Wire-level security encrypts data transmission between the nodes in your cluster.
Enabling Wire-Level Security
When you set up a cluster, run the configure.sh script on each node that you want to add to the cluster. To enable security for the cluster, follow these steps in order:
- If the cluster is running, shut it down.
- Run the configure.sh script with the -secure -genkeys options on the first CLDB node in your cluster.
<CLDB_node_list> have the form
This command generates four files in the
- Copy the cldb.key file to any node that has the CLDB or Zookeeper service installed.
- Copy the ssl_truststore files to the /opt/mapr/conf directory of every node in the cluster.
Verify that the files from the previous step are owned by the user that runs cluster services. This user is mapr by default. Also, the ssl_keystore files must have their UNIX permission-mode bits set to 600, and the ssl_truststore file must be readable to all users.
- Run configure.sh -secure on each existing node in the cluster. The -secure option indicates that the node is secure.
- Copy the ssl_truststore file to any client nodes outside the cluster.
- Log in as the mapr superuser using the maprlogin command: maprlogin password (in this command, password is literal text)
- Run the hadoop mfs -setnetworkencryption on <object> command for every table, file, and directory object in MapR-FS whose traffic you wish to encrypt.
- If clients will connect to multiple secure clusters, merge the ssl_truststore files with the /opt/mapr/server/manageSSLKeys.sh tool. See Setting Up the Client for more information on MapR clients.
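As an added example, not taken from the MapR documentation or its tooling, the following POSIX shell function encodes the verification step above (files owned by the cluster-services user, ssl_keystore at mode 600, ssl_truststore readable by all users). It assumes the files sit in /opt/mapr/conf unless another directory is passed, and that the owner is mapr unless another user is passed.

```shell
# Added example, not part of MapR's documentation or tooling: check that the
# key files copied to a node meet the stated requirements. Required on every
# node: ssl_keystore (mode 600) and ssl_truststore (readable by all users);
# cldb.key is checked only if present (it is copied to CLDB/ZooKeeper nodes).
# All of them must be owned by the user that runs cluster services.
# Usage: check_ssl_files [conf_dir] [owner]   (defaults: /opt/mapr/conf, mapr)

file_mode_owner() {
    # Print "<octal mode> <owner>"; GNU stat first, BSD stat as a fallback.
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

check_ssl_files() {
    conf_dir=${1:-/opt/mapr/conf}
    owner=${2:-mapr}
    rc=0
    for f in cldb.key ssl_keystore ssl_truststore; do
        path="$conf_dir/$f"
        if [ ! -e "$path" ]; then
            if [ "$f" = cldb.key ]; then
                continue   # only present on CLDB and ZooKeeper nodes
            fi
            echo "FAIL: $path is missing"; rc=1; continue
        fi
        set -- $(file_mode_owner "$path")
        mode=$1; actual=$2
        if [ "$actual" != "$owner" ]; then
            echo "FAIL: $path owned by $actual, expected $owner"; rc=1
        fi
        case $f in
            ssl_keystore)
                # must be exactly 600: no group/other access to the private key
                if [ "$mode" != 600 ]; then
                    echo "FAIL: $path mode $mode, expected 600"; rc=1
                fi ;;
            ssl_truststore)
                # the "other" read bit (4) must be set so every user can read it
                if [ $(( mode % 10 & 4 )) -ne 4 ]; then
                    echo "FAIL: $path mode $mode, must be readable by all users"; rc=1
                fi ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: key files in $conf_dir pass all checks"
    return "$rc"
}

if [ $# -gt 0 ]; then
    check_ssl_files "$@"
fi
```

Run it on each node after copying the files, for example as `sh check_ssl_files.sh /opt/mapr/conf mapr`; a non-zero exit status means at least one requirement is not met.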
Generating Certificates After Initial Installation
When you run the configure.sh script at initial installation but do not specify the -genkeys option, the script generates an ssl_keystore file for use by the web server for the MapR Control System. When the configure.sh script is run with the -genkeys option after initial installation, the system detects the existing ssl_keystore file and exits with an error to prevent inadvertent deletion or reuse of the ssl_keystore file. The error message will look similar to the following example:
/opt/mapr/server/configure.sh -secure -genkeys -C $CLDB_GRP -Z $ZK_GRP -RM $RM -HS $HISTORYSERVER
<hostname1>: Configuring Hadoop-2.x at /opt/mapr/hadoop/hadoop-2.x
<hostname1>: Done configuring Hadoop
<hostname1>: CLDB node list: <hostname1>:7222,<hostname2>:7222,<hostname3>:7222
<hostname1>: Zookeeper node list: <hostname1>:5181,<hostname2>:5181,<hostname3>:5181
<hostname1>: Node setup configuration: cldb fileserver historyserver nfs nodemanager resourcemanager webserver zookeeper
<hostname1>: Log can be found at: /opt/mapr/logs/configure.log
<hostname1>: /opt/mapr/conf/ssl_keystore already exists
<hostname1>: ERROR: could not generate ssl keys. See log file for more details
clush: <hostname1>: exited with exit code 1
On clusters without security features enabled, the contents of the ssl_keystore file are unique to each node. In this case, manually delete the ssl_keystore file on each node, then run the command
On clusters where you have customized the contents of the ssl_keystore file, run the command configure.sh -genkeys -nocerts to preserve your customizations.
For general information on security tickets and certificates, see Tickets and Certificates.
System Behavior Changes After Enabling Security
After enabling security features for your cluster, the following behaviors change:
- Users must authenticate with the
Components that have web UIs, such as the MapR Control System (MCS), Hive, and Oozie, require authentication.
- Several components that communicate over HTTP use HTTPS instead.
- Encryption is used for significant network traffic. Not all network traffic can be encrypted. Transmissions between ZooKeeper nodes are not encrypted.
- Access to a cluster using URIs that use the CLDB node's name or IP address, instead of the cluster name, is no longer supported, as in the following examples.
The following URIs no longer work after enabling security:
The following URIs work after enabling security:
http:///f1 <access f1 in default cluster>
In addition, several open source components require further configuration.
Disabling Wire-Level Security
To disable security features for your cluster:
- If the cluster is running, shut it down.
- Run the configure.sh script with the -unsecure option and specify the CLDB and ZooKeeper nodes.
- Start the cluster.
mapr-clusters.conf, the cluster is changed from