DLM Installation and Upgrade
Also available as:
PDF

Configure DLM proxying for TLS wire-encrypted clusters

If you are using TLS (formerly SSL) wire encryption, you must configure DLM so that service requests are proxied through a Knox Gateway. This limits access to cluster services, providing a more secure environment. All cluster services such as Hive, Ambari, Ranger, Atlas, etc. are accessed through a Knox proxy by DPS Platform and DLM Engine.

To use wire encryption with DLM, you must configure TLS on each cluster running DLM Engine so that the engine can authenticate and communicate with Knox across all paired clusters.
  • You must perform this task on all the cluster nodes that have wire encryption enabled.
  • If proxying is used, it must be enabled on both clusters in a DLM replication pair.

    By default, proxying with Knox is disabled in DLM.

  • When proxying is enabled, you cannot pair a cluster running DLM Engine version 1.0 with a cluster running a higher version of the engine.
  • TLS must be configured for Knox before proxying will work with DLM.
  • To perform this task, you must have root user privileges on the DLM host and on all nodes that have Knox enabled.
  • You must have created the /etc/knox/conf/topologies/dp-proxy.xml file during DPS configuration.
  1. In a terminal, navigate to the Knox topologies directory.
    cd /etc/knox/conf/topologies
  2. Log in as root and create a beacon-preauth.xml file.
    vi beacon-preauth.xml
    Example beacon-preauth.xml topology file:

    You can copy and paste this sample content into your file and modify as needed.

    <topology>
        <gateway>
             <provider>
                <role>federation</role>
                <name>HeaderPreAuth</name>
                <enabled>true</enabled>
                <param>
                    <name>
                        preauth.custom.header
                    </name>
                    <value>
                        BEACON_USER
                    </value>
                </param>
            </provider>
            <provider>
              <role>identity-assertion</role>
              <name>HadoopGroupProvider</name>
              <enabled>true</enabled>
           </provider>
            <!-- currently validating this acl for authorization -->
             <provider>
                 <role>authorization</role>
                 <name>AclsAuthz</name>
                 <enabled>true</enabled>
                 <param>
                       <name>knoxtoken.acl</name>
                       <value>beacon;*;*</value>
                </param>
                </provider>
        </gateway>
        <service>
            <role>KNOXTOKEN</role>
            <param>
                <name>knox.token.ttl</name>
                <value>120000</value>
            </param>
            <param>
               <name>knox.token.client.cert.required</name>
               <value>true</value>
            </param>
            <param>
               <name>knox.token.allowed.principals</name>
               <value><semicolon separated list of beacon dn names></value>
            </param>
            <param>
                <name>knox.token.client.data</name>
                <value>cookie.name=hadoop-jwt</value>
            </param>
        </service>
    </topology>
    
    
    The DN to be configured in knox.token.allowed.principals is the DN in the TLS certificate of each beacon host.
    Example DN: CN=beacon.host.com, OU=Eng, O=ABC Corp, L=Santa Clara, ST=CA, C=US
  3. Change ownership of the beacon-preauth.xml file to Knox.
    chown knox:hadoop beacon-preauth.xml
  4. Open the DPS proxy topology file.
    The dp-proxy.xml file was created during installation of the DPS Instance.
    vi dp-proxy.xml
  5. Ensure the following service definitions are in the file and configured with the correct FQDN host names.
    Important
    Important
    All DLM Engine servers that are registered with DPS must be included in this file. As new wire-encrypted clusters are registered, they must be added to this file manually.
      <service>
       <role>BEACON</role>
       <url>https://<dlm_engine_host>:25443</url>
      </service>
      <service>
       <role>HIVE</role>
       <url>https://<hiveserver_host>:10001/cliservice</url>
      </service>
    Tip
    Tip
    You can get the HiveServer host from the default.xml file in the topology directory.
  6. Create the truststore password entry using knox cli:
    /usr/hdp/current/knox-server/bin/knoxcli.sh create-alias gateway-truststore-password --value <password>The default JRE cacerts password is “changeit” .
  7. Repeat this task on all cluster nodes that have Knox Gateway enabled.