Goals:
- Set up FreeIPA as the central store of POSIX data (users and groups), served to the cluster hosts through SSSD
- Create end users and groups in its directory
- Enable Kerberos for the HDP cluster, using the FreeIPA server's KDC to store the Hadoop principals
Pre-requisites:
- Ambari 2.1
- Deploy HDP 2.3 using Ambari
Steps:
3. Install FreeIPA using Ambari
4. (optional) Create example users
Further reading on setting up Kerberos on Hadoop
0- Create /etc/hosts entry
# you may need to replace eth0 below with the interface that carries the cluster IP
host=$(hostname -f)
eth="eth0"
ip=$(/sbin/ip -o -4 addr list "${eth}" | awk '{print $4}' | cut -d/ -f1)
echo "${ip} ${host} $(hostname) sandbox.hortonworks.com" | sudo tee -a /etc/hosts
1- Install Ambari 2.1
- For CentOS 7 you can use the below:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
## el7 defaults to MariaDB so we need the community release of MySQL
sudo rpm -Uvh http://dev.mysql.com/get/mysql-community-release-el7-5.noarch.rpm
## use ambari-bootstrap to install Ambari
sudo yum -y install git python-argparse
git clone -b centos-7 https://github.com/seanorama/ambari-bootstrap
cd ambari-bootstrap
sudo install_ambari_server=true install_ambari-agent=true ./ambari-bootstrap.sh
sudo ambari-server restart
- For CentOS 6.x you can use the below:
## use ambari-bootstrap to install Ambari
sudo yum -y install git python-argparse
git clone https://github.com/seanorama/ambari-bootstrap
cd ambari-bootstrap
sudo install_ambari_server=true install_ambari-agent=true ./ambari-bootstrap.sh
2- Deploy HDP 2.3
- Deploy manually from http://YOURHOST:8080
- choose to register the hosts manually, since the Ambari Agent is already registered
- Or use a Blueprint
export ambari_services="AMBARI_METRICS KNOX YARN ZOOKEEPER TEZ PIG SLIDER MAPREDUCE2 HIVE HDFS HBASE"
bash ./deploy/deploy-recommended-cluster.bash
3- Set up FreeIPA on a separate CentOS host by configuring and running the sample scripts.
yum install -y git
cd ~
git clone https://github.com/abajwa-hw/security-workshops
# configure/run the script that installs and starts the IPA server
~/security-workshops/scripts/run_setupFreeIPA.sh
# (optional) configure/run the script that imports groups/users and their Kerberos principals
~/security-workshops/scripts/run_FreeIPA_importusers.sh
More details/video can be found here
4- Ensure the IPA and sandbox VMs are reachable from each other by:
- adding an entry for ldap.hortonworks.com on the sandbox VM
- adding an entry for sandbox.hortonworks.com on the IPA VM
vi /etc/hosts
- Ensure the IPA client was set up correctly on HDP by checking that the LDAP users are recognized by the OS.
id paul # or some other user contained in your LDAP
groups paul # or some other user contained in your LDAP
- If you are not using the prebuilt VMs, where this was already set up, install the client using the below (replace the values with your own). On a multinode setup, run this on all nodes. If you are following this guide, enter the following when prompted: yes > yes > hortonworks
yum install ipa-client openldap-clients -y
ipa-client-install --domain=hortonworks.com --server=ldap.hortonworks.com --mkhomedir --ntp-server=north-america.pool.ntp.org -p [email protected] -W
- Now re-try the id/groups commands above; they should work.
Unless specified otherwise, the below steps are to be run on the HDP node.
In Ambari, start the security wizard by clicking Admin -> Kerberos and then Enable Kerberos. Select the "Manage Kerberos principals and keytabs manually" option.
Remove the cluster name from the smoke/hdfs principals, i.e. remove the -${cluster_name} references so that they look like the below:
- Smoke user principal: ${cluster-env/smokeuser}@${realm}
- HDFS user principal: ${hadoop-env/hdfs_user}@${realm}
- HBase user principal: ${hbase-env/hbase_user}@${realm}
Paste the CSV contents into a file on both the IPA host and the HDP node, making sure to remove empty lines at the end.
vi kerberos.csv
- If you are deploying Storm, the storm user may be missing from the storm USER row. If you see something like the below:
storm@HORTONWORKS.COM,USER,,/etc
replace the ,, with ,storm, so that the row reads:
storm@HORTONWORKS.COM,USER,storm,/etc
- On the IPA node, create the principals from the CSV file
## authenticate
kinit admin
## column 3 is the principal name, column 5 is the local user name
awk -F"," '/SERVICE/ {print "ipa service-add --force "$3}' kerberos.csv | sort -u > ipa-add-spn.sh
awk -F"," '/USER/ {print "ipa user-add "$5" --first="$5" --last=Hadoop --shell=/sbin/nologin"}' kerberos.csv > ipa-add-upn.sh
sh ipa-add-spn.sh
sh ipa-add-upn.sh
- On the HDP node, authenticate and create the keytabs
## authenticate
sudo kinit admin
ipa_server=$(awk '/^server =/ {print $3}' /etc/ipa/default.conf)
sudo mkdir /etc/security/keytabs/
sudo chown root:hadoop /etc/security/keytabs/
## for every row of this host: fetch the keytab (column 6) and apply the owner, group and mode the CSV specifies
awk -F"," '/'$(hostname -f)'/ {print "ipa-getkeytab -s '${ipa_server}' -p "$3" -k "$6";chown "$7":"$9,$6";chmod "$11,$6}' kerberos.csv | sort -u > gen_keytabs.sh
sudo bash ./gen_keytabs.sh
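The awk one-liners in the two steps above are easy to get subtly wrong (an empty local-user column, as in the Storm note, yields an `ipa user-add` with no name), so here is an added example, not part of the original guide, that produces the same ipa and ipa-getkeytab commands as a reviewable dry run from a constructed kerberos.csv and fills a missing local user from the principal's primary. The sample CSV, hostnames, realm, paths and the Ambari column layout are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: a dry-run generator for the
# kerberos.csv exported by the Ambari wizard. It prints the ipa/ipa-getkeytab
# commands instead of running them so they can be reviewed before the KDC is touched.
# Assumed (Ambari) column layout: host,description,principal,type,local user,
# keytab path,owner,owner access,group,group access,mode,installed

# Constructed sample CSV; hostnames, realm and paths are assumptions.
KRB_CSV=$(cat <<'EOF'
host,description,principal name,principal type,local username,keytab file path,keytab file owner,keytab file owner access,keytab file group,keytab file group access,keytab file mode,keytab file installed
sandbox.hortonworks.com,NameNode,nn/sandbox.hortonworks.com@HORTONWORKS.COM,SERVICE,hdfs,/etc/security/keytabs/nn.service.keytab,hdfs,r,hadoop,,440,false
sandbox.hortonworks.com,smoke user,ambari-qa@HORTONWORKS.COM,USER,ambari-qa,/etc/security/keytabs/smokeuser.headless.keytab,ambari-qa,r,hadoop,r,440,false
sandbox.hortonworks.com,storm,storm@HORTONWORKS.COM,USER,,/etc/security/keytabs/storm.headless.keytab,storm,r,hadoop,,440,false
EOF
)

# Fill an empty "local username" (column 5) from the principal's primary,
# which is the Storm case the guide warns about, and drop blank lines.
normalize_csv() {
  printf '%s\n' "$1" | awk -F',' -v OFS=',' \
    'NF && NR > 1 { if ($5 == "") { split($3, p, "@"); $5 = p[1] } print }'
}

# Commands for the IPA node: one service-add per SPN, one user-add per UPN.
ipa_commands() {
  normalize_csv "$1" | awk -F',' '
    $4 == "SERVICE" { print "ipa service-add --force " $3 }
    $4 == "USER"    { print "ipa user-add " $5 " --first=" $5 " --last=Hadoop --shell=/sbin/nologin" }' | sort -u
}

# Commands for one HDP host: fetch each keytab, then set owner/group/mode
# exactly as the CSV says, so one service cannot read another's keytab.
keytab_commands() {  # $1 = csv, $2 = this host's FQDN, $3 = IPA server
  normalize_csv "$1" | awk -F',' -v host="$2" -v srv="$3" '
    $1 == host { printf "ipa-getkeytab -s %s -p %s -k %s && chown %s:%s %s && chmod %s %s\n",
                        srv, $3, $6, $7, $9, $6, $11, $6 }' | sort -u
}

# Review the output before running it on the respective hosts.
ipa_commands "$KRB_CSV"
keytab_commands "$KRB_CSV" sandbox.hortonworks.com ldap.hortonworks.com
```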
- Verify that kinit works with each keytab before proceeding (it should not give errors)
sudo -u hdfs kinit -kt /etc/security/keytabs/nn.service.keytab nn/$(hostname -f)@HORTONWORKS.COM
sudo -u ambari-qa kinit -kt /etc/security/keytabs/smokeuser.headless.keytab ambari-qa@HORTONWORKS.COM
sudo -u hdfs kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs@HORTONWORKS.COM
- Try to run commands without authenticating to Kerberos; they should now be rejected:
$ hadoop fs -ls /
15/07/15 14:32:05 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
$ curl -u someuser -skL "http://$(hostname -f):50070/webhdfs/v1/user/?op=LISTSTATUS"
<title>Error 401 Authentication required</title>
- Get a token
## for the current user
sudo su - gooduser
kinit
## for any other user
kinit someuser
- Use the cluster
* Hadoop commands
$ hadoop fs -ls /
Found 8 items
[...]
* WebHDFS
curl -skL --negotiate -u : "http://$(hostname -f):50070/webhdfs/v1/user/?op=LISTSTATUS"
* Hive *(using Beeline or another Hive JDBC client)*
* Hive in binary mode *(the default)*
beeline -u "jdbc:hive2://localhost:10000/default;principal=hive/$(hostname -f)@HORTONWORKS.COM"
* Hive in HTTP mode
beeline -u "jdbc:hive2://localhost:10001/default;transportMode=http;httpPath=cliservice;principal=HTTP/$(hostname -f)@HORTONWORKS.COM"