HDP 2.0.6.0 configurations (with security) 0.
@@ -61,4 +61,103 @@ | ||
61 | 61 | </description> |
62 | 62 | </property> |
63 | 63 | |
64 | + <property> | |
65 | + <name>dfs.namenode.kerberos.principal</name> | |
66 | + <value>hdfs/_HOST@${this.realm}</value> | |
67 | + <!-- _HOST is replaced with the fs.defaultFS's host name --> | |
68 | + <!-- <value>hdfs/${this.namenode.fqdn}@${this.realm}</value> --> | |
69 | + <description>Kerberos principal name for the NameNode</description> | |
70 | + </property> | |
71 | + <property> | |
72 | + <name>dfs.namenode.keytab.file</name> | |
73 | + <value>${this.keytab.dir}/nn.keytab</value> | |
74 | + <description> | |
75 | + Combined keytab file containing the namenode service and host | |
76 | + principals. | |
77 | + </description> | |
78 | + </property> | |
79 | + <property> | |
80 | + <name>dfs.secondary.namenode.kerberos.principal</name> | |
81 | + <value>hdfs/${this.secondary.namenode.fqdn}@${this.realm}</value> | |
82 | + <!-- <value>hdfs/_HOST@${this.realm}</value> --> | |
83 | + <description> | |
84 | + Kerberos principal name for the secondary NameNode. | |
85 | + </description> | |
86 | + </property> | |
87 | + <property> | |
88 | + <name>dfs.secondary.namenode.keytab.file</name> | |
89 | + <value>${this.keytab.dir}/cn.keytab</value> | |
90 | + <description> | |
91 | + Combined keytab file containing the namenode service and host | |
92 | + principals. | |
93 | + </description> | |
94 | + </property> | |
95 | + <!-- for KSSL (NOT RECOMMENDED). Note: N/A on the CDH4 --> | |
96 | + <property> | |
97 | + <name>hadoop.security.use-weak-http-crypto</name> | |
98 | + <value>false</value> | |
99 | + </property> | |
100 | + <property> | |
101 | + <name>dfs.block.access.token.enable</name> | |
102 | + <value>true</value> | |
103 | + <description> | |
104 | + If "true", access tokens are used as capabilities for accessing | |
105 | + datanodes. | |
106 | + If "false", no access tokens are checked on accessing datanodes. | |
107 | + </description> | |
108 | + </property> | |
109 | + <property> | |
110 | + <name>dfs.datanode.kerberos.principal</name> | |
111 | + <value>hdfs/localhost@${this.realm}</value> | |
112 | + <!-- <value>hdfs/_HOST@${this.realm}</value> --> | |
113 | + <description> | |
114 | + The Kerberos principal that the DataNode runs as. "_HOST" is | |
115 | + replaced by the real host name. | |
116 | + </description> | |
117 | + </property> | |
118 | + <property> | |
119 | + <name>dfs.datanode.keytab.file</name> | |
120 | + <value>${this.keytab.dir}/dn.keytab</value> | |
121 | + <description> | |
122 | + The filename of the keytab file for the DataNode. | |
123 | + </description> | |
124 | + </property> | |
125 | + <property> | |
126 | + <name>dfs.namenode.kerberos.internal.spnego.principal</name> | |
127 | + <value>${dfs.web.authentication.kerberos.principal}</value> | |
128 | + <!-- <value>HTTP/_HOST@${this.realm}</value> --> | |
129 | + <!-- _HOST is replaced with dfs.namenode.http-address's host name. --> | |
130 | + </property> | |
131 | + <property> | |
132 | + <name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name> | |
133 | + <value>HTTP/${this.secondary.namenode.fqdn}@${this.realm}</value> | |
134 | + <!-- <value>HTTP/_HOST@${this.realm}</value> --> | |
135 | + <!-- _HOST is replaced with dfs.namenode.secondary.http-address's host name. --> | |
136 | + </property> | |
137 | + | |
138 | + <property> | |
139 | + <name>dfs.datanode.address</name> | |
140 | + <value>0.0.0.0:1004</value> | |
141 | + </property> | |
142 | + <property> | |
143 | + <name>dfs.datanode.http.address</name> | |
144 | + <value>0.0.0.0:1006</value> | |
145 | + </property> | |
146 | + | |
147 | + <property> | |
148 | + <name>dfs.namenode.http-address</name> | |
149 | + <value>${this.namenode.fqdn}:50070</value> | |
150 | + </property> | |
151 | + <property> | |
152 | + <name>dfs.namenode.secondary.http-address</name> | |
153 | + <value>${this.secondary.namenode.fqdn}:50090</value> | |
154 | + </property> | |
155 | + <property> | |
156 | + <name>dfs.web.authentication.kerberos.principal</name> | |
157 | + <value>HTTP/_HOST@${this.realm}</value> | |
158 | + </property> | |
159 | + <property> | |
160 | + <name>dfs.web.authentication.kerberos.keytab</name> | |
161 | + <value>${this.keytab.dir}/HTTP.keytab</value> | |
162 | + </property> | |
64 | 163 | </configuration> |
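Review bot: `dfs.datanode.kerberos.principal` is pinned to `hdfs/localhost@${this.realm}` while the NameNode uses `hdfs/_HOST@${this.realm}`, so every DataNode would present the same key instead of a per-host one; that is tolerable only for the single-node setup the `localhost` defaults suggest, and on a real cluster the commented `hdfs/_HOST@${this.realm}` is the value to use. The privileged `dfs.datanode.address`/`dfs.datanode.http.address` ports 1004/1006 are what a secure DataNode needs on this release, but they only matter if the DataNode is started through the secure launcher (jsvc with `HADOOP_SECURE_DN_USER` in hadoop-env.sh), which is outside this diff and worth confirming. The NameNode and secondary web endpoints on 50070/50090 stay plain HTTP here, so the SPNEGO-issued `hadoop.auth` cookie crosses the network in the clear and can be replayed within its lifetime; if the network is not trusted, the HTTPS endpoints should be enabled as well. The `dfs.secondary.namenode.keytab.file` description is copied from the NameNode entry and should read `Combined keytab file containing the secondary NameNode service and host principals.`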
@@ -28,6 +28,15 @@ | ||
28 | 28 | <!-- <value>grid.example.com</value> --> |
29 | 29 | </property> |
30 | 30 | <property> |
31 | + <name>this.realm</name> | |
32 | + <value>LOCALDOMAIN</value> | |
33 | + <!-- <value>GRID.EXAMPLE.COM</value> --> | |
34 | + </property> | |
35 | + <property> | |
36 | + <name>this.keytab.dir</name> | |
37 | + <value>/grid/etc/keytabs/localhost</value> | |
38 | + </property> | |
39 | + <property> | |
31 | 40 | <name>this.namenode.fqdn</name> |
32 | 41 | <value>localhost</value> |
33 | 42 | <!-- <value>${this.cluster.name}-nn.${this.domain}</value> --> |
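Review bot: `this.keytab.dir` points every daemon at one directory, `/grid/etc/keytabs/localhost`, and nothing in the configuration constrains who can read it; each keytab there is equivalent to that service's long-term password, so per-daemon keytabs need to be owned by the daemon account with mode 0400. The `HTTP.keytab` in that directory is referenced by the HDFS, JobHistory and YARN daemons alike, so it has to be readable by a group shared by the hdfs, mapred and yarn accounts rather than by everyone; a `<description>` on this property stating the expected ownership and modes would save the next operator a debugging round.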
@@ -42,4 +51,92 @@ | ||
42 | 51 | <value>/tmp/hadoop-${user.name}</value> |
43 | 52 | </property> |
44 | 53 | |
54 | + <property> | |
55 | + <name>hadoop.security.authentication</name> | |
56 | + <value>kerberos</value> | |
57 | + <description> | |
58 | + Set the authentication for the cluster. Valid values are: simple or | |
59 | + kerberos. | |
60 | + </description> | |
61 | + </property> | |
62 | + <property> | |
63 | + <name>hadoop.security.authorization</name> | |
64 | + <value>true</value> | |
65 | + <description> | |
66 | + Enable authorization for different protocols. | |
67 | + </description> | |
68 | + </property> | |
69 | + <property> | |
70 | + <name>hadoop.security.auth_to_local</name> | |
71 | + <value> | |
72 | + RULE:[2:$1@$0](.*@${this.realm})s/@.*// | |
73 | + RULE:[1:$1@$0](.*@${this.realm})s/@.*// | |
74 | + RULE:[2:$1@$0](hdfs@.*${this.realm})s/.*/hdfs/ | |
75 | + RULE:[2:$1@$0](yarn@.*${this.realm})s/.*/yarn/ | |
76 | + RULE:[2:$1@$0](mapred@.*${this.realm})s/.*/mapred/ | |
77 | + DEFAULT</value> | |
78 | + </property> | |
79 | + <property> | |
80 | + <name>hadoop.security.group.mapping</name> | |
81 | + <value>org.apache.hadoop.security.JniBasedUnixGroupsMapping</value> | |
82 | + </property> | |
83 | + <property> | |
84 | + <name>hadoop.security.groups.cache.secs</name> | |
85 | + <value>14400</value> | |
86 | + </property> | |
87 | + <property> | |
88 | + <name>hadoop.kerberos.kinit.command</name> | |
89 | + <value>/usr/bin/kinit</value> | |
90 | + </property> | |
91 | + | |
92 | + <property> | |
93 | + <name>hadoop.http.filter.initializers</name> | |
94 | + <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value> | |
95 | + <!-- <value>org.apache.hadoop.http.lib.StaticUserWebFilter</value> --> | |
96 | + <description>The name of a class that initializes an input filter for Jetty. | |
97 | + This filter will always return Dr.Who as the web user when the servlets | |
98 | + query for the authenticated user </description> | |
99 | + </property> | |
100 | + <property> | |
101 | + <name>hadoop.http.authentication.signature.secret.file</name> | |
102 | + <value>/grid/etc/hadoop-http-auth-signature-secret</value> | |
103 | + </property> | |
104 | + <property> | |
105 | + <name>hadoop.http.authentication.cookie.domain</name> | |
106 | + <value>${this.domain}</value> | |
107 | + </property> | |
108 | + <property> | |
109 | + <name>hadoop.http.authentication.type</name> | |
110 | + <value>kerberos</value> | |
111 | + <description>Defines authentication used for the HTTP web-consoles. | |
112 | + The supported values are: simple | kerberos | #AUTHENTICATION_HANDLER_CLASSNAME#. | |
113 | + The dfeault value is simple.</description> | |
114 | + </property> | |
115 | + <property> | |
116 | + <name>hadoop.http.authentication.kerberos.principal</name> | |
117 | + <value>HTTP/localhost@${this.realm}</value> | |
118 | + <!-- <value>HTTP/_HOST@${this.realm}</value> | |
119 | + _HOST N/A!: v1.0, HDP1.2; OK: v2.0, CDH3, CDH4 --> | |
120 | + </property> | |
121 | + <property> | |
122 | + <name>hadoop.http.authentication.kerberos.keytab</name> | |
123 | + <value>${this.keytab.dir}/HTTP.keytab</value> | |
124 | + </property> | |
125 | + | |
126 | + <property> | |
127 | + <name>hadoop.proxyuser.oozie.hosts</name> | |
128 | + <value>localhost</value> | |
129 | + </property> | |
130 | + <property> | |
131 | + <name>hadoop.proxyuser.oozie.groups</name> | |
132 | + <value>hadoopers</value> | |
133 | + </property> | |
134 | + <property> | |
135 | + <name>hadoop.proxyuser.httpfs.hosts</name> | |
136 | + <value>localhost</value> | |
137 | + </property> | |
138 | + <property> | |
139 | + <name>hadoop.proxyuser.httpfs.groups</name> | |
140 | + <value>hadoopers</value> | |
141 | + </property> | |
45 | 142 | </configuration> |
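Review bot: In `hadoop.security.auth_to_local` the three service rules for `hdfs@`, `yarn@` and `mapred@` can never fire, because the first rule `RULE:[2:$1@$0](.*@${this.realm})s/@.*//` already matches every two-component principal in the realm and rules are evaluated first-match; they are dead configuration and should be removed or moved above the catch-all. The realm is substituted into those regexes unescaped, which is harmless for `LOCALDOMAIN` but means the dots in the commented `GRID.EXAMPLE.COM` would match any character, so escape them when the realm changes. The description on `hadoop.http.filter.initializers` is left over from `StaticUserWebFilter` ("always return Dr.Who"), the opposite of what `AuthenticationFilterInitializer` does; replace it with `Installs the SPNEGO/Kerberos authentication filter in front of the web UIs; the web user is the authenticated principal, not Dr.Who.` Finally, `hadoop.http.authentication.kerberos.principal` is pinned to `HTTP/localhost` although the comment says `_HOST` works on 2.0, and `hadoop.security.authorization=true` only takes effect together with a hadoop-policy.xml that is not part of this diff.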
@@ -67,4 +67,23 @@ | ||
67 | 67 | </property> |
68 | 68 | --> |
69 | 69 | |
70 | + <property> | |
71 | + <name>mapreduce.jobhistory.principal</name> | |
72 | + <value>mapred/${this.jobhistory.fqdn}@${this.realm}</value> | |
73 | + <!-- <value>mapred/_HOST@${this.realm}</value> --> | |
74 | + </property> | |
75 | + <property> | |
76 | + <name>mapreduce.jobhistory.keytab</name> | |
77 | + <value>${this.keytab.dir}/jh.keytab</value> | |
78 | + </property> | |
79 | + | |
80 | + <property> | |
81 | + <name>mapreduce.jobhistory.webapp.spnego-principal</name> | |
82 | + <value>HTTP/${this.jobhistory.fqdn}@${this.realm}</value> | |
83 | + <!-- <value>HTTP/_HOST@${this.realm}</value> --> | |
84 | + </property> | |
85 | + <property> | |
86 | + <name>mapreduce.jobhistory.webapp.spnego-keytab-file</name> | |
87 | + <value>${this.keytab.dir}/HTTP.keytab</value> | |
88 | + </property> | |
70 | 89 | </configuration> |
@@ -94,5 +94,88 @@ | ||
94 | 94 | <value>MALLOC_ARENA_MAX=$MALLOC_ARENA_MAX,LD_LIBRARY_PATH=${HADOOP_COMMON_HOME}/lib/native</value> |
95 | 95 | </property> |
96 | 96 | |
97 | + <property> | |
98 | + <name>yarn.acl.enable</name> | |
99 | + <value>true</value> | |
100 | + </property> | |
101 | + <property> | |
102 | + <name>yarn.admin.acl</name> | |
103 | + <value> yarn,gridops</value> | |
104 | + </property> | |
105 | + <property> | |
106 | + <name>yarn.resourcemanager.principal</name> | |
107 | + <value>yarn/${this.resourcemanager.fqdn}@${this.realm}</value> | |
108 | + <!-- <value>yarn/_HOST@${this.realm}</value> --> | |
109 | + </property> | |
110 | + <property> | |
111 | + <name>yarn.resourcemanager.keytab</name> | |
112 | + <value>${this.keytab.dir}/rm.keytab</value> | |
113 | + </property> | |
114 | + <property> | |
115 | + <name>yarn.nodemanager.principal</name> | |
116 | + <value>yarn/localhost@${this.realm}</value> | |
117 | + <!-- <value>yarn/_HOST@${this.realm}</value> --> | |
118 | + </property> | |
119 | + <property> | |
120 | + <name>yarn.nodemanager.keytab</name> | |
121 | + <value>${this.keytab.dir}/nm.keytab</value> | |
122 | + </property> | |
123 | + | |
124 | + <property> | |
125 | + <name>yarn.nodemanager.container-executor.class</name> | |
126 | + <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value> | |
127 | + </property> | |
128 | + <property> | |
129 | + <name>yarn.nodemanager.linux-container-executor.group</name> | |
130 | + <value>yarn</value> | |
131 | + </property> | |
132 | + <property> | |
133 | + <name>yarn.nodemanager.linux-container-executor.resources-handler.class</name> | |
134 | + <value>org.apache.hadoop.yarn.server.nodemanager.util.CgroupsLCEResourcesHandler</value> | |
135 | + <description>The class which should help the LCE handle resources.</description> | |
136 | + </property> | |
137 | + <property> | |
138 | + <name>yarn.nodemanager.linux-container-executor.cgroups.hierarchy</name> | |
139 | + <value>/hadoop-yarn</value> | |
140 | + <description>The cgroups hierarchy under which to place YARN proccesses (cannot contain commas). | |
141 | + If yarn.nodemanager.linux-container-executor.cgroups.mount is false (that is, if cgroups have | |
142 | + been pre-configured), then this cgroups hierarchy must already exist and be writable by the | |
143 | + NodeManager user, otherwise the NodeManager may fail. | |
144 | + Only used when the LCE resources handler is set to the CgroupsLCEResourcesHandler.</description> | |
145 | + </property> | |
146 | + <property> | |
147 | + <name>yarn.nodemanager.linux-container-executor.cgroups.mount</name> | |
148 | + <value>false</value> | |
149 | + <description>Whether the LCE should attempt to mount cgroups if not found. | |
150 | + Only used when the LCE resources handler is set to the CgroupsLCEResourcesHandler.</description> | |
151 | + </property> | |
152 | + <property> | |
153 | + <name>yarn.nodemanager.linux-container-executor.cgroups.mount-path</name> | |
154 | + <value></value> | |
155 | + <description>Where the LCE should attempt to mount cgroups if not found. Common locations | |
156 | + include /sys/fs/cgroup and /cgroup; the default location can vary depending on the Linux | |
157 | + distribution in use. This path must exist before the NodeManager is launched. | |
158 | + Only used when the LCE resources handler is set to the CgroupsLCEResourcesHandler, and | |
159 | + yarn.nodemanager.linux-container-executor.cgroups.mount is true.</description> | |
160 | + </property> | |
161 | + | |
162 | + <property> | |
163 | + <name>yarn.resourcemanager.webapp.spnego-principal</name> | |
164 | + <value>HTTP/${this.resourcemanager.fqdn}@${this.realm}</value> | |
165 | + <!-- <value>HTTP/_HOST@${this.realm}</value> --> | |
166 | + </property> | |
167 | + <property> | |
168 | + <name>yarn.resourcemanager.webapp.spnego-keytab-file</name> | |
169 | + <value>${this.keytab.dir}/HTTP.keytab</value> | |
170 | + </property> | |
171 | + <property> | |
172 | + <name>yarn.nodemanager.webapp.spnego-principal</name> | |
173 | + <value>HTTP/localhost@${this.realm}</value> | |
174 | + <!-- <value>HTTP/_HOST@${this.realm}</value> --> | |
175 | + </property> | |
176 | + <property> | |
177 | + <name>yarn.nodemanager.webapp.spnego-keytab-file</name> | |
178 | + <value>${this.keytab.dir}/HTTP.keytab</value> | |
179 | + </property> | |
97 | 180 | </configuration> |
98 | 181 |
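Review bot: The value of `yarn.admin.acl`, ` yarn,gridops`, starts with a space and that space is significant: the ACL string is split at the first space into a users list and a groups list, so as written it grants admin rights to no users and to the groups `yarn` and `gridops` (as far as I recall the 2.x `AccessControlList` parser, and the XML value is not trimmed). If users are intended the value must be `yarn,gridops`; if groups are intended, keep the space but say so in a `<description>`, because a reader will otherwise take it for a typo. `LinuxContainerExecutor` with `linux-container-executor.group=yarn` also depends on the setuid `container-executor` binary and its `container-executor.cfg` (same group, `banned.users`, `min.user.id`), none of which is in this diff; confirm they are provisioned, since a mismatched group or mode makes the NodeManager refuse to start. `yarn.nodemanager.principal` and `yarn.nodemanager.webapp.spnego-principal` use `yarn/localhost` and `HTTP/localhost` while the ResourceManager uses an FQDN; on more than one node these need the commented `_HOST` forms.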