Configure DLM proxying for TLS wire-encrypted clusters
If you are using TLS (formerly SSL) wire encryption, you must configure DLM so that service requests are proxied through a Knox Gateway. This limits direct access to cluster services, providing a more secure environment. All cluster services, such as Hive, Ambari, and Ranger, are accessed through a Knox proxy by DPS Platform and DLM Engine.
- You must perform this task on all the cluster nodes that have wire encryption enabled.
- If proxying is used, it must be enabled on both clusters in a DLM replication.
By default, proxying with Knox is disabled in DLM.
- When proxying is enabled, you cannot pair a cluster running DLM Engine version 1.0 with a cluster running a higher version of the engine.
- TLS must be configured for Knox before proxying will work with DLM.
- To perform this task, you must have root user privileges on the DLM host and on all nodes that have Knox enabled.
- You must have created the /etc/knox/conf/topologies/dp-proxy.xml file during DPS configuration.
In a terminal, navigate to the Knox topologies directory.
Log in as root and create a beacon-preauth.xml file.
vi beacon-preauth.xml
Example beacon-preauth.xml topology file:
You can copy and paste this sample content into your file and modify as needed.
<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>HeaderPreAuth</name>
      <enabled>true</enabled>
      <param>
        <name>preauth.custom.header</name>
        <value>BEACON_USER</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>HadoopGroupProvider</name>
      <enabled>true</enabled>
    </provider>
    <!-- currently validating this acl for authorization -->
    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>true</enabled>
      <param>
        <name>knoxtoken.acl</name>
        <value>beacon;*;*</value>
      </param>
    </provider>
  </gateway>
  <service>
    <role>KNOXTOKEN</role>
    <param>
      <name>knox.token.ttl</name>
      <value>120000</value>
    </param>
    <param>
      <name>knox.token.client.cert.required</name>
      <value>true</value>
    </param>
    <param>
      <name>knox.token.allowed.principals</name>
      <value><semicolon separated list of beacon dn names></value>
    </param>
    <param>
      <name>knox.token.client.data</name>
      <value>cookie.name=hadoop-jwt</value>
    </param>
  </service>
</topology>
The DN to be configured in knox.token.allowed.principals is the DN in the TLS certificate of each beacon host.
Example DN: CN=beacon.host.com, OU=Eng, O=ABC Corp, L=Santa Clara, ST=CA, C=US
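As an added check that is not part of the DLM documentation, the following Python script parses a beacon-preauth.xml topology and flags the settings this procedure depends on: the HeaderPreAuth provider with the BEACON_USER header, client certificates required for KNOXTOKEN, and a real DN list rather than the placeholder. The embedded SAMPLE topology is constructed from the example above, with beacon.host.com standing in for a real beacon host.

```python
# Added example (not from the DLM docs): sanity-check a beacon-preauth.xml
# topology before deploying it to the Knox topologies directory.
import xml.etree.ElementTree as ET

# Constructed sample based on the topology shown on this page.
SAMPLE = """<topology><gateway>
<provider><role>federation</role><name>HeaderPreAuth</name><enabled>true</enabled>
<param><name> preauth.custom.header </name><value> BEACON_USER </value></param></provider>
<provider><role>identity-assertion</role><name>HadoopGroupProvider</name><enabled>true</enabled></provider>
<provider><role>authorization</role><name>AclsAuthz</name><enabled>true</enabled>
<param><name>knoxtoken.acl</name><value>beacon;*;*</value></param></provider>
</gateway><service><role>KNOXTOKEN</role>
<param><name>knox.token.ttl</name><value>120000</value></param>
<param><name>knox.token.client.cert.required</name><value>true</value></param>
<param><name>knox.token.allowed.principals</name>
<value>CN=beacon.host.com, OU=Eng, O=ABC Corp, L=Santa Clara, ST=CA, C=US</value></param>
<param><name>knox.token.client.data</name><value>cookie.name=hadoop-jwt</value></param>
</service></topology>"""

def check_beacon_preauth(xml_text):
    """Return a list of problems found in a beacon-preauth.xml topology (empty if OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:  # the <semicolon separated ...> placeholder is not valid XML
        return ["not well-formed XML (placeholder left in a value?): %s" % e]
    problems = []
    def params_of(elem):  # <param><name>..</name><value>..</value></param> -> dict, whitespace stripped
        return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
                for p in elem.iter("param")}
    pre = next((p for p in root.iter("provider") if p.findtext("name") == "HeaderPreAuth"), None)
    if pre is None or pre.findtext("enabled") != "true":
        problems.append("HeaderPreAuth federation provider missing or disabled")
    elif params_of(pre).get("preauth.custom.header") != "BEACON_USER":
        problems.append("preauth.custom.header must be BEACON_USER")
    svc = next((s for s in root.iter("service") if s.findtext("role") == "KNOXTOKEN"), None)
    if svc is None:
        return problems + ["KNOXTOKEN service missing"]
    params = params_of(svc)
    if params.get("knox.token.client.cert.required") != "true":
        problems.append("knox.token.client.cert.required must be true (client cert auth)")
    dns = [d.strip() for d in params.get("knox.token.allowed.principals", "").split(";") if d.strip()]
    if not dns:
        problems.append("knox.token.allowed.principals is empty")
    # Loose DN check: entries are expected to start with CN=, like the page's example DN.
    problems += ["allowed principal is not a DN: %r" % d for d in dns if not d.startswith("CN=")]
    return problems

if __name__ == "__main__":
    print(check_beacon_preauth(SAMPLE) or "beacon-preauth.xml looks consistent")
```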
Change ownership of the beacon-preauth.xml file to Knox.
chown knox:hadoop beacon-preauth.xml
Open the DPS proxy topology file.
The dp-proxy.xml file was created during installation of the DPS Instance.
Ensure the following service definitions are in the file and configured with the correct FQDN host names.
Important: All DLM Engine servers that are registered with DPS must be included in this file. As new wire-encrypted clusters are registered, they must be added to this file manually.
<service>
  <role>BEACON</role>
  <url>https://<dlm_engine_host>:25443</url>
</service>
<service>
  <role>HIVE</role>
  <url>https://<hiveserver_host>:10001/cliservice</url>
</service>
Tip: You can get the HiveServer host from the default.xml file in the topology directory.
Create the truststore password entry using knox cli:
/usr/hdp/current/knox-server/bin/knoxcli.sh create-alias gateway-truststore-password --value <password>
The default JRE cacerts password is "changeit".
- Repeat this task on all cluster nodes that have Knox Gateway enabled.