access HDFS, since TGTs last for 10 hours by default (and can be renewed for up to a
week). It's common to automate authentication at operating system login time, thereby
providing single sign-on to Hadoop.
In cases where you don't want to be prompted for a password (for running an unattended
MapReduce job, for example), you can create a Kerberos keytab file using the ktutil
command. A keytab is a file that stores passwords and may be supplied to kinit with
the -t option.
An example
Let's look at an example of the process in action. The first step is to enable Kerberos
authentication by setting the hadoop.security.authentication property in
core-site.xml to kerberos. [74] The default setting is simple, which signifies that the old
backward-compatible (but insecure) behavior of using the operating system username to
determine identity should be employed.
We also need to enable service-level authorization by setting
hadoop.security.authorization to true in the same file. You may configure access
control lists (ACLs) in the hadoop-policy.xml configuration file to control which
users and groups have permission to connect to each Hadoop service. Services are defined
at the protocol level, so there are ones for MapReduce job submission, namenode
communication, and so on. By default, all ACLs are set to *, which means that all users have
permission to access each service; however, on a real cluster you should lock the ACLs down
to only those users and groups that should have access.
The format for an ACL is a comma-separated list of usernames, followed by whitespace,
followed by a comma-separated list of group names. For example, the ACL
preston,howard directors,inventors would authorize access to users named
preston or howard, or in groups directors or inventors.
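The following is an added example, not code from the original text or from Hadoop: a small audit script that parses a hadoop-policy.xml in the ACL format just described and reports every service ACL still left at the default *. The policy file contents, the group name hadoopadmins, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a hadoop-policy.xml (not taken from a real cluster).
SAMPLE_POLICY = """<configuration>
  <property>
    <name>security.client.protocol.acl</name>
    <value>preston,howard directors,inventors</value>
  </property>
  <property>
    <name>security.datanode.protocol.acl</name>
    <value>*</value>
  </property>
  <property>
    <name>security.refresh.policy.protocol.acl</name>
    <value> hadoopadmins</value>
  </property>
</configuration>"""

def parse_acl(value):
    """Return (wildcard, users, groups) for one ACL string."""
    if value.strip() == "*":
        return True, set(), set()
    # Users come before the first blank, groups after it, so a value that
    # starts with a blank names groups only; an empty value admits nobody.
    users_part, _, groups_part = value.partition(" ")
    users = {u.strip() for u in users_part.split(",") if u.strip()}
    groups = {g.strip() for g in groups_part.split(",") if g.strip()}
    return False, users, groups

def audit_policy(xml_text):
    """Parse every *.acl property and list the ones open to all users."""
    parsed, open_acls = {}, []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name", "").strip()
        if not name.endswith(".acl"):
            continue
        parsed[name] = parse_acl(prop.findtext("value", ""))
        if parsed[name][0]:
            open_acls.append(name)
    return parsed, open_acls

def is_authorized(acl, user, user_groups):
    """True if the user, or any of the user's groups, is admitted by the ACL."""
    wildcard, users, groups = acl
    return wildcard or user in users or bool(groups & set(user_groups))

if __name__ == "__main__":
    for name in audit_policy(SAMPLE_POLICY)[1]:
        print("open to all users:", name)
```
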
With Kerberos authentication turned on, let's see what happens when we try to copy a
local file to HDFS:
% hadoop fs -put quangle.txt .
10/07/03 15:44:58 WARN ipc.Client: Exception encountered while
connecting to the
server: javax.security.sasl.SaslException: GSS initiate failed
[Caused by
GSSException: No valid credentials provided (Mechanism level: Failed
to find
any Kerberos tgt)]
Bad connection to FS. command aborted. exception: Call to localhost/