Configure SSL for HttpFS

To configure SSL security for HttpFS, complete the following steps on a secure cluster:

  1. Rename the existing server.xml file (/opt/mapr/hadoop/httpfs/tomcat/conf/server.xml.https) to server.xml.orig, to preserve the original version.
    sudo cp /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml.orig
  2. Replace server.xml with server.xml.https.
    sudo cp /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml.https /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml
  3. Verify that the following file exists: /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin

    This file may have been renamed to context.xml to configure PAM authentication for HttpFS. However, to configure SSL for HttpFS, rename the file back to context.xml.jpamLogin.

    mv /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin 
  4. To enable certificate-based authentication, perform the following steps:
    1. In web.xml (/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/web.xml), un-comment the following section:
      <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>sample</role-name>
      </auth-constraint>
      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
       
      <security-role>
        <role-name>sample</role-name>
      </security-role>
       
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
    2. Verify that tomcat-users.xml (/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/tomcat-users.xml) contains the roles and users in the certificates.
      <tomcat-users>
          <role rolename="sample"/>
          <user name="CN=<hostname>" password="null" roles="sample" />
      </tomcat-users>
      Note: The name value should include information from your certificate. For example:
      <tomcat-users>
        		<role rolename="sample"/>
        		<user name="CN=www.mapr.com, OU=mapr, O=mapr, L=San Jose, ST=San Jose, C=CA" password="null" roles="sample" />
      </tomcat-users>
      You can run the following command to view the contents of the certificate file:
      openssl x509 -text -in /opt/mapr/hue/hue-<version>/cert.pem 
  5. Restart the HttpFS server.
    maprcli node services -name httpfs -action restart -nodes <space delimited list of nodes>
  6. Run one of the following curl commands to check that https is enabled. These commands fetch the file some_file.txt from MapR-FS under /user/mapr and attempts to open it securely over https.
    • Verify that HTTPS is enabled

      curl -k "https://localhost:14000/webhdfs/v1/user/mapr/some_file.txt?op=open&user.name=mapr"
    • If you also configure Hue to use SSL encryption with certificate-based authentication for communication with HttpFS , run the following command:

      Verify that HTTPS is enabled with certificate-based authentication

      curl --cert /opt/mapr/hue/hue-<version>/cert.pem --key /opt/mapr/hue/hue-<version>/hue_private_keystore.pem "https://localhost:14000/webhdfs/v1/user/mapr/some_file.txt?op=open&user.name=mapr"