Configure Kerberos for Storm

As of Storm 0.10.0-1602, you can configure Storm to use Kerberos authentication on a secure cluster.

Complete the basic storm configurations before you configure Storm to use Kerberos authentication. For details on the basic Storm configuration, see Configure Basic Storm Parameters
When you complete the following steps to configure Kerberos authentication, replace instances of <fqdn>@<realm> and <fqdn> with data that is specific to your environment. These steps must be performed on each node in the Storm cluster.
  1. In the storm.yaml, add the following configurations:
    #UI Authentication 
    ui.filter:"org.apache.hadoop.security.authentication.server.AuthenticationFilter" 
    ui.filter.params:{'type':'simple','user.name':'mapr'} 
    
    #Worker, nimbus, supervisor JVM params. Adds Kerberos support with params from /opt/mapr/conf/mapr.login.conf . Debug mode ON. 
    worker.childopts:  "-Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.clientconfig=StormZooClient"
    supervisor.childopts: "-Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.clientconfig=StormZooClient"
    nimbus.childopts: "-Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.clientconfig=StormZooClient"
    
    #Enables Kerberos authentication 
    storm.thrift.transport:"backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin" 
    java.security.auth.login.config:"/opt/mapr/conf/mapr.login.conf" 
    java.security.krb5.conf:"/etc/krb5.conf"
    
    #Nimbus also will translate the principal into a local user name, so that other services can use this name. To configure this for Kerberos authentication set 
    storm.principal.tolocal:"backtype.storm.security.auth.KerberosPrincipalToLocal"
    
    #We also need to inform the topology who the supervisor daemon and the nimbus daemon are running as, from a ZooKeeper perspective. 
    storm.zookeeper.superACL:"sasl:mapr/<fqdn>@<realm>"
    
    #The preferred authorization plug-in for nimbus is The SimpleACLAuthorizer. To use the SimpleACLAuthorizer, set the following: 
    nimbus.authorizer:"backtype.storm.security.auth.authorizer.SimpleACLAuthorizer"
    
    #To ensure only authorized users can perform impersonation, you should start nimbus with 
    nimbus.admins: 
      -"mapr/<fqdn>@<realm>"    
      -"mapr" 
    nimbus.supervisor.users:     
      -"mapr/<fqdn that runs supervisor>@<realm>"
      -"mapr" 
    nimbus.users:
      -"mapr" 
    storm.auth.simple-acl.admins:   
      -"mapr/<fqdn>@<realm>" 
    storm.auth.simple-acl.users:  
      -"mapr/<fqdn>@<realm>" 
    nimbus.impersonation.authorizer: backtype.storm.security.auth.authorizer.ImpersonationAuthorizer 
    nimbus.impersonation.acl:
      mapr:  
         hosts:     
            [localhost,127.0.0.1, <fqdn>]   
         groups:
            [mapr, <fqdn>]
    Note: When Storm runs on more than one node in the cluster, the storm.auth.simple-acl.admins and storm.auth.simple-acl.users must specify values that are node-specific. For example, if you are configuring these properties on a node that runs the Nimbus service, the node name and users must correspond to the hostname of the Nimbus node and users available on that Nimbus node.
  2. Add the following sections to mapr.login.conf:
    StormServer {      
      com.sun.security.auth.module.Krb5LoginModule required   
      useKeyTab=true   
      keyTab="/opt/mapr/conf/mapr.keytab"   
      storeKey=true   
      useTicketCache=false   
      principal="mapr/<fqdn>@<realm>";
    };
    
    StormClient {     
      com.sun.security.auth.module.Krb5LoginModule required   
      useKeyTab=true   
      keyTab="/opt/mapr/conf/mapr.keytab"   
      storeKey=true   
      useTicketCache=false   
      serviceName="mapr"   
      principal="mapr/<fqdn>@<realm>";
    }; 
    
    StormZooClient{
      com.mapr.security.maprsasl.MaprSecurityLoginModule required
          checkUGI=false
          authMech="MAPR-SECURITY"
          debug=true;
      org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
          refreshKrb5Config=true
          doNotPrompt=true
          useKeyTab=true
          storeKey=true;
      org.apache.hadoop.security.login.GenericOSLoginModule required;
      org.apache.hadoop.security.login.HadoopLoginModule required
          principalPriority=com.mapr.security.MapRPrincipal;
    };
    Note: For nodes in the Storm cluster that run the Supervisor but not Nimbus or the Storm UI service, the StormServer section is not required.
  3. Copy the storm.yaml to the /home/mapr/.storm/ directory on each Nimbus and Supervisor node.
  4. Generate a new kerberos ticket.
    kinit -kt /opt/mapr/conf/mapr.keytab -p mapr/<fqdn>@<realm>
  5. On a secure cluster, login to the cluster with the kerberos ticket.
    
    maprlogin kerberos
    
If you want to login to the Storm UI, login with the following URL:
http://<hostname>:<UI_port>/?user.name=mapr
Note: In the URL above, UI_Port is the ui.port parameter that is configured the storm.yaml.