches or kills the containers. For maximum security, this executor sets up restricted permissions and user/group ownership of the local files and directories used by the containers such as the shared objects, jars, intermediate files, log files etc. Particularly note that, because of this, except for the application owner and the NodeManager, no other user can access any of the local files/directories including those localized as part of the distributed cache.

To build the LinuxContainerExecutor executable run:

  $ mvn package -Dcontainer-executor.conf.dir=/etc/hadoop/

The path passed in -Dcontainer-executor.conf.dir should be the path on the cluster nodes where a configuration file for the setuid executable should be located. The executable should be installed in $HADOOP_YARN_HOME/bin.

The executable must have specific permissions: 6050 or --Sr-s--- permissions, user-owned by root (super-user) and group-owned by a special group (e.g. hadoop) of which the NodeManager Unix user is a member and no ordinary application user is. If any application user belongs to this special group, security will be compromised. This special group name should be specified for the configuration property yarn.nodemanager.linux-container-executor.group in both conf/yarn-site.xml and conf/container-executor.cfg.

For example, let's say that the NodeManager is run as user yarn who is part of the groups users and hadoop, either of them being the primary group. Let it also be that users has both yarn and another user (an application submitter) alice as its members, and alice does not belong to hadoop. Going by the above description, the setuid/setgid executable should be set 6050 or --Sr-s--- with user-owner root and group-owner hadoop, which has yarn as its member (and not users, which has alice as a member besides yarn).

The LinuxContainerExecutor requires that the paths including and leading up to the directories specified in yarn.nodemanager.local-dirs and yarn.nodemanager.log-dirs be set to 755 permissions as described above in the table on permissions on directories.
conf/container-executor.cfg

The executable requires a configuration file called container-executor.cfg to be present in the configuration directory passed to the mvn target mentioned above.

The configuration file must be owned by root, as in the permissions table above (the executable rejects a configuration file that root does not own; the NodeManager user only needs to run the setuid binary, not to edit its policy), group-owned by anyone, and should have the permissions 0400 or r--------.

The executable requires the following configuration items to be present in the conf/container-executor.cfg file. The items should be given as simple key=value pairs, one per line:

Configuration for conf/container-executor.cfg

Parameter: yarn.nodemanager.linux-container-executor.group
  Value: hadoop
  Notes: Unix group of the NodeManager. The group owner of the container-executor binary should be this group. Should be the same as the value with which the NodeManager is configured. This configuration is required for validating the secure access of the container-executor binary.

Parameter: banned.users
  Value: hdfs,yarn,mapred,bin
  Notes: Banned users.

Parameter: allowed.system.users
  Value: foo,bar
  Notes: Allowed system users.

Parameter: min.user.id
  Value: 1000
  Notes: Prevent other super-users.
To recap, here are the local file system permissions required for the various paths related to the LinuxContainerExecutor:

  Filesystem  Path                          User:Group    Permissions
  local       container-executor            root:hadoop   --Sr-s---
  local       conf/container-executor.cfg   root:hadoop   r--------
  local       yarn.nodemanager.local-dirs   yarn:hadoop   drwxr-xr-x
  local       yarn.nodemanager.log-dirs     yarn:hadoop   drwxr-xr-x
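The following is an added audit script, not part of this page or of Hadoop (in particular it is not the check the container-executor binary performs on itself), that verifies the invariants stated in this section: the binary is a root-owned, setuid/setgid 6050 regular file group-owned by the special group; the cfg is root-owned with mode 0400; the group named in the cfg matches yarn-site.xml; the NodeManager user is in the special group while no user who could submit applications is; the recommended banned.users are all present; and min.user.id is not below 1000. The sample cfg, the group memberships and the stat values are constructed for the example; audit_paths runs the two stat-based checks on real files:

```python
import os
import stat

GROUP_KEY = "yarn.nodemanager.linux-container-executor.group"
REQUIRED_BANNED = {"hdfs", "yarn", "mapred", "bin"}     # the page's recommended banned.users


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_executor(st_mode, st_uid, st_gid, special_gid):
    """container-executor: regular file, owned by root, group-owned by the special group, mode 6050."""
    findings = []
    if not stat.S_ISREG(st_mode):
        findings.append("container-executor is not a regular file")
    if st_uid != 0:
        findings.append("container-executor must be owned by root, found uid %d" % st_uid)
    if st_gid != special_gid:
        findings.append("container-executor must be group-owned by gid %d, found gid %d" % (special_gid, st_gid))
    mode = stat.S_IMODE(st_mode)
    if mode != 0o6050:
        findings.append("container-executor mode must be 6050 (--Sr-s---), found %04o" % mode)
    return findings


def audit_cfg_file(st_mode, st_uid):
    """container-executor.cfg: owned by root, mode 0400 (r--------)."""
    findings = []
    if st_uid != 0:
        findings.append("container-executor.cfg must be owned by root, found uid %d" % st_uid)
    mode = stat.S_IMODE(st_mode)
    if mode != 0o400:
        findings.append("container-executor.cfg mode must be 0400 (r--------), found %04o" % mode)
    return findings


def parse_cfg(text):
    """key=value per line; blank lines and lines starting with '#' are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed container-executor.cfg line: %r" % line)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_cfg(cfg, yarn_site_group, nm_user, group_members):
    """Cross-check the cfg against yarn-site.xml and the members of the special group.
    group_members is supplied by the caller (constructed below; grp.getgrnam(...).gr_mem on a real node)."""
    findings = []
    if cfg.get(GROUP_KEY) != yarn_site_group:
        findings.append("%s is %r in container-executor.cfg but %r in yarn-site.xml"
                        % (GROUP_KEY, cfg.get(GROUP_KEY), yarn_site_group))
    banned = set(_csv(cfg.get("banned.users", "")))
    missing = sorted(REQUIRED_BANNED - banned)
    if missing:
        findings.append("banned.users is missing: %s" % ", ".join(missing))
    if nm_user not in group_members:
        findings.append("NodeManager user %s is not in group %s" % (nm_user, yarn_site_group))
    # A member who is not banned can submit applications and run the setuid binary directly,
    # which the page says compromises security.
    exposed = sorted(set(group_members) - {nm_user} - banned)
    if exposed:
        findings.append("application users in group %s: %s" % (yarn_site_group, ", ".join(exposed)))
    try:
        if int(cfg.get("min.user.id", "0")) < 1000:
            findings.append("min.user.id below 1000 lets containers run as system accounts")
    except ValueError:
        findings.append("min.user.id is not an integer")
    return findings


def audit_paths(executor_path, cfg_path, special_gid):
    """Run the stat-based checks on real files (the two paths are the caller's assumption)."""
    est, cst = os.stat(executor_path), os.stat(cfg_path)
    return (audit_executor(est.st_mode, est.st_uid, est.st_gid, special_gid)
            + audit_cfg_file(cst.st_mode, cst.st_uid))


# Constructed sample matching the page's example (NodeManager runs as yarn, special group hadoop).
SAMPLE_CFG = """\
yarn.nodemanager.linux-container-executor.group=hadoop
banned.users=hdfs,yarn,mapred,bin
allowed.system.users=foo,bar
min.user.id=1000
"""

if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    print(audit_cfg(cfg, "hadoop", "yarn", ["hdfs", "yarn", "mapred"]))            # []
    print(audit_cfg(cfg, "hadoop", "yarn", ["hdfs", "yarn", "mapred", "alice"]))   # alice is exposed
    print(audit_executor(0o106055, 0, 1001, 1001))                                 # executable by others
```

Daemon accounts such as hdfs and mapred share the hadoop group in the page's layout; the script tolerates them only because they are in banned.users, which is why a typo in that list (the page's own hfds) is reported as both a missing banned user and an exposed group member.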
MapReduce JobHistory Server

Configuration for conf/mapred-site.xml

Parameter: mapreduce.jobhistory.address
  Value: MapReduce JobHistory Server host:port
  Notes: Default port is 10020.

Parameter: mapreduce.jobhistory.keytab
  Value: /etc/security/keytab/jhs.service.keytab
  Notes: Kerberos keytab file for the MapReduce JobHistory Server.

Parameter: mapreduce.jobhistory.principal
  Value: jhs/_HOST@REALM.TLD
  Notes: Kerberos principal name for the MapReduce JobHistory Server.