This is documentation for MapR Version 5.0. You can also refer to MapR documentation for the latest release.

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Verify that the hadoop.rpc.protection configuration parameter is set to the same value on the MapR and HDFS clusters. This parameter takes one of three values: authentication, integrity, or privacy. The default value for a MapR cluster with security features enabled is privacy. Configure this value in the $HADOOP_HOME/conf/core-site.xml. After changing this value, you must restart Hadoop services on the node where you changed the configuration.

  2. On each node in your MapR cluster that runs the JobTracker or JobClient, create the file $HADOOP_HOME/conf/hdfs-site.xml with the following properties:

    Code Block
    languagetext
    <property>
     <name>hadoop.security.authentication</name>
     <value>kerberos</value>
    </property>
    <property>
     <name>hadoop.security.authorization</name>
     <value>true</value>
    </property>
    <property>
     <name>dfs.namenode.kerberos.principal</name>
     <!-- Name Node principal in HDFS cluster -->
     <value>hdfs/_HOST@<KERBEROS_REALM></value>
    </property>
    <property>
     <name>dfs.web.authentication.kerberos.principal</name>
     <value>HTTP/_HOST@<KERBEROS_REALM></value>
    </property>
  3. For each JobTracker node in the MapR cluster:

    1. Create the  mapr/<FQDN_OF_JOBTRACKER>@<KERBEROS_REALM> Kerberos principal in the same KDC as the one used by HDFS cluster. Note that the username for the principal must be mapr .

    2. Generate a keytab file for this principal, such as mapr.keytab, copy the keytab to the /opt/mapr/conf/ directory on the Job Tracker node, and set the keytab file's ownership to mapr:mapr and the permission mode bits to 600. 

    3. Add the following configuration parameters to the $HADOOP_HOME/conf/mapred-site.xml file:

      Code Block
      languagetext
      <property>
       <!-- Job Tracker principal in MapR cluster -->
          <name>mapreduce.jobtracker.kerberos.principal</name>
          <value>mapr/_HOST@<KERBEROS_REALM></value>
      </property>
      <property>
        <name>mapreduce.jobtracker.keytab.file</name>
        <value>/opt/mapr/hadoop/hadoop-0.20.2/conf/mapr.keytab</value>
      </property>
    4. Modify the HADOOP_JOBTRACKER_OPTS variable in /opt/mapr/conf/env.sh by replacing ${MAPR_LOGIN_OPTS} with ${HYBRID_LOGIN_OPTS}.

    5. Restart the JobTracker and TaskTracker services.
  4. Launch any commands that need to access the HDFS cluster with the “HADOOP_OPTS=-Dhadoop.login=hybrid” Java property.

Case 3: Secure MapR Cluster and

...

Non-Secure HDFS Cluster

If a secure MapR cluster is accessing an insecure non-secure HDFS cluster with the  hdfs:// protocol, modify the /opt/mapr/conf/env.sh file on each node to replace ${MAPR_LOGIN_OPTS} with “-Dhadoop.login=maprsasl_permissive” in the HADOOP_JOBTRACKER_OPTS  and HADOOP_TASKTRACKER_OPTS variables.

 Launch any commands that need to access the HDFS cluster with the “HADOOP_OPTS=-Dhadoop.login=hybrid” Java property.

Case 4: Secure MapR Cluster with Secure and

...

Non-Secure HDFS Cluster

If the MapR cluster is secure and the HDFS cluster is both secure and insecurenon-secure, complete the steps described in Step 2, above.

If a secure MapR cluster is accessing an insecure non-secure HDFS cluster with the  hdfs:// protocol, modify the /opt/mapr/conf/env.sh file on each node to replace ${MAPR_LOGIN_OPTS} with “-Dhadoop.login=maprsasl_permissive” in the HADOOP_JOBTRACKER_OPTS  and HADOOP_TASKTRACKER_OPTS variables.

...