Install the HDP Security Administration server on a Linux host with at least 2 GB of memory available for the Web application and at least 10 GB of disk space for HDP Security Administration logs.
Note | |
---|---|
You can install the HDP Security Administration on a shared web application host. Before installing, ensure that the prerequisites have been met; see Prerequisites. |
Perform the following steps on the HDP Security Administration host.
1. Log on to the host as `root`.
2. Copy the installation file and extract as follows:
   1. Create a temporary directory, such as `/tmp/xasecure`:
      ```
      mkdir /tmp/xasecure
      ```
   2. Move the installation package to the temporary directory.
   3. Move the MySQL Connector JAR file to the temporary directory. Download the JAR from here.
   4. Extract the contents:
      ```
      tar xvf $xasecureinstallation.tar
      ```
3. Go to the directory where you extracted the installation files:
   ```
   cd /tmp/xasecure/xasecure-$name-$build-version
   ```
4. Open the `install.properties` file for editing.
5. Define the parameters for the MySQL database setup:

   Table 2.1. MySQL Database Install Parameters

   Parameter | Value | Description |
   ---|---|---|
   `MYSQL_BIN` | `mysql` | Specify the command to invoke MySQL. For example, `mysql`. This command is used by the script to invoke MySQL and connect to the database server. |
   `MYSQL_CONNECTOR_JAR` | `$path-to-mysql-connector` | Specify the absolute path on the local host to the JDBC driver for MySQL including filename.[a] For example, `/tmp/xasecure/mysql-connector-java.jar` |
   `db_root_password` | `$root-password` | The password for the root MySQL account. Used by the installation script to create the HDP SA database and database user. |
   `db_host` | `$mysql-host` | Host name of the system running MySQL server. |
   `db_user` | `$xadbuser` | Specify a name for the user account that the installer creates and is then used to write to the database. |
   `db_name` | `$dbname` | Specify a name for the database that Installer creates during installation. |
   `db_password` | `$dbpassword` | Specify a password for the `$xadbuser` account created by the installer during installation. |
   `audit_db_name` | `$auditdb` | Specify a name for the audit database created by the installer during installation. |
   `audit_db_user` | `$auditdbuser` | Specify a name for the audit database account created by the installer during installation. |
   `audit_db_password` | `$auditdbupw` | Specify the password for the audit database account that the installer sets during installation. |

   During installation, the script logs into the database, creates the HDP Security database named in the properties file, adds the user specified, and loads the MySQL tables.

   Warning | |
   ---|---|
   DO NOT create the HDP Security database beforehand. If the database you specify already exists the HDP Security Administration tables are not added. |
6. Define the HDP Security Administration Server URL, which is used by Security Agents and by users accessing the interface for Policies and Auditing:

   Table 2.2. HDP Security Administration Server URL Parameters

   Parameter | Value | Description |
   ---|---|---|
   `policymgr_external_url` | `$url` | Specify the full URL to access the HDP Security Administration Web UI. For example, `http://pm-host:6080`. |
   `policymgr_http_enabled` | `$true-or-false` | Specify `true` to allow access to the HDP Security Administration Interface on HTTP or specify `false` to only allow HTTPS access to the interface. |

7. In the `JAVA_HOME` parameter, specify the path to the directory that contains the Java bin, for example:
   ```
   #------------------------- JAVA CONFIG - BEGIN ----------------------------------
   #
   # Java Home path
   #
   JAVA_HOME='/usr/lib/jvm/jre-1.7.0-openjdk.x86_64'
   #------------------------- JAVA CONFIG - END ----------------------------------
   ```
8. Use the following parameters and values in all configurations:

   Table 2.3. Required Settings (for future enhancements)

   Parameter | Value | Description |
   ---|---|---|
   `unix_user` | `xasecure` | Parameter and value required in all configurations. |
   `unix_group` | `xasecure` | Parameter and value required in all configurations. |

9. Use one of the following sets of parameters to define the Authentication for the HDP Security Administration Web UI:

   - Web UI administrators that are manually defined in the HDP Security Administration Web UI:

     Table 2.4. HDP Security Administration Web UI Local Authentication Parameter

     Parameter | Value | Description |
     ---|---|---|
     `remoteLoginEnabled` | `false` | Specify `false` to manage users in the HDP Security Administration Web UI. |

   - Web UI administrators authenticated against an external Unix Server:

     Table 2.5. External Unix System Users Authentication Parameters

     Parameter | Value | Description |
     ---|---|---|
     `authentication_method` | `UNIX` | Specify `UNIX` to allow users to sign in to the HDP Security Administration Web UI using their credentials from an external Unix Server. |
     `remoteLoginEnabled` | `true` | Specify `true` to enable remote login. |
     `authServiceHostName` | `$usersync-hostname` | Specify the remote Unix host name.[a] |
     `authServicePort` | `$port` | Listening port of the Unix host where the UX-UserGroup Synchronizer will be installed; the default port is `5151`. |

     [a] Requires installation of the UX-UserGroup Synchronizer.

     Note | |
     ---|---|
     Requires installation of the User and Group Synchronizer Agent on the remote Unix Server. |

     The following is an example allowing HDP Sandbox users to access HDP Security Administration Web UI:
     ```
     # ------- UNIX User CONFIG ----------------
     #
     unix_user=xasecure
     unix_group=xasecure
     #
     # ------- UNIX User CONFIG - END ----------------
     #
     #
     # UNIX authentication service for Policy Manager
     #
     # PolicyManager can authenticate using UNIX username/password
     # The UNIX server specified here as authServiceHostName needs to be installed with xasecure-unix-ugsync package.
     # Once the service is installed on authServiceHostName, the UNIX username/password from the host <authServiceHostName> can be used to login into policy manager
     #
     # ** The installation of xasecure-unix-ugsync package can be installed after the policymanager installation is finished.
     #
     #LDAP|ACTIVE_DIRECTORY|UNIX|NONE
     authentication_method=UNIX
     remoteLoginEnabled=true
     authServiceHostName=sandbox
     authServicePort=5151
     ```
   - Web UI administrators authenticated against an external LDAP (either OpenLDAP or Active Directory service):

     Table 2.6. External LDAP Service Authentication Parameters

     Parameter | Value | Description |
     ---|---|---|
     `authentication_method` | `LDAP` | Specify `LDAP` to allow users to sign in to the HDP Security Administration Web UI using their credentials from an external LDAP service. |
     `remoteLoginEnabled` | `true` | Specify `true` to enable remote login. |
     `authServiceHostName` | `$usersync-hostname` | Specify the LDAP service host name or IP address.[a] |
     `authServicePort` | `$port` | Listening port of the LDAP service; the default port is `389`. |

     [a] Requires installation of the UX-UserGroup Synchronizer.

     The following is an example of the configuration parameters for OpenLDAP installed on HDP Sandbox:
     ```
     # ------- UNIX User CONFIG ----------------
     #
     unix_user=xasecure
     unix_group=xasecure
     #
     # ------- UNIX User CONFIG - END ----------------
     #
     #
     # UNIX authentication service for Policy Manager
     #
     # PolicyManager can authenticate using UNIX username/password
     # The UNIX server specified here as authServiceHostName needs to be installed with xasecure-unix-ugsync package.
     # Once the service is installed on authServiceHostName, the UNIX username/password from the host <authServiceHostName> can be used to login into policy manager
     #
     # ** The installation of xasecure-unix-ugsync package can be installed after the policymanager installation is finished.
     #
     #LDAP|ACTIVE_DIRECTORY|UNIX|NONE
     authentication_method=LDAP
     remoteLoginEnabled=true
     authServiceHostName=sandbox
     authServicePort=389
     ```

10. Save the `install.properties` file.
The following example shows the HDP Security Administration server `install.properties` for a system that does not allow remote login of Web UI administrators:

```
#
# This file provides list of deployment variables for the Policy Manager Web Application
#
#------------------------- MYSQL CONFIG - BEGIN ----------------------------------
#
# The executable path to be used to invoke command-line MYSQL
#
MYSQL_BIN='mysql'
#
# Location of mysql client library (please check the location of the jar file)
#
MYSQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
#
# MYSQL password for the MYSQL root user-id
# **************************************************************************
# ** If the password is left empty or not-defined here,
# ** it will be prompted to enter the password during installation process
# **************************************************************************
#
db_root_password=hadoop
db_host=localhost
#
# MySQL UserId used for the XASecure schema
#
db_name=xasecure
db_user=xaadmin
db_password=hadoop
#
# MySQL UserId for storing auditlog infromation
#
# * audit_db can be same as the XASecure schema db
# * audit_db must exists in the same ${db_host} as xaserver database ${db_name}
# * audit_user must be a different user than db_user (as audit user has access to only audit tables)
#
audit_db_name=xasecure
audit_db_user=xalogger
audit_db_password=hadoop
#------------------------- MYSQL CONFIG - END ----------------------------------
#
# ------- PolicyManager CONFIG ----------------
#
policymgr_external_url=http://localhost:6080
policymgr_http_enabled=true
#
# ------- PolicyManager CONFIG - END ---------------
#
#
# UNIX authentication service for Policy Manager
#
# PolicyManager can authenticate using UNIX username/password
# The UNIX server specified here as authServiceHostName needs to be installed with xasecure-unix-ugsync package.
# Once the service is installed on authServiceHostName, the UNIX username/password from the host <authServiceHostName> can be used to login into Policy Manager
#
# ** The installation of xasecure-unix-ugsync package can be installed after the policymanager installation is finished.
#
remoteLoginEnabled=false
authServiceHostName=
authServicePort=
#
# -----------------------------------------------------------
#
# ###### DO NOT MODIFY ANY VARIABLES BELOW #########################
#
# --- These deployment variables are not to be modified unless you understand the full impact of the changes
#
###################################################
app_home=$PWD/app
war_file=${PWD}/war/xa_portal.war
TMPFILE=$PWD/.fi_tmp
LOGFILE=$PWD/logfile
LOGFILES="$LOGFILE"
JAVA_BIN='java'
JAVA_VERSION_REQUIRED='1.7'
JAVA_ORACLE='Java(TM) SE Runtime Environment'
db_create_user_file=${PWD}/db/create_dev_user.sql
db_core_file=${PWD}/db/xa_core_db.sql
db_assert_file=${PWD}/db/reset_asset.sql
```
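A pre-flight check for the `install.properties` file described above, as an added example that is not part of the original guide or of the product's installer. It checks only parameters shown on this page; the function names `prop` and `check_install_properties` are assumptions introduced here.

```shell
# Added example: lint install.properties before running install.sh.
# Only parameter names that appear on this page are checked.
# prop FILE KEY: print the value of the last KEY=value line, quotes stripped
prop() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed "s/[[:space:]]*\$//; s/^['\"]//; s/['\"]\$//"
}

# check_install_properties FILE: one finding per line, non-zero status if any
check_install_properties() {
    f=$1; n=0
    note() { echo "$f: $*"; n=$((n + 1)); }

    # The file carries database passwords in clear text.
    case "$(ls -ld "$f" | cut -c1-10)" in
        ????------) ;;
        *) note "accessible to group or other; chmod 600" ;;
    esac
    [ -z "$(prop "$f" db_root_password)" ] ||
        note "db_root_password is stored; leave it empty to be prompted"

    # The audit account must differ from the schema account.
    [ "$(prop "$f" audit_db_user)" != "$(prop "$f" db_user)" ] ||
        note "audit_db_user must be a different account than db_user"

    # MYSQL_CONNECTOR_JAR is an absolute path that includes the file name.
    jar=$(prop "$f" MYSQL_CONNECTOR_JAR)
    case "$jar" in
        /*) [ -f "$jar" ] || note "MYSQL_CONNECTOR_JAR not found: $jar" ;;
        *)  note "MYSQL_CONNECTOR_JAR must be an absolute path" ;;
    esac

    # policymgr_http_enabled=false means HTTPS only, so the URL must agree.
    case "$(prop "$f" policymgr_http_enabled):$(prop "$f" policymgr_external_url)" in
        false:https://*) ;;
        false:*) note "HTTP is disabled but policymgr_external_url is not https" ;;
        *) note "plain HTTP access to the Web UI is allowed" ;;
    esac

    # Remote login needs a method, a host and a port.
    if [ "$(prop "$f" remoteLoginEnabled)" = true ]; then
        case "$(prop "$f" authentication_method)" in
            UNIX|LDAP|ACTIVE_DIRECTORY) ;;
            *) note "remoteLoginEnabled=true needs authentication_method" ;;
        esac
        [ -n "$(prop "$f" authServiceHostName)" ] && [ -n "$(prop "$f" authServicePort)" ] ||
            note "remoteLoginEnabled=true needs authServiceHostName and authServicePort"
    fi
    [ "$n" -eq 0 ]
}
```

Run it as `check_install_properties install.properties` from the extraction directory; run against the sample file above with default file permissions, it reports the file mode, the stored root password and the HTTP setting.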
After configuring the `install.properties` file, install the HDP Security Administration server as `root`:

1. Log on to the Linux system as root and go to the directory where you extracted the HDP Security Administration installation files:
   ```
   cd /tmp/xasecure/xasecure-policymgr-$build-version
   ```
2. Run the installation script:
   ```
   # ./install.sh
   ```

Once the `install.sh` execution is complete, the HDP Security Administration Web UI is accessible.
Using a web browser, go to the HDP Security Administration application at `http://$policymgr_host:6080`.

If this is the first installation, sign in with the default account, `admin\admin`.
Caution | |
---|---|
Change the |