Security Settings for Ecosystem Components

Lists the security settings for all MapR ecosystem components.

The security settings for the various MapR ecosystem components are as follows:

Table 1. Security Settings for MapR Ecosystem Components
Security Settings for Hadoop/Yarn/Oozie/Hue/HttpFs

| File or Command | Description | Default Secure Setting | Alternate Value or Change Command | Notes |
|---|---|---|---|---|
| core-default.xml | Defines the authentication used for the HTTP web-consoles | hadoop.http.authentication.type:org.apache.hadoop.security.authentication.server.MultiMechsAuthenticationHandler | simple / kerberos / #AUTHENTICATION_HANDLER_CLASSNAME# | |
| | No information found on MapR Docs | hadoop.security.custom.auth.principal.class:com.mapr.security.MapRPrincipal | | |
| core-default.xml & core-site.xml | LDAP configuration | hadoop.security.group.mapping.ldap.search.filter.user:(&(objectClass=user)(sAMAccountName={0})) | | An additional filter to use when searching for LDAP users. The default filter is usually appropriate for Active Directory installations. If connecting to an LDAP server with a non-AD schema, replace the default filter with (&(objectClass=inetOrgPerson)(uid={0})). {0} is a special string used to denote where the username fits into the filter. If the LDAP server supports posixGroups, Hadoop can enable the feature by setting the value of this property to posixAccount and the value of the hadoop.security.group.mapping.ldap.search.filter.group property to posixGroup. |
| core-default.xml & core-site.xml | No information found on MapR Docs | hadoop.security.authentication:CUSTOM | | |
| | Java class that handles the HTTP auth secret | hadoop.http.authentication.signature.secret:com.mapr.security.maprauth.MaprSignatureSecretFactory | | |
| core-default.xml & core-site.xml | Group authentication cache duration | hadoop.security.groups.cache.secs:300 | | |
| | No information found on MapR Docs | hadoop.http.authentication.signer.secret.provider:org.apache.hadoop.security.authentication.util.MapRSignerSecretProvider | | |
| | No information found on MapR Docs | yarn.external.token.manager:com.mapr.hadoop.yarn.security.MapRTicketManager | | |
| core-default.xml & core-site.xml | OS security random device file path | hadoop.security.random.device.file.path:/dev/urandom | | |
| core-default.xml & core-site.xml | Key to set if the registry is secure | hadoop.registry.secure:false | TRUE | Turning it on changes the permissions policy from open access to restrictions on Kerberos, with the option of a user adding one or more auth key pairs down their own tree. |
| | No information found on MapR Docs | hadoop.log.level.authenticator.class:com.mapr.security.maprauth.MaprAuthenticator | | |
| core-default.xml & core-site.xml | Indicates if administrator ACLs are required to access the instrumentation servlets (JMX, METRICS, CONF, STACKS) | hadoop.security.instrumentation.requires.admin:false | TRUE | |
| core-default.xml & core-site.xml | The keystores factory to use for retrieving certificates | hadoop.ssl.keystores.factory.class:org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory | | |
| core-default.xml & core-site.xml | Comma-separated list of crypto codec implementations for AES/CTR/NoPadding | hadoop.security.crypto.codec.classes.aes.ctr.nopadding:org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec,org.apache.hadoop.crypto.JceAesCtrCryptoCodec | | The first implementation is used, if available. Other implementations are fallbacks. |
| core-default.xml & core-site.xml | The attribute of the group object that identifies the users that are members of the group. | hadoop.security.group.mapping.ldap.search.attr.member:member | | |
| core-default.xml & core-site.xml | If looking up the groups of a single user takes longer than the specified number of milliseconds, log a warning message | hadoop.security.groups.cache.warn.after.ms:5000 | | |
| core-default.xml & core-site.xml | The attribute applied to the LDAP Search Control properties to set a maximum time limit when searching and waiting for a result | hadoop.security.group.mapping.ldap.directory.search.timeout:10000 | | Set to 0 if an infinite wait period is desired. Default is 10 seconds. Units are milliseconds. |
| core-site.xml | MapR service account ("mapr") impersonation | hadoop.proxyuser.mapr.hosts:* and hadoop.proxyuser.mapr.groups:* | | Set by default in a v6.1 secure install. |
| yarn-site.xml | Defines the authentication used for the timeline server HTTP endpoint. | yarn.timeline-service.http-authentication.type:com.mapr.security.maprauth.MaprDelegationTokenAuthenticationHandler | | Supported values are: simple / kerberos / #AUTHENTICATION_HANDLER_CLASSNAME#. Defaults to simple. |
| yarn-default.xml | The allowed pattern for UNIX user names enforced by Linux-container-executor when used in nonsecure mode (the use case for this is using cgroups). | yarn.nodemanager.linux-container-executor.nonsecure-mode.user-pattern:^[_.A-Za-z0-9][-@_.A-Za-z0-9]{0,255}?[$]?$ | | The default value is taken from /usr/sbin/adduser |
| core-default.xml & core-site.xml | Indicates whether or not to use SSL when connecting to the LDAP server. | hadoop.security.group.mapping.ldap.ssl:false | TRUE | |
| core-default.xml & core-site.xml | An additional filter to use when searching for LDAP groups | hadoop.security.group.mapping.ldap.search.filter.group:(objectClass=group) | | Change this filter when resolving groups against a non-Active Directory installation. See the description of hadoop.security.group.mapping.ldap.search.filter.user to enable posixGroups support. |
| core-default.xml & core-site.xml | Controls the validity of the entries in the cache containing the userId-to-userName and groupId-to-groupName mappings used by NativeIO getFstat(). | hadoop.security.uid.cache.secs:14400 | | |
| yarn-default.xml | Determines which of the two modes LCE should use on a non-secure cluster. | yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users:true | FALSE | Set this value to true to launch all containers as the user specified in yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user. Set this value to false to run containers as the user who submitted the application. |
| | Disable insecure protocols | hadoop.ssl.exclude.insecure.protocols:SSLv3,TLSv1 | | |
| core-default.xml & core-site.xml | Class for user-to-group mapping (get groups for a given user) for ACLs. | hadoop.security.group.mapping:org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback | | The default implementation org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback determines if the Java Native Interface (JNI) is available. If JNI is available, the implementation uses the API within Hadoop to resolve a list of groups for a user. If JNI is not available, the shell implementation ShellBasedUnixGroupsMapping is used, which shells out to the Linux/Unix environment with the bash -c groups command to resolve a list of groups for a user. |
| | No information found on MapR Docs | hadoop.security.custom.rpc.auth.method.class:org.apache.hadoop.security.rpcauth.MaprAuthMethod | | |
| core-default.xml & core-site.xml | The attribute of the group object that identifies the group name. | hadoop.security.group.mapping.ldap.search.attr.group.name:cn | | The default is usually appropriate for all LDAP systems. |
| core-default.xml & core-site.xml | The Java secure random algorithm. | hadoop.security.java.secure.random.algorithm:SHA1PRNG | | |
| core-default.xml & core-site.xml | Is service-level authorization enabled? | hadoop.security.authorization:true | False | |
| core-default.xml & core-site.xml | Expiration time for entries in the negative user-to-group mapping cache, in seconds. | hadoop.security.groups.negative-cache.secs:30 | | This parameter is useful when invalid users retry frequently. Set a low value for this expiration, since a transient error in group lookup could temporarily lock out a legitimate user. Set this parameter to zero or a negative value to disable negative user-to-group caching. |
| yarn-default.xml | Linux-container-executor setting | yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user:nobody | | The UNIX user that containers run as when Linux-container-executor is used in nonsecure mode (a use case for this is using cgroups) if yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users is set to true. |
| core-default.xml & core-site.xml | Cipher suite for the crypto codec. | hadoop.security.crypto.cipher.suite:AES/CTR/NoPadding | | |
| core-default.xml & core-site.xml | The buffer size used by CryptoInputStream and CryptoOutputStream. | hadoop.security.crypto.buffer.size:8192 | | |
| | No information found on MapR Docs | hadoop.security.java.security.login.config.jar.path:/mapr.login.conf | | |
| core-default.xml & core-site.xml | Indicates if anonymous requests are allowed when using simple authentication. | hadoop.http.authentication.simple.anonymous.allowed:true | FALSE | |
| yarn-default.xml | Indicates if anonymous requests are allowed by the timeline server when using simple authentication. | yarn.timeline-service.http-authentication.simple.anonymous.allowed:true | False | |
| core-default.xml & core-site.xml | Indicates how long (in seconds) an authentication token is valid before it has to be renewed. | hadoop.http.authentication.token.validity:36000 | | |
| core-default.xml & core-site.xml | IPC client fallback to simple authentication | ipc.client.fallback-to-simple-auth-allowed:false | True | When a client is configured to attempt a secure connection but attempts to connect to an insecure server, that server may instruct the client to switch to SASL SIMPLE (unsecure) authentication. This setting controls whether or not the client accepts this instruction from the server. When false (the default), the client does not allow the fallback to SIMPLE authentication and aborts the connection. |
| | No information found on MapR Docs | yarn.mapr.ticket.expiration:604800000 | | |
| core-default.xml & core-site.xml | Protocols supported by SSL. | hadoop.ssl.enabled.protocols:TLSv1 | | |
| core-default.xml & core-site.xml | List of excluded ciphers | hadoop.ssl.exclude.cipher.suites:SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA | | |
| core-default.xml & core-site.xml | Indicates whether client certificates are required | hadoop.ssl.require.client.cert:false | TRUE | |
| core-default.xml & core-site.xml | The hostname verifier to provide for HttpsURLConnections. | hadoop.ssl.hostname.verifier:DEFAULT | | Valid values are: DEFAULT, STRICT, STRICT_I6, DEFAULT_AND_LOCALHOST and ALLOW_ALL |
| core-default.xml & core-site.xml | Resource file from which SSL client keystore information is extracted | hadoop.ssl.client.conf:ssl-client.xml | | This file is looked up in the classpath, and is usually present in the Hadoop conf/ directory. |
| mapred-default.xml | Buffer size for reading spills from file when using SSL. | mapreduce.shuffle.ssl.file.buffer.size:65536 | | |
| core-default.xml & core-site.xml | Resource file from which SSL server keystore information is extracted. | hadoop.ssl.server.conf:ssl-server.xml | | This file is looked up in the classpath, and is usually present in the Hadoop conf/ directory. |
| core-default.xml & core-site.xml | Configures the HTTP endpoint for YARN daemons. | yarn.http.policy:HTTP_ONLY | | The following values are supported: HTTP_ONLY (service is provided only on http); HTTPS_ONLY (service is provided only on https). |
| core-default.xml & core-site.xml | Enables or disables SSL connections to S3. | fs.s3a.connection.ssl.enabled:true | FALSE | |
| mapred-default.xml | Indicates whether to use SSL for the Shuffle HTTP endpoints. | mapreduce.shuffle.ssl.enabled:false | TRUE | |
| hive-site.xml | Hive client authenticator manager class name. | hive.security.authenticator.manager:org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator | | |
| hive-site.xml | Enables or disables Hive client authorization | hive.security.authorization.enabled:true | False | |
| hive-site.xml | The Hive client authorization manager class name. | hive.security.authorization.manager:org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory | | |
| hive-site.xml | List of comma-separated Java regexes. | hive.security.authorization.sqlstd.confwhitelist:hive\.exec\.pre\.hooks | | You can modify configuration parameters that match these regexes when you enable SQL standard authorization. |
| hive-site.xml | Authorization DDL task factory implementation | hive.security.authorization.task.factory:org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl | | |
| hive-site.xml | Comma-separated list of non-SQL Hive commands that users are authorized to execute | hive.security.command.whitelist:set,reset,dfs,add,list,delete,reload,compile | | |
| hive-site.xml | Authenticator manager class name to be used in the metastore for authentication. | hive.security.metastore.authenticator.manager:org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator | | |
| hive-site.xml | If this is true, the metastore authorizer authorizes read actions on databases and tables | hive.security.metastore.authorization.auth.reads:true | FALSE | |
| hive-site.xml | Names of authorization manager classes (comma-separated) to be used in the metastore for authorization. | hive.security.metastore.authorization.manager:org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider | | A user-defined authorization class should implement the interface org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider. All authorization manager classes have to successfully authorize the metastore API call for the command execution to be allowed. |
| hive-site.xml | If true, the HiveServer2 WebUI is secured with PAM | hive.server2.webui.use.pam=true | false | |
| hive-site.xml | Class for PAM authentication | hive.server2.webui.pam.authenticator:org.apache.hive.http.security.PamAuthenticator | | |
| hive-site.xml | Determines whether the metastore performs authorization checks against the underlying storage for operations such as drop-partition | hive.metastore.authorization.storage.check.externaltable.drop:true | false | Disallows the drop-partition if the user in question does not have permissions to delete the corresponding directory on the storage |
| hive-site.xml | Determines whether the metastore performs authorization checks against the underlying storage for operations such as drop-partition | hive.metastore.authorization.storage.checks:false | true | Disallows the drop-partition if the user in question does not have permissions to delete the corresponding directory on the storage |
| hive-site.xml | Client authentication types. | hive.server2.authentication:PAM | | NONE: no authentication check, plain SASL transport; LDAP: LDAP/AD based authentication; KERBEROS: Kerberos/GSSAPI authentication; CUSTOM: custom authentication provider (use with property hive.server2.custom.authentication.class); PAM: Pluggable Authentication Module (added in Hive 0.13.0 with HIVE-6466); NOSASL: raw transport (added in Hive 0.13.0) |
| hive-site.xml | This property is used in LDAP search queries for finding LDAP group names to which a user belongs. | hive.server2.authentication.ldap.groupClassKey:groupOfNames | | The value of this property is used to construct an LDAP group search query and to indicate the objectClass of a group. Every LDAP group has a certain objectClass. For example: group, groupOfNames, groupOfUniqueNames. |
| hive-site.xml | LDAP attribute name on the group object that contains the list of distinguished names for the user, group, and contact objects that are members of the group. | hive.server2.authentication.ldap.groupMembershipKey:member | | For example: member, uniqueMember, or memberUid. This property is used in LDAP search queries when finding LDAP group names to which a particular user belongs. The value of the LDAP attribute indicated by this property should be a full DN for the user, or the short username or userid. For example, a group entry for fooGroup containing member: uid=fooUser,ou=Users,dc=domain,dc=com helps determine that fooUser belongs to LDAP group fooGroup. See Group Membership for a detailed example. You can use this property to find the users if a custom-configured LDAP query returns a group instead of a user (as of Hive 2.1.1). For details, see Support for Groups in Custom LDAP Query. |
| hive-site.xml | This property indicates the prefix to use when building the bindDN for the LDAP connection (when using only baseDN). | hive.server2.authentication.ldap.guidKey:uid | | bindDN is <guidKey>=<user/group>,<baseDN>. If the configuration uses userDNPattern and/or groupDNPattern, the guidKey is not required. The guidKey is required when only the baseDN is being used. |
| hive-site.xml | When true, HiveServer2 in HTTP transport mode uses a cookie-based authentication mechanism. | hive.server2.thrift.http.cookie.auth.enabled:true | | |
| hive-site.xml | SASL QOP value; set it to one of the following values to enable higher levels of protection for HiveServer2 communication with clients. | hive.server2.thrift.sasl.qop:auth-conf | | auth: authentication only (default); auth-int: authentication plus integrity protection; auth-conf: authentication plus integrity and confidentiality protection. Note that setting hadoop.rpc.protection to a higher level than HiveServer2 does not make sense in most situations: HiveServer2 ignores hadoop.rpc.protection in favor of hive.server2.thrift.sasl.qop. This setting is applicable only if HiveServer2 is configured to use Kerberos authentication. |
| hive-site.xml | | hive.test.authz.sstd.hs2.mode:false | | |
| hive-site.xml | Setting this property to true enables HiveServer2 to execute Hive operations as the user making the calls to it. | hive.server2.enable.doAs=true | FALSE | |
| hive-site.xml | Indicates whether the metastore should use SSL | hive.metastore.use.SSL:false | TRUE | |
| hive-site.xml | SSL certificate keystore location. | hive.server2.keystore.path:/opt/mapr/conf/ssl_keystore | | |
| hive-site.xml | Set this to true to use SSL encryption in HiveServer2. | hive.server2.use.SSL:true | false | |
| hive-site.xml | SSL certificate keystore location for the HiveServer2 WebUI. | hive.server2.webui.keystore.path:/opt/mapr/conf/ssl_keystore | | |
| hive-site.xml | Set this to true to use SSL encryption for the HiveServer2 WebUI. | hive.server2.webui.use.ssl:true | TRUE | |
| hive-site.xml | SSL protocols that need to be disabled | hive.ssl.protocol.blacklist:SSLv2,SSLv3 | | |
| oozie-default.xml & oozie-site.xml | Authentication used for the Oozie HTTP endpoint | oozie.authentication.type=simple | | The supported values are: simple / kerberos / #AUTHENTICATION_HANDLER_CLASSNAME#. |
| oozie-default.xml & oozie-site.xml | Denotes how long (in seconds) an authentication token is valid before it has to be renewed | oozie.authentication.token.validity=36000 | | |
| oozie-default.xml & oozie-site.xml | The signature secret for signing the authentication tokens. | oozie.authentication.signature.secret= | | If not set, a random secret is generated at startup time. |
| oozie-default.xml & oozie-site.xml | The domain to use for the HTTP cookie that stores the authentication token. | oozie.authentication.cookie.domain= | | Set the domain appropriately to enable authentication to work correctly across all Hadoop node web-consoles. |
| oozie-default.xml & oozie-site.xml | Indicates whether anonymous requests are allowed. | oozie.authentication.simple.anonymous.allowed=true | | This setting is meaningful only when using simple authentication. |
| oozie-site.xml | Controls whether SSL encryption is enabled | oozie.https.enabled:true | false | |
| oozie-site.xml | Path to a TrustStore file | oozie.https.truststore.file:/opt/mapr/conf/ssl_truststore | | |
| oozie-site.xml | Path to a KeyStore file | oozie.https.keystore.file:/opt/mapr/conf/ssl_keystore | | |
| oozie-site.xml | Password to the KeyStore | oozie.https.keystore.pass:<password> | | |
| oozie-client-env.sh | Configuration for Oozie clients to use SSL | export OOZIE_CLIENT_OPTS="${OOZIE_CLIENT_OPTS} -Djavax.net.ssl.trustStore=/opt/mapr/conf/ssl_truststore" | | |
| oozie-site.xml | User impersonation for Oozie | oozie.service.ProxyUserService.proxyuser.mapr.hosts:* and oozie.service.ProxyUserService.proxyuser.mapr.groups:* | | |
| httpfs-site.xml | PAM authentication for HttpFS | httpfs.hadoop.authentication.type:multiauth and httpfs.authentication.type:multiauth | | |
| httpfs-site.xml | User impersonation for HttpFS | httpfs.proxyuser.mapr.hosts:* and httpfs.proxyuser.mapr.groups:* | | |
Hue / Security Configurations

hue.ini: Configure HTTPS for the Hue UI
  Default secure setting:
    [desktop]
    ssl_certificate=${ssl_certificate}
    ssl_private_key=${ssl_private_key}
    ssl_password=${ssl_password}
  Alternate value: true
  Notes: The values are picked from the following files:
    $ cat /opt/mapr/hue/hue-4.2.0/desktop/conf/.isSecure
    true

    $ cat /opt/mapr/hue/hue-4.2.0/bin/env.d/20secure
    #!/bin/sh
    HUE_SECURE_FILE="${HUE_HOME}/desktop/conf/.isSecure"
    if [ -e "$HUE_SECURE_FILE" ] && [ "$(cat "$HUE_SECURE_FILE")" = "true" ] ; then
        export mechanism=${mechanism:-"MAPR-SECURITY"}
        export security_enabled=${security_enabled:-"true"}
        export ssl_cacerts=${ssl_cacerts:-"${MAPR_HOME}/conf/ssl_truststore.pem"}
        export ssl_validate=${ssl_validate:-"true"}
        export ssl_certificate=${ssl_certificate:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
        export ssl_private_key=${ssl_private_key:-"${MAPR_HOME}/conf/ssl_keystore.pem"}
        export ssl_password=${ssl_password:-"mapr123"}
    fi

hue.ini: Path to the PEM truststore, and option to enable/disable certificate verification for SSL-encrypted connections to other services (RM, HS, NM, Spark HS, Oozie, Livy, Sqoop2, HBase, Hive, Impala)
  Default secure setting:
    [desktop]
    ssl_cacerts=${ssl_cacerts}
    ssl_validate=${ssl_validate}
  Alternate value: true
  Notes: Values are picked in the same way as the values for the previous parameter. Also, the Installer overrides this property with the value false by creating the following file:
    $ cat /opt/mapr/hue/hue-4.2.0/bin/env.d/30installer
    # Do not edit this file. It was generated automatically by MapR Installer.
    # Disable certificate verification, as Installer allows to use node IPs instead of proper hostnames:
    export ssl_cacerts=""
    export ssl_validate="false"

Hue / Outbound Security Configurations

hue.ini: Configure Hue to use MapR-SASL for YARN (RM, NM, HS, Spark HS)
  Default secure setting:
    [hadoop]
    [[yarn_clusters]]
    [[[default]]]
    ...
    # Change this if your YARN cluster is secured
    # security_enabled=${security_enabled}
    # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
    # mechanism=${mechanism}
    # In secure mode (HTTPS), if SSL certificates from Resource Manager's
    # Rest Server have to be verified against certificate authority
    # ssl_cert_ca_verify=False
  Alternate value: true
  Notes: Values are picked from the same files as for the Hue UI HTTPS parameter above (.isSecure and env.d/20secure).

hue.ini: Configure Hue to use MapR-SASL for HttpFS
  Default secure setting:
    [hadoop]
    [[hdfs_clusters]]
    [[[default]]]
    ...
    # Change this if your HDFS cluster is secured
    security_enabled=${security_enabled}
    # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
    mechanism=${mechanism}
    # Enable mutual SSL authentication
    # mutual_ssl_auth=False
    # Certificate for SSL connection
    # ssl_cert=keys/cert.pem
    # Private key for SSL connection
    # ssl_key=keys/hue_private_keystore.pem
    # In secure mode (HTTPS), if SSL certificates from YARN Rest APIs
    # have to be verified against certificate authority
    # ssl_cert_ca_verify=True
  Alternate value: true
  Notes: Values are picked from the same files as for the Hue UI HTTPS parameter above (.isSecure and env.d/20secure).

hue.ini: Configure Hue to use MapR-SASL for Oozie
  Default secure setting:
    [liboozie]
    ...
    # Requires FQDN in oozie_url if enabled
    security_enabled=${security_enabled}
    # Security mechanism of authentication: none/GSSAPI/MAPR-SECURITY
    mechanism=${mechanism}
  Alternate value: true
  Notes: same as above

hue.ini: Configure Hue to use MapR-SASL for Livy
  Default secure setting:
    [spark]
    ...
    # Whether Livy requires client to perform Kerberos authentication.
    security_enabled=${security_enabled}
    # Security mechanism of authentication: none/GSSAPI/MAPR-SECURITY
    mechanism=${mechanism}
  Alternate value: TRUE
  Notes: same as above

hue.ini: Configure Hue to use MapR-SASL for Hive
  Default secure setting:
    [beeswax]
    ...
    # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
    mechanism=${mechanism}
  Alternate value: TRUE
  Notes: same as above

hue.ini: Configure Hue to use MapR-SASL for HBase Thrift (MapR-DB)
  Default secure setting:
    [hbase]
    ...
    # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
    mechanism=${mechanism}
  Alternate value: true
  Notes: same as above

hue.ini: Configure Hue to use MapR-SASL for Drill
  Default secure setting:
    [librdbms]
    [[databases]]
    ...
    [[[drill]]]
    ...
    # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY.
    mechanism=${mechanism}
  Alternate value: TRUE
  Notes: same as above

hue.ini: PAM/LDAP authentication between Hue and Hive
  Default secure setting:
    [desktop]
    ...
    # Default LDAP/PAM/.. username and password of the Hue user used for authentication with other services.
    # Inactive if password is empty.
    # e.g. LDAP pass-through authentication for HiveServer2 or Impala. Apps can override them individually.
    auth_username=${MAPR_USER}
    auth_password=<user_password>
    ...
    [beeswax]
    ...
    # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY
    mechanism=none
  Alternate value: TRUE

hue.ini: PAM/LDAP authentication between Hue and Drill
  Default secure setting:
    [librdbms]
    [[databases]]
    ...
    [[[drill]]]
    ...
    # Security mechanism of authentication none/GSSAPI/MAPR-SECURITY.
    mechanism=none
    # Username to authenticate with when connecting to the database.
    # Used with plain authentication (mechanism set to "none").
    user=<username>
    # Password matching the username to authenticate with when
    # connecting to the database.
    # Used with plain authentication (mechanism set to "none").
    password=<password>
    # Execute this script to produce the database password.
    # This will be used when password is required and `password` is not set.
    ## password_script=
  Alternate value: TRUE

User impersonation between Hue and YARN services (RM, NM, HS) + Spark HS
  Default secure setting: Enabled by default
  Alternate value: FALSE
  Notes: Hue will always send requests to RM, NM, HS and Spark HS with the doAs=<impersonation_target> parameter

User impersonation between Hue and HttpFS
  Default secure setting: Enabled by default
  Alternate value: FALSE
  Notes: Hue will always send requests to HttpFS with the doas=<impersonation_target> parameter

User impersonation between Hue and Oozie
  Default secure setting: Enabled by default
  Alternate value: FALSE
  Notes: Hue will always send requests to Oozie with the doAs=<impersonation_target> parameter

User impersonation between Hue and Livy
  Default secure setting: Enabled by default
  Alternate value: FALSE
  Notes: Hue will always send requests to Livy with the proxyUser=<impersonation_target> option

User impersonation between Hue and Hive
  Alternate value: FALSE
  Notes: Hue detects the impersonation settings of Hive from hive-site.xml automatically

User impersonation between Hue and HBase Thrift (MapR-DB)
  Alternate value: FALSE
  Notes: Hue detects the impersonation settings of Hive from hbase-site.xml automatically

hue.ini: User impersonation between Hue and Drill
  Default secure setting:
    [librdbms]
    [[databases]]
    ...
    [[[drill]]]
    ...
    # Available options:
    # "impersonation" to enable or disable outbound impersonation.
    # "principal" of Drill service. Used when Kerberos authentication is enabled.
    options='{"impersonation": true}'
  Alternate value: TRUE

Authenticating Hue Users with LDAP Credentials (hue.ini)

hue.ini: Determines which authentication method to use: search and bind, or direct bind.
  Default secure setting: search_bind_authentication
  Notes: When set to true, Hue performs an LDAP search using bind_dn and bind_password as provided in hue.ini. The search can be further limited by the search filter user_filter. When set to false, Hue performs a direct bind to LDAP using the credentials provided from one of these sources: the UPN, formed by concatenating <shortname> (the user name provided on the Hue login page) and nt_domain (if nt_domain is specified); or the ldap_username_pattern (if nt_domain is not specified).

hue.ini: The NT domain to connect to. This parameter is only used with Active Directory.
  Default secure setting: nt_domain
  Notes: Used with the direct bind method of authentication. If nt_domain is specified, then ldap_username_pattern is ignored.

hue.ini: Used to connect to directory services other than Active Directory.
  Default secure setting: ldap_username_pattern
  Notes: Used with the direct bind method of authentication. Usually takes the form "cn=<username>,dc=example,dc=com".

hue.ini: The backend to use for authenticating users.
  Default secure setting: backend
  Notes: Needs to be set to desktop.auth.backend.LdapBackend for Hue LDAP authentication.
Security Settings for Drill/Spark/Livy/Tez
Drill Security Configurations
drill-override.conf Determines if encryption on the server is enabled for negotiating privacy with the Drill client. drill.exec.security.user.encryption.sasl.enabled=false True
drill-override.conf Determines if the server is enabled for negotiating privacy with another Drillbit. drill.exec.security.bit.encryption.ssl.enabled=true FALSE
drill-override.conf TLS/SSL versions allowed drill.exec.impersonation.ssl.protocol: TLSv1.2 Other versions possible
drill-override.conf Format of the keystore file javax.net.ssl.keyStoreType: JKS jks, jceks, pkcs12
drill-override.conf Location of the Java keystore file drill.exec.ssl.keyStorePath ssl.server.keystore.location: /opt/mapr/conf/ssl_keystore Using it from MapR Hadoop properties, leveraging it from drill-distrib.conf property drill.exec.ssl.useHadoopConfig: true
drill-override.conf Password to access the private key from the keystore file. drill.exec.ssl.keyStorePassword ssl.server.keystore.password Using it from MapR Hadoop properties, leveraging it from drill-distrib.conf property drill.exec.ssl.useHadoopConfig: true
drill-override.conf Password to access the private key from the keystore file. drill.exec.ssl.keyPassword ssl.server.keystore.password Using it from MapR Hadoop properties, leverageing it from drill-distrib.conf property drill.exec.ssl.useHadoopConfig: true
drill-override.conf Format of the truststore file drill.exec.ssl.trustStoreType: JKS jks, jceks, pkcs12
drill-override.conf Location of the Java keystore file containing the collection of CA certificates trusted by the Drill client. drill.exec.ssl.trustStorePath ssl.server.truststore.location: /opt/mapr/conf/ssl_truststore
drill-override.conf Password to access the private key from the keystore file specified as the truststore. drill.exec.ssl.trustStorePassword ssl.server.truststore.password
drill-override.conf Changes the underlying implementation to the chosen value. drill.exec.ssl.provider: JDK OPENSSL/JDK
drill-override.conf Use mapr ssl trust and key store drill.exec.ssl.useHadoopConfig TRUE
drill-distrib.conf Drill Web UI HTTPS protocol for encryption drill.exec: { http.ssl_enabled: true, ssl.useHadoopConfig: true } Default from Drill 1.13
drill-distrib.conf ZooKeeper znode ACL for Drill cluster info and query info zk.apply_secure_acl: true FALSE Set by default on MapR Secure cluster with installer in drill-distrib.conf drill.exec.zk.apply_secure_acl: true
drill-distrib.conf Drill user impersonation, needed for MapR-DB to work properly with CF access drill.exec.impersonation.enabled: true FALSE Set by default on MapR Secure cluster with installer in drill-distrib.conf drill.exec.impersonation.enabled: true , also see Impersonation inbound policies for information on setting which users can impersonate others
drill-override.conf Drill user impersonation, maximum number of hops (when one user creates a view on data and shares it with others, how many impersonation hops are allowed) Different numeric value Set by default on MapR Secure cluster with installer in drill-distrib.conf drill.exec.impersonation.max_chained_user_hops: 3
drill-override.conf Authentication mechanisms KERBEROS Set by default on MapR Secure cluster with installer in drill-distrib.conf drill.exec.security.auth.mechanisms: ["MAPRSASL", "PLAIN"]
drill-override.conf End-user encryption mechanism Can set drill.exec.security.user.encryption.ssl.enabled: true Set by default on MapR Secure cluster with installer in drill-distrib.conf drill.exec.security.user.encryption.sasl.enabled: true ; to use SSL instead, set drill.exec.security.user.encryption.ssl.enabled: true . Note: with PLAIN (user/password) authentication, SASL encryption cannot be set to true; SSL encryption must be used for PLAIN. MapR tickets (SASL authentication) can also be used together with SSL encryption, but then SSL encryption is the one encryption mechanism for both.
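The PLAIN/SASL/SSL constraint in the row above is the kind of rule a configuration review should catch mechanically rather than by eye. The following is an added example, not code from MapR or Apache Drill: it parses the HOCON subset that drill-override.conf and drill-distrib.conf normally use (a constructed sample is embedded), flattens the keys to their dotted form, and reports settings that contradict the secure values in this table. SAMPLE_DRILL_OVERRIDE, parse_hocon and check_drill_security are names chosen for the example.

```python
"""Audit the Drill security settings listed above.

Added example, not code from MapR or Apache Drill.  Handles only the HOCON
subset drill-override.conf / drill-distrib.conf normally use: `a.b: v`, `a = v`,
nested `a { ... }` or `a: { ... }` blocks, quoted strings, lists of scalars, and
`#` / `//` comments (commas and comment markers inside quoted values are not
supported).  SAMPLE_DRILL_OVERRIDE is constructed; function names are ours.
"""
import re

SAMPLE_DRILL_OVERRIDE = """
# constructed sample mirroring the settings in the table above
drill.exec: {
  zk.apply_secure_acl: true,
  impersonation: { enabled: true, max_chained_user_hops: 3 },
  security: {
    auth.mechanisms: ["MAPRSASL", "PLAIN"],
    user.encryption.sasl.enabled: true,   // not allowed together with PLAIN
    user.encryption.ssl.enabled: false,
    bit.encryption.ssl.enabled: true
  }
  ssl.useHadoopConfig: true
  http.ssl_enabled = true
}
"""

# quoted string | structural character | bare word (keys, numbers, booleans, paths)
_TOKEN = re.compile(r'"[^"]*"|[\[\]{}:=]|[^\s\[\]{}:=]+')


def _scalar(tok):
    if tok.startswith('"'):
        return tok[1:-1]
    if tok in ('true', 'false'):
        return tok == 'true'
    return int(tok) if tok.lstrip('-').isdigit() else tok


def parse_hocon(text):
    """Parse the HOCON subset above into a flat {'a.b.c': value} dict."""
    tokens = _TOKEN.findall(re.sub(r'(#|//).*', '', text).replace(',', ' '))
    flat, pos = {}, 0

    def parse_list():
        nonlocal pos
        items = []
        while tokens[pos] != ']':
            items.append(_scalar(tokens[pos]))
            pos += 1
        pos += 1  # skip ']'
        return items

    def parse_object(prefix):
        nonlocal pos
        while pos < len(tokens) and tokens[pos] != '}':
            key = prefix + tokens[pos].strip('"')
            pos += 1
            if tokens[pos] in (':', '='):  # separator is optional before '{'
                pos += 1
            tok = tokens[pos]
            pos += 1
            if tok == '{':
                parse_object(key + '.')  # nested block: extend the dotted prefix
            elif tok == '[':
                flat[key] = parse_list()
            else:
                flat[key] = _scalar(tok)
        pos += 1  # closing brace, or one past the end at top level

    parse_object('')
    return flat


def check_drill_security(text):
    """Apply the constraints stated in the table; returns a list of findings."""
    flat = parse_hocon(text)
    findings = []
    plain = 'PLAIN' in flat.get('drill.exec.security.auth.mechanisms', [])
    if plain and flat.get('drill.exec.security.user.encryption.sasl.enabled') is True:
        findings.append('PLAIN auth cannot be combined with user.encryption.sasl.enabled: true')
    if plain and flat.get('drill.exec.security.user.encryption.ssl.enabled') is not True:
        findings.append('PLAIN auth requires user.encryption.ssl.enabled: true')
    for key in ('drill.exec.impersonation.enabled', 'drill.exec.zk.apply_secure_acl',
                'drill.exec.security.bit.encryption.ssl.enabled', 'drill.exec.http.ssl_enabled'):
        if flat.get(key) is not True:
            findings.append(f'{key} is not true')
    if flat.get('drill.exec.ssl.useHadoopConfig') is not True and 'drill.exec.ssl.keyStorePath' not in flat:
        findings.append('no keystore: set drill.exec.ssl.useHadoopConfig or drill.exec.ssl.keyStorePath')
    return findings
```

Run against the embedded sample, `check_drill_security(SAMPLE_DRILL_OVERRIDE)` reports the two PLAIN-related problems (SASL encryption enabled, SSL encryption not enabled); the same function can be pointed at a real drill-override.conf, since Drill's later files override earlier keys and a flat dotted dictionary reproduces that merge naturally.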
Spark Security Configurations
spark-defaults.conf No Information found on MapR Docs spark.ssl.fs.enabled true https://spark.apache.org/docs/2.3.1/security.html
spark-defaults.conf SSL Keystore Password spark.ssl.keyPassword <ssl-keystore-password>
spark-defaults.conf spark.ssl.keyStore /opt/mapr/conf/ssl_keystore
spark-defaults.conf spark.ssl.keyStorePassword <ssl-keystore-password>
spark-defaults.conf spark.ssl.trustStore /opt/mapr/conf/ssl_truststore
spark-defaults.conf spark.ssl.trustStorePassword <ssl-keystore-password>
spark-defaults.conf spark.ssl.protocol TLSv1.2
spark-defaults.conf Configure encryption for the Spark HTTP file and broadcast servers: spark.ssl.enabledAlgorithms TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
Livy Security Configurations
livy.conf MapR-SASL authentication livy.server.auth.type = multiauth TRUE
livy.conf User impersonation with Livy livy.impersonation.enabled = true livy.superusers = <MAPR_USER> TRUE
livy.conf HTTPS livy.keystore livy.keystore.password livy.key-password TRUE Values filled in automatically at runtime by com.mapr.web.security.WebSecurityManager
Tez Security Configuration
/opt/mapr/tez/tez-0.8/tomcat/apache-tomcat-9.0.1/conf/server.xml SSL Config for Tez
    <Connector port="9444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keyAlias="edl-dev-r01-tezui"
               keystoreFile="/opt/mapr/tez/tez-0.8/tomcat/apache-tomcat-9.0.1/conf/bdx1xxx0125.xxxxx.com.jks"
               keystorePass="xxxxxxxxxx" keystoreType="JKS" clientAuth="false" sslProtocol="TLS" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />
Tez UI redirectPort value changed to 9444 (default value 8443 conflicts with MCS)
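The Tez row carries two details worth verifying after an install: the HTTPS connector must actually be SSL-enabled with a real keystore password, and the AJP connector's redirectPort has to point at that HTTPS port (9444 here, because Tomcat's default 8443 collides with MCS). The following is an added example, not MapR or Tez code: it reads a server.xml (a constructed sample with the hostname, key alias and keystore password replaced by placeholders) and reports connectors that break those expectations. SAMPLE_SERVER_XML, PLACEHOLDER_PASSWORDS and audit_connectors are names chosen for the example.

```python
"""Check the Tez UI Tomcat connectors described in the table above.

Added example, not MapR or Tez code.  SAMPLE_SERVER_XML is a constructed
server.xml fragment; the alias, keystore file name and password are placeholders.
"""
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keyAlias="EXAMPLE-ALIAS"
               keystoreFile="/opt/mapr/tez/tez-0.8/tomcat/apache-tomcat-9.0.1/conf/EXAMPLE_HOST.jks"
               keystorePass="REPLACE_ME" keystoreType="JKS" clientAuth="false"
               sslProtocol="TLS" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="9444" />
  </Service>
</Server>
"""

# Values that mean "nobody has set a real keystore password" (assumption for this check).
PLACEHOLDER_PASSWORDS = {'', 'REPLACE_ME', 'changeit', 'xxxxxxxxxx'}
ALLOWED_SSL_PROTOCOLS = {'TLS', 'TLSv1.2', 'TLSv1.3'}
MCS_PORT = '8443'  # the table notes that Tomcat's default 8443 conflicts with MCS


def audit_connectors(xml_text):
    """Return findings for every <Connector>; an empty list means all checks pass."""
    connectors = list(ET.fromstring(xml_text).iter('Connector'))
    https_ports = {c.get('port') for c in connectors
                   if c.get('SSLEnabled', '').lower() == 'true'}
    findings = []
    if not https_ports:
        findings.append('no SSL-enabled connector: the Tez UI would be served over plain HTTP')
    for c in connectors:
        port = c.get('port')
        if port == MCS_PORT:
            findings.append(f'port {port} collides with MCS; the Tez UI is moved to 9444')
        if port in https_ports:
            if c.get('scheme') != 'https' or c.get('secure', '').lower() != 'true':
                findings.append(f'port {port}: SSLEnabled but scheme/secure are not https/true')
            if c.get('sslProtocol', 'TLS') not in ALLOWED_SSL_PROTOCOLS:
                findings.append(f'port {port}: sslProtocol {c.get("sslProtocol")} is not a TLS setting')
            if c.get('keystorePass', '') in PLACEHOLDER_PASSWORDS:
                findings.append(f'port {port}: keystorePass is a placeholder')
        # A redirectPort only makes sense if it lands on an SSL-enabled connector.
        redirect = c.get('redirectPort')
        if redirect is not None and redirect not in https_ports:
            findings.append(f'port {port}: redirectPort {redirect} is not an SSL-enabled connector')
    return findings
```

With the sample as written the only finding is the placeholder keystore password; changing the AJP connector's redirectPort back to 8443 additionally produces a finding, because no SSL-enabled connector listens there once the Tez UI has been moved to 9444.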
Security Settings for Kibana and Grafana
Kibana Security Configuration
/opt/mapr/elasticsearch/elasticsearch-5.4.1/usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_internal_users.yml Kibana and ElasticSearch login account and password file admin:hash: <$2a$12$6ASxMQEBKYPyGUc10RyleOhz3c8RrvPGb7oqLC9xGGwPxJFwOLJtq> https://mapr.com/docs/home/AdministratorGuide/Changing_Password_for_ES_Kibana.html
/opt/mapr/conf/ssl_truststore* and /opt/mapr/conf/ssl_keystore* SSL keys created at install; they should rarely change and are used by all web and REST HTTPS interfaces. Add site-specific certificates with the keytool utility.
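The Kibana row above points at sg_internal_users.yml and quotes the admin account's bcrypt hash, with a link to the procedure for changing it. A quick way to confirm that procedure was actually followed is to check the file for that exact hash. The following is an added example, not MapR or Search Guard code: it reads the flat `user:` / `  hash:` layout of sg_internal_users.yml (a constructed sample is embedded; the admin hash is the value quoted above, the other hash is a syntactically valid placeholder rather than real bcrypt output), flags accounts still carrying the quoted hash, a bcrypt cost below the 12 that hash uses, or a hash shared between accounts. It checks format only and does not verify passwords. SAMPLE_SG_USERS, parse_internal_users and audit_internal_users are names chosen for the example.

```python
"""Audit the Search Guard internal user file behind the Kibana/Elasticsearch login.

Added example, not MapR or Search Guard code.  SAMPLE_SG_USERS is constructed;
the admin hash is the one quoted in the table above, the kibanaserver hash is a
format-valid placeholder, not real bcrypt output.
"""
import re

# The admin hash quoted in the table above; if it is still in the file, the
# password has not been changed from the one the documentation ships with.
QUOTED_DEFAULT_ADMIN_HASH = '$2a$12$6ASxMQEBKYPyGUc10RyleOhz3c8RrvPGb7oqLC9xGGwPxJFwOLJtq'
MIN_BCRYPT_COST = 12  # the cost the quoted hash uses; assumption for this check
BCRYPT_RE = re.compile(r'^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$')

SAMPLE_SG_USERS = """\
# constructed sample in sg_internal_users.yml layout
admin:
  hash: $2a$12$6ASxMQEBKYPyGUc10RyleOhz3c8RrvPGb7oqLC9xGGwPxJFwOLJtq
  roles:
    - admin
kibanaserver:
  hash: $2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
readall:
  hash: $2a$12$6ASxMQEBKYPyGUc10RyleOhz3c8RrvPGb7oqLC9xGGwPxJFwOLJtq
  roles:
    - readall
"""


def parse_internal_users(text):
    """Return {username: hash or None} from the flat layout the file uses."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()  # bcrypt alphabet never contains '#'
        if not line:
            continue
        if not line.startswith(' ') and line.endswith(':'):
            current = line[:-1]               # top-level key is the account name
            users.setdefault(current, None)
        elif current and line.strip().startswith('hash:'):
            users[current] = line.split(':', 1)[1].strip()
    return users


def audit_internal_users(text):
    """Return a list of findings for the accounts in sg_internal_users.yml."""
    findings, seen = [], {}
    for name, h in parse_internal_users(text).items():
        if h is None:
            findings.append(f'{name}: no hash set')
            continue
        if h == QUOTED_DEFAULT_ADMIN_HASH:
            findings.append(f'{name}: hash equals the documented default admin hash (password never changed)')
        m = BCRYPT_RE.match(h)
        if not m:
            findings.append(f'{name}: hash is not a bcrypt string')
        elif int(m.group(1)) < MIN_BCRYPT_COST:
            findings.append(f'{name}: bcrypt cost {m.group(1)} is below {MIN_BCRYPT_COST}')
        if h in seen:
            findings.append(f'{name}: same hash as {seen[h]} (shared password)')
        else:
            seen[h] = name
    return findings
```

On the sample this yields four findings: admin and readall both still carry the quoted default hash, readall additionally shares it with admin, and kibanaserver's hash was generated with cost 10. After the password change described on the linked page, the admin finding disappears without any change to the checker.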
Grafana Security Configuration
/opt/mapr/grafana/grafana-version/etc/grafana/grafana.ini cert_file /opt/mapr/grafana/grafana-4.6.1/etc/grafana/cert.pem
/opt/mapr/grafana/grafana-version/etc/grafana/grafana.ini cert_key /opt/mapr/grafana/grafana-4.6.1/etc/grafana/key.pem