access HDFS, since TGTs last for 10 hours by default (and can be renewed for up to a week). It's common to automate authentication at operating system login time, thereby providing single sign-on to Hadoop.
In cases where you don't want to be prompted for a password (for running an unattended MapReduce job, for example), you can create a Kerberos keytab file using the ktutil command. A keytab stores a principal's long-term key (derived from its password) rather than the password itself, but it is just as sensitive: anyone who can read the file can authenticate as that principal, so keep it owned by the account that uses it and readable by no one else (mode 0600). A keytab is supplied to kinit with the -k and -t options, as in kinit -k -t /path/to/service.keytab principal, which obtains a TGT without any interactive prompt.
An example
Let's look at an example of the process in action. The first step is to enable Kerberos authentication by setting the hadoop.security.authentication property in core-
backward-compatible (but insecure) behavior of using the operating system username to determine identity should be employed.
We also need to enable service-level authorization by setting hadoop.security.authorization to true in the same file. You may configure access control lists (ACLs) in the hadoop-policy.xml configuration file to control which users and groups have permission to connect to each Hadoop service. Services are defined at the protocol level, so there are ones for MapReduce job submission, namenode communication, and so on. By default, all ACLs are set to *, which means that all users have permission to access each service; however, on a real cluster you should lock the ACLs down to only those users and groups that should have access.
The format for an ACL is a comma-separated list of usernames, followed by whitespace, followed by a comma-separated list of group names. For example, the ACL preston,howard directors,inventors would authorize access to users named preston or howard, or in groups directors or inventors.
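To make the ACL format and the hadoop-policy.xml settings concrete, here is an added example (not code from the book, and not Hadoop's own AccessControlList class) that reads the security.*.acl properties out of a constructed hadoop-policy.xml fragment and evaluates the "users groups" format described above, including the wide-open * default and a groups-only ACL written with a leading space. The property names security.client.protocol.acl and security.datanode.protocol.acl are real hadoop-policy.xml keys; the XML fragment, the user names and the group names are made up for the example, and the matching rules re-implement the format as the text describes it.

```python
import xml.etree.ElementTree as ET

# Constructed hadoop-policy.xml fragment (not from a real cluster): the HDFS
# client protocol has been locked down to two users and two groups, while the
# datanode protocol is still on the wide-open default "*".
HADOOP_POLICY_XML = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>security.client.protocol.acl</name>
    <value>preston,howard directors,inventors</value>
  </property>
  <property>
    <name>security.datanode.protocol.acl</name>
    <value>*</value>
  </property>
</configuration>
"""


def parse_acl(acl):
    """Split a Hadoop-style ACL string into (users, groups, everyone).

    "*" means every user is allowed. Otherwise the string is a comma-separated
    list of users, then whitespace, then a comma-separated list of groups. The
    user list may be empty (a leading space gives a groups-only ACL), and an
    ACL with neither users nor groups allows nobody.
    """
    if acl.strip() == "*":
        return set(), set(), True
    users_part, _, groups_part = acl.partition(" ")
    users = {u.strip() for u in users_part.split(",") if u.strip()}
    groups = {g.strip() for g in groups_part.split(",") if g.strip()}
    return users, groups, False


def is_allowed(acl, user, user_groups):
    """True if `user`, a member of each group in `user_groups`, passes the ACL."""
    users, groups, everyone = parse_acl(acl)
    return everyone or user in users or any(g in groups for g in user_groups)


def load_policy(xml_text):
    """Map every security.*.acl property in a hadoop-policy.xml document to its value."""
    root = ET.fromstring(xml_text)
    policy = {}
    for prop in root.findall("property"):
        name = (prop.findtext("name") or "").strip()
        value = prop.findtext("value") or ""
        if name.startswith("security.") and name.endswith(".acl"):
            policy[name] = value
    return policy


def wide_open_services(policy):
    """Names of services still on the default '*' ACL, i.e. reachable by any user."""
    return sorted(name for name, acl in policy.items() if acl.strip() == "*")


def check_access(xml_text, service, user, user_groups):
    """Evaluate one service's ACL from a hadoop-policy.xml document for a user."""
    return is_allowed(load_policy(xml_text)[service], user, user_groups)


if __name__ == "__main__":
    policy = load_policy(HADOOP_POLICY_XML)
    for name in wide_open_services(policy):
        print(f"WARNING: {name} is open to all users")
    for user, groups in [("preston", []), ("alice", ["inventors"]), ("mallory", ["staff"])]:
        verdict = check_access(HADOOP_POLICY_XML, "security.client.protocol.acl", user, groups)
        print(f"{user:8} groups={groups!r:24} client protocol -> {'allowed' if verdict else 'denied'}")
```

Running the script warns about the datanode protocol still being on * and shows that preston and a member of inventors reach the namenode's client protocol while mallory does not; the same audit over a real hadoop-policy.xml is a quick way to find services that were never locked down.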
With Kerberos authentication turned on, let's see what happens when we try to copy a local file to HDFS:
% hadoop fs -put quangle.txt .
10/07/03 15:44:58 WARN ipc.Client: Exception encountered while connecting to the
server: javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)]
Bad connection to FS. command aborted. exception: Call to localhost/