Hortonworks Data Platform

Hadoop Security Guide

Except where otherwise noted, this document is licensed under Creative Commons Attribution ShareAlike 3.0 License

http://creativecommons.org/licenses/by-sa/3.0/legalcode

Hortonworks Data Platform (HDP) and any of its components are not anticipated to be combined with any hardware, software or data, except as expressly recommended in this documentation.

2015-05-26

Abstract

The Hortonworks Data Platform, powered by Apache Hadoop, is a massively scalable and 100% open source platform for storing, processing and analyzing large volumes of data. It is designed to deal with data from many sources and formats in a very quick, easy and cost-effective manner. The Hortonworks Data Platform consists of the essential set of Apache Hadoop projects including MapReduce, Hadoop Distributed File System (HDFS), HCatalog, Pig, Hive, HBase, Zookeeper and Ambari. Hortonworks is the major contributor of code and patches to many of these projects. These projects have been integrated and tested as part of the Hortonworks Data Platform release process and installation and configuration tools have also been included.

Unlike other providers of platforms built using Apache Hadoop, Hortonworks contributes 100% of our code back to the Apache Software Foundation. The Hortonworks Data Platform is Apache-licensed and completely open source. We sell only expert technical support, training and partner-enablement services. All of our technology is, and will remain free and open source.

Please visit the Hortonworks Data Platform page for more information on Hortonworks technology. For more information on Hortonworks services, please visit either the Support or Training page. Feel free to Contact Us directly to discuss your specific needs.

Contents

1. Hadoop Security Features

2. Set up Authentication for Hadoop Cluster Components

1. Setting Up Security for Manual Installs

1.1. Preparing Kerberos
1.2. Installing and Configuring the KDC
1.3. Creating the Database and Setting Up the First Administrator
1.4. Creating Service Principals and Keytab Files for HDP

2. Configuring HDP

2.1. Configuration Overview
2.2. Creating Mappings Between Principals and UNIX Usernames
2.3. Adding Security Information to Configuration Files

3. Configure Secure HBase and ZooKeeper

3.1. Configure HBase Master
3.2. Create JAAS configuration files
3.3. Start HBase and ZooKeeper services
3.4. Configure secure client side access for HBase
3.5. Optional: Configure client-side operation for secure operation - Thrift Gateway
3.6. Optional: Configure client-side operation for secure operation - REST Gateway
3.7. Configure HBase for Access Control Lists (ACL)

4. Setting up One-Way Trust with Active Directory

4.1. Configure Kerberos Hadoop Realm on the AD DC
4.2. Configure the AD Domain on the KDC and Hadoop Cluster Hosts

5. Allowing Impersonation

3. Data Protection

1. Enable RPC Encryption for the Hadoop Cluster

2. Enable Data Transfer Protocol

3. Enable SSL on HDP Components

3.1. Understanding Hadoop SSL Keystore Factory
3.2. Manage SSL Certificates
3.3. Enable SSL for WebHDFS, MapReduce Shuffle, and YARN
3.4. Enable SSL on Oozie
3.5. Enable SSL on WebHBase and the HBase REST API
3.6. Enable SSL on HiveServer2

4. Connect to SSL Enabled Components

4.1. Connect to SSL Enabled HiveServer2 using JDBC
4.2. Connect to SSL Enabled Oozie Server

List of Tables

2.1. Service Principals
2.2. Service Keytab File Names
2.3. core-site.xml
2.4. core-site.xml
2.5. core-site.xml
2.6. hdfs-site.xml
2.7. yarn-site.xml
2.8. mapred-site.xml
2.9. hbase-site.xml
2.10. hive-site.xml
2.11. oozie-site.xml
2.12. webhcat-site.xml
3.1. Configure Data Protection for HDP Components
3.2. Compontents that Support SSL
3.3. Configuration Properties in ssl-server.xml

Legal notices