Once your Hadoop cluster uses Kerberos for authentication, configure Knox as follows so that it can work with that cluster.
To let the Knox Gateway interact with a Kerberos-protected Hadoop cluster, add a knox user and the Knox Gateway proxyuser properties to the cluster.
On every Hadoop master node, run the following:
Create a Unix account for Knox:
    useradd -g hadoop knox
Add the following lines to core-site.xml on each master node, near the end of the file:

    <property>
      <name>hadoop.proxyuser.knox.groups</name>
      <value>users</value>
    </property>
    <property>
      <name>hadoop.proxyuser.knox.hosts</name>
      <value>$knox-host</value>
    </property>

where $knox-host is the fully qualified domain name of the host running the gateway. Note: you can usually find this by running hostname -f on that host. You can set the host to * for local developer testing if the Knox host does not have a static IP address, but do not do so on a production cluster: these two properties are the only limit on which hosts the knox principal may impersonate users from (hosts) and which users it may impersonate (members of the listed groups).
Add the following lines to webhcat-site.xml on each master node, towards the end of the file:

    <property>
      <name>hadoop.proxyuser.knox.groups</name>
      <value>users</value>
    </property>
    <property>
      <name>hadoop.proxyuser.knox.hosts</name>
      <value>$knox-host</value>
    </property>

where $knox-host is the fully qualified domain name of the host running the gateway (hostname -f on that host). As for core-site.xml, * is acceptable only for local developer testing when the Knox host has no static IP address.
On the Oozie host, add the following lines to oozie-site.xml, near the end of the file:

    <property>
      <name>oozie.service.ProxyUserService.proxyuser.knox.groups</name>
      <value>users</value>
    </property>
    <property>
      <name>oozie.service.ProxyUserService.proxyuser.knox.hosts</name>
      <value>$knox-host</value>
    </property>

where $knox-host is the fully qualified domain name of the host running the gateway (hostname -f on that host). As above, * is acceptable only for local developer testing when the Knox host has no static IP address.
On the nodes running HiveServer2, add the following properties to hive-site.xml:

    <property>
      <name>hive.server2.enable.doAs</name>
      <value>true</value>
    </property>
    <property>
      <name>hive.server2.allow.user.substitution</name>
      <value>true</value>
    </property>
    <property>
      <name>hive.server2.transport.mode</name>
      <value>http</value>
      <description>Server transport mode. "binary" or "http".</description>
    </property>
    <property>
      <name>hive.server2.thrift.http.port</name>
      <value>10001</value>
      <description>Port number when in HTTP mode.</description>
    </property>
    <property>
      <name>hive.server2.thrift.http.path</name>
      <value>cliservice</value>
      <description>Path component of URL endpoint when in HTTP mode.</description>
    </property>

hive.server2.enable.doAs=true makes HiveServer2 run queries as the end user that Knox presents rather than as the hive service user, and hive.server2.allow.user.substitution lets Knox supply that user name.
Note: some of these properties may already be in hive-site.xml. Ensure that their values match the ones above.
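The proxyuser entries above are what decide whom Knox may impersonate and from which hosts, so they are worth checking mechanically before a cluster goes live. The following script is added here as an example and is not part of the Knox or Hadoop documentation: it parses Hadoop-style site files and flags the weak settings (a * host or group list, a host list that omits the gateway, or a missing entry). The XML documents and the gateway name knox.example.com are constructed for the example; the property names are the real ones from core-site.xml, webhcat-site.xml and oozie-site.xml.

```python
"""Audit the Knox proxyuser (impersonation) settings in Hadoop site files.

Added example, not Knox or Hadoop project code. The property names are the
ones used in core-site.xml, webhcat-site.xml and oozie-site.xml; the XML
documents and the gateway FQDN knox.example.com are constructed here.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Which property pair controls impersonation by the knox principal in each file.
PROXYUSER_KEYS = {
    "core-site.xml": ("hadoop.proxyuser.knox.hosts",
                      "hadoop.proxyuser.knox.groups"),
    "webhcat-site.xml": ("hadoop.proxyuser.knox.hosts",
                         "hadoop.proxyuser.knox.groups"),
    "oozie-site.xml": ("oozie.service.ProxyUserService.proxyuser.knox.hosts",
                       "oozie.service.ProxyUserService.proxyuser.knox.groups"),
}

# Constructed samples: the developer-testing setting and the corrected one.
WEAK_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.knox.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.knox.hosts</name><value>*</value></property>
</configuration>"""

GOOD_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.knox.groups</name><value>users</value></property>
  <property><name>hadoop.proxyuser.knox.hosts</name><value>knox.example.com</value></property>
</configuration>"""

# Constructed: an Oozie file whose host list names a machine other than the gateway.
STALE_OOZIE_SITE = """<configuration>
  <property><name>oozie.service.ProxyUserService.proxyuser.knox.groups</name><value>users</value></property>
  <property><name>oozie.service.ProxyUserService.proxyuser.knox.hosts</name><value>old-knox.example.com</value></property>
</configuration>"""


def parse_site_xml(text: str) -> Dict[str, str]:
    """Return {name: value} for every <property> element in a Hadoop site file."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_proxyuser(filename: str, props: Dict[str, str], knox_fqdn: str) -> List[str]:
    """Return findings for one site file; an empty list means it passes."""
    hosts_key, groups_key = PROXYUSER_KEYS[filename]
    findings = []

    hosts = props.get(hosts_key)
    if hosts is None:
        findings.append(f"{filename}: {hosts_key} is missing; doAs requests from Knox will be rejected")
    elif hosts == "*":
        findings.append(f"{filename}: {hosts_key}=* lets any host that obtains the knox keytab impersonate users")
    elif knox_fqdn not in [h.strip() for h in hosts.split(",")]:
        findings.append(f"{filename}: {hosts_key}={hosts!r} does not list the gateway host {knox_fqdn}")

    groups = props.get(groups_key)
    if groups is None:
        findings.append(f"{filename}: {groups_key} is missing; doAs requests from Knox will be rejected")
    elif groups == "*":
        findings.append(f"{filename}: {groups_key}=* lets knox impersonate every user, including superusers")
    return findings


def audit_files(files: Dict[str, str], knox_fqdn: str) -> Dict[str, List[str]]:
    """Audit several site files given as {filename: xml_text}; only files with findings are returned."""
    result = {}
    for filename, text in files.items():
        findings = audit_proxyuser(filename, parse_site_xml(text), knox_fqdn)
        if findings:
            result[filename] = findings
    return result


if __name__ == "__main__":
    report = audit_files({"core-site.xml": WEAK_CORE_SITE,
                          "oozie-site.xml": STALE_OOZIE_SITE}, "knox.example.com")
    for filename, findings in report.items():
        for finding in findings:
            print("FINDING:", finding)
    print("corrected core-site.xml:",
          audit_files({"core-site.xml": GOOD_CORE_SITE}, "knox.example.com") or "no findings")
```

To run it against a real cluster, read each file from the path Ambari or your configuration management writes it to and pass the output of hostname -f on the gateway as knox_fqdn; the check deliberately treats a host list that does not name the gateway as a finding, since that is the symptom of a gateway that was moved without the cluster side being updated.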
On the KDC, create a Kerberos principal and keytab for Knox as follows:
SSH to the KDC host.
Run kadmin.local to open an interactive session:
    kadmin.local
Add a principal for knox and export its key to a keytab with the following commands:
    add_principal -randkey knox/$knox-host@EXAMPLE.COM
    ktadd -k /etc/security/keytabs/knox.service.keytab -norandkey knox/$knox-host@EXAMPLE.COM
where $knox-host is the fully qualified domain name of the Knox Gateway and EXAMPLE.COM is the name of your KDC realm. The same principal name must be used in add_principal and in ktadd; it is the name the Knox JAAS configuration refers to below.
Close the interactive session:
    exit
After preparing the cluster and creating a keytab for Knox, complete the configuration on the Knox host as follows.
Copy the Knox keytab to the Knox host:
Add a Unix account for the knox user on the Knox host:
    useradd -g hadoop knox
Copy the knox.service.keytab created on the KDC host to /etc/knox/conf/knox.service.keytab on the Knox host. Change the owner of the file to the knox user and restrict its permissions so that only that user can read it; the keytab is a long-lived credential, and anyone who can read it can authenticate as the knox principal:
    chown knox /etc/knox/conf/knox.service.keytab
    chmod 400 /etc/knox/conf/knox.service.keytab
Update krb5.conf at /etc/knox/conf/krb5.conf on the Knox host. Tip: you can also copy the $gateway_home/templates/krb5.conf file provided in the Knox binary download and customize it to suit your cluster.
Update /etc/knox/conf/krb5JAASLogin.conf on the Knox host. Tip: you can also copy the $gateway_home/templates/krb5JAASLogin.conf file provided in the Knox binary download and customize it to suit your cluster. Replace $knox-host with the Knox Gateway FQDN and EXAMPLE.COM with your KDC realm.
Update $gateway_home/conf/gateway-site.xml on the Knox host by changing the following value:

    <property>
      <name>gateway.hadoop.kerberos.secured</name>
      <value>true</value>
      <description>Boolean flag indicating whether the Hadoop cluster protected by gateway is secured with Kerberos</description>
    </property>
Restart Knox as follows:
    su -l knox -c '$gateway_home/bin/gateway.sh stop'
    su -l knox -c '$gateway_home/bin/gateway.sh start'
Redeploy the cluster topologies as follows:
Redeploy all clusters with the following command:
    $gateway_home/bin/knoxcli.sh redeploy
Verify that a new cluster topology WAR was created with the following command:
    ls -lh /var/lib/knox/data/deployments
A new deployment for each topology, all sharing the same timestamp, should be listed.
Note: After you complete the above configuration and restart Knox, Knox uses SPNEGO to authenticate to the Hadoop services and Oozie. There is no change in the way you make calls to the gateway, whether you use cURL or the Knox DSL.