MapR 5.0 Documentation : Kerberos Authentication for HttpFS

Complete the following steps to enable Kerberos security on nodes where you run the httpFS service:

1. Set up a Kerberos Principal and keytab File

Each node running the httpFS service must have a keytab file (/opt/mapr/conf/mapr.keytab) and these two principals:

  • HTTP/<fully.qualified.domain.name>

  • mapr/<fully.qualified.domain.name>

For complete instructions on generating a Kerberos principal and keytab file, see Configuring Kerberos User Authentication.

To check whether the keytab already exists and whether it contains the two required principals, run the klist command with the -k (keytab keys), -e (encryption type) and -t (timestamp) options:

$ klist -ket /opt/mapr/conf/mapr.keytab

The output from this command displays the following information:

  • KVNO (key version number)

  • Timestamp (the time the key was generated)

  • Principal names

  • Encryption types

If the keytab file does not exist, or does not contain both principals, generate them by following these steps.

  1. Generate a Kerberos principal for the mapr user. The principal is of the form mapr/<fully.qualified.domain.name>@<your-realm>.com, where <fully.qualified.domain.name> is unique for each httpFS node. 
    In the following example, perfnode153.perf.lab@dev-maprtech.com is used for the <fully.qualified.domain.name>@<your-realm>.com.

    $ kadmin
    kadmin: addprinc -randkey mapr/perfnode153.perf.lab@dev-maprtech.com
  2. Generate a Kerberos principal for HTTP/<fully.qualified.domain.name>. This is required for Kerberos authentication of the httpFS server using HTTP SPNEGO. 

    $ kadmin
    kadmin: addprinc -randkey HTTP/perfnode153.perf.lab@dev-maprtech.com
  3. If the current node does not already have a keytab file created for another service, create one and name it mapr.keytab. The ktadd command creates the file if it does not exist and appends keys to it if it does, so add both principals:

    kadmin: ktadd -k /opt/mapr/conf/mapr.keytab mapr/perfnode153.perf.lab
    kadmin: ktadd -k /opt/mapr/conf/mapr.keytab HTTP/perfnode153.perf.lab

    Note that every node uses a keytab file at the same path (usually /opt/mapr/conf/mapr.keytab), and a keytab file can hold multiple principals.

  4. Change the owner of the keytab file from the root user (the default) to the mapr user.

    $ chown mapr:mapr /opt/mapr/conf/mapr.keytab
  5. Set read-only permissions on the mapr.keytab file.

    $ chmod 600 /opt/mapr/conf/mapr.keytab

2. Verify Credentials in the keytab File

To test that the credentials in the mapr.keytab file work, run the klist command with the -k (keytab keys), -e (encryption type) and -t (timestamp) options.

$ klist -ket /opt/mapr/conf/mapr.keytab

Verify that the output lists only one key version number (KVNO) for each principal name. If the same principal appears more than once with different key version numbers, this can indicate a problem: the latest key version is the one in use, so a stale entry means you might not be able to log in to the node and authenticate with your user credentials.

Sample output for a node that has the httpFS and CLDB services installed is shown below.

Keytab name: FILE:/opt/mapr/conf/mapr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/18/14 18:50:07 mapr/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)
   2 07/18/14 18:50:07 mapr/perfnode153.perf.lab@dev-maprtech (arcfour-hmac)
   2 07/18/14 18:50:08 mapr/perfnode153.perf.lab@dev-maprtech (des3-cbc-sha1)
   2 07/18/14 18:50:08 mapr/perfnode153.perf.lab@dev-maprtech (des-cbc-crc)
   2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)
   2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (arcfour-hmac)
   2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (des3-cbc-sha1)
   2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (des-cbc-crc)
   6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (aes256-cts-hmac-sha1-96)
   6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (arcfour-hmac)
   6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (des3-cbc-sha1)
   6 07/18/14 18:50:57 mapr/my.cluster.com@dev-maprtech (des-cbc-crc)

In the example, the following principals are listed for the node perfnode153.perf.lab:

  • mapr/perfnode153.perf.lab@dev-maprtech (for authenticating to the httpFS service)

  • HTTP/perfnode153.perf.lab@dev-maprtech (for communicating securely over HTTP)

  • mapr/my.cluster.com (for authenticating to the CLDB service)
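The checks described in steps 1 and 2 (both principals present, a single KVNO per principal, keytab owned by mapr with mode 600) can be automated. The following Python script is an added example written for this page; it is not part of the MapR documentation or product. It parses the output of klist -ket (the sample output above is embedded as a constructed string) rather than reading the keytab itself, so it never touches key material. The stale-entry sample, the function names and the default owner "mapr" are assumptions made for the example.

```python
import os
import pwd
import re
import stat
import sys

# Constructed sample: the klist -ket output shown on this page for perfnode153.perf.lab.
SAMPLE_KLIST = """Keytab name: FILE:/opt/mapr/conf/mapr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/18/14 18:50:07 mapr/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)
   2 07/18/14 18:50:07 mapr/perfnode153.perf.lab@dev-maprtech (arcfour-hmac)
   2 07/18/14 18:50:08 mapr/perfnode153.perf.lab@dev-maprtech (des3-cbc-sha1)
   2 07/18/14 18:50:08 mapr/perfnode153.perf.lab@dev-maprtech (des-cbc-crc)
   2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)
   2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (arcfour-hmac)
   2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (des3-cbc-sha1)
   2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (des-cbc-crc)
   6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (aes256-cts-hmac-sha1-96)
   6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (arcfour-hmac)
   6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (des3-cbc-sha1)
   6 07/18/14 18:50:57 mapr/my.cluster.com@dev-maprtech (des-cbc-crc)
"""

# Constructed sample of the failure mode step 2 warns about: the HTTP principal
# appears a second time with a newer KVNO (for example after a repeated ktadd).
STALE_KLIST = SAMPLE_KLIST + (
    "   3 07/18/14 19:00:00 HTTP/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)\n"
)

# One keytab entry: KVNO, timestamp (two fields), principal, encryption type in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Map each principal in klist -ket output to the set of KVNOs listed for it."""
    kvnos = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:  # header, separator and "Keytab name:" lines are skipped
            continue
        kvno, _timestamp, principal, _etype = m.groups()
        kvnos.setdefault(principal, set()).add(int(kvno))
    return kvnos


def check_keytab(text, fqdn):
    """Return a list of problems for an httpFS node; an empty list means the keytab passes."""
    kvnos = parse_klist(text)
    problems = []
    # Step 1: both service principals for this node must be present (realm is ignored here).
    for required in ("mapr/" + fqdn, "HTTP/" + fqdn):
        if not any(p.split("@")[0] == required for p in kvnos):
            problems.append("missing principal %s" % required)
    # Step 2: exactly one key version per principal.
    for principal, versions in sorted(kvnos.items()):
        if len(versions) > 1:
            problems.append("%s has multiple KVNOs %s" % (principal, sorted(versions)))
    return problems


def check_keytab_file(path, owner="mapr"):
    """Check the ownership and mode that steps 4 and 5 require (chown mapr:mapr, chmod 600)."""
    st = os.stat(path)
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append("%s has mode %o, expected 600" % (path, mode))
    actual_owner = pwd.getpwuid(st.st_uid).pw_name
    if actual_owner != owner:
        problems.append("%s is owned by %s, expected %s" % (path, actual_owner, owner))
    return problems


if __name__ == "__main__":
    # Usage: python check_keytab.py <fqdn> [/opt/mapr/conf/mapr.keytab] < klist_output.txt
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "perfnode153.perf.lab"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    found = check_keytab(text, fqdn)
    if len(sys.argv) > 2:
        found += check_keytab_file(sys.argv[2])
    print("OK" if not found else "\n".join(found))
```

Pipe the real output in with `klist -ket /opt/mapr/conf/mapr.keytab | python check_keytab.py $(hostname -f) /opt/mapr/conf/mapr.keytab`; a non-empty report points at the step above that needs to be repeated.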

3. Verify that context.xml.jpamLogin Exists

Verify that the following file exists: /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin. This file may have been renamed to context.xml to configure PAM authentication for HttpFS. However, to configure Kerberos for HttpFS, rename the file back to context.xml.jpamLogin:

mv /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin 

4. Modify the httpfs-site.xml File

MapR provides a Kerberos-ready version of the httpfs-site.xml file called httpfs-site.xml.kerberos. This file resides in /opt/mapr/httpfs/httpfs-1.0/etc/hadoop. You must edit this file and specify the Kerberos principal name for the nodes where you are running httpFS, restart the httpFS server, and then test the setup. Each step is explained here.

To set up the httpfs-site.xml file for each node running the httpFS service, follow these steps:

  1. Assign a new name to the existing httpfs-site.xml file (to preserve the original version when the file gets overwritten in step 2).

    cd /opt/mapr/httpfs/httpfs-1.0/etc/hadoop
    cp httpfs-site.xml httpfs-site.xml.original
  2. Copy the Kerberos version (httpfs-site.xml.kerberos) over the existing httpfs-site.xml file.

    cp httpfs-site.xml.kerberos httpfs-site.xml
  3. Edit the httpfs-site.xml file and insert the principal name as shown:

    <property>
      <name>
        httpfs.authentication.kerberos.principal
      </name>
      <value>
        mapr/perfnode153.perf.lab@dev-maprtech.com
      </value>
    </property>

    Substitute your fully qualified domain name and your realm for perfnode153.perf.lab@dev-maprtech.com.

  4. Restart the httpFS server so the changes will take effect.

    sudo -u mapr /opt/mapr/httpfs/httpfs-1.0/sbin/httpfs.sh stop
    sudo -u mapr /opt/mapr/httpfs/httpfs-1.0/sbin/httpfs.sh start
  5. Test that security is in place by entering the following command to create a directory in MapR-FS (obtain a Kerberos ticket with kinit first, so that curl has credentials to present). The command fails if security is not set up correctly.

    curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt -i -X PUT \
      "http://perfnode153.perf.lab:14000/webhdfs/v1/user/mapr/some_file?op=MKDIRS"
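Step 3 above is a hand edit, and a common failure is leaving the placeholder text in the value or mistyping the realm. The following Python script is an added example written for this page, not part of the MapR documentation or product; it sets the httpfs.authentication.kerberos.principal property in a Hadoop-style configuration file and refuses placeholders such as <fully.qualified.domain.name>. The embedded httpfs-site.xml content is a constructed stand-in for httpfs-site.xml.kerberos (whose real contents are not on this page), and the function names and the mapr/_HOST@YOUR-REALM placeholder are assumptions made for the example.

```python
import re
import sys
import xml.etree.ElementTree as ET

PRINCIPAL_PROPERTY = "httpfs.authentication.kerberos.principal"
# mapr/<fqdn>@<realm> with only hostname and realm characters; angle brackets and spaces fail.
PRINCIPAL_RE = re.compile(r"^mapr/[A-Za-z0-9.-]+@[A-Za-z0-9.-]+$")

# Constructed stand-in for httpfs-site.xml.kerberos, reduced to the properties used here.
SAMPLE_SITE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property>
    <name>httpfs.authentication.type</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>
      httpfs.authentication.kerberos.principal
    </name>
    <value>
      mapr/_HOST@YOUR-REALM
    </value>
  </property>
</configuration>
"""


def get_property(xml_text, name):
    """Return the value of a <property> by name, or None if it is absent.

    Name and value text are stripped, because the page's sample puts them on
    their own lines surrounded by whitespace."""
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        n = prop.find("name")
        if n is not None and (n.text or "").strip() == name:
            v = prop.find("value")
            return (v.text or "").strip() if v is not None else ""
    return None


def set_property(xml_text, name, value):
    """Return the configuration with the named property set, appending it if missing."""
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        n = prop.find("name")
        if n is not None and (n.text or "").strip() == name:
            v = prop.find("value")
            if v is None:
                v = ET.SubElement(prop, "value")
            v.text = value
            break
    else:  # no existing property with that name
        prop = ET.SubElement(root, "property")
        ET.SubElement(prop, "name").text = name
        ET.SubElement(prop, "value").text = value
    return ET.tostring(root, encoding="unicode")


def is_valid_principal(principal):
    """True only for a fully substituted mapr/<fqdn>@<realm> principal."""
    return PRINCIPAL_RE.match(principal) is not None


def set_httpfs_principal(xml_text, fqdn, realm):
    """Set the httpFS principal for this node, rejecting unsubstituted placeholders."""
    principal = "mapr/%s@%s" % (fqdn, realm)
    if not is_valid_principal(principal):
        raise ValueError("not a usable principal: %r" % principal)
    return set_property(xml_text, PRINCIPAL_PROPERTY, principal)


if __name__ == "__main__":
    # Usage: python set_httpfs_principal.py <fqdn> <realm> [httpfs-site.xml]
    fqdn, realm = sys.argv[1], sys.argv[2]
    if len(sys.argv) > 3:
        with open(sys.argv[3]) as f:
            text = f.read()
        updated = set_httpfs_principal(text, fqdn, realm)
        with open(sys.argv[3], "w") as f:
            f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + updated + "\n")
    else:
        print(set_httpfs_principal(SAMPLE_SITE_XML, fqdn, realm))
```

ElementTree drops the XML declaration when serialising, so the script writes it back explicitly; run it as the mapr user against /opt/mapr/httpfs/httpfs-1.0/etc/hadoop/httpfs-site.xml after step 2, then continue with the restart in step 4.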

Configure the HTTP Header Size (optional)

The maxHttpHeaderSize parameter defines the maximum size of the request and response HTTP header, specified in bytes. If it is not specified, this parameter defaults to 8192 (8KB).

When Kerberos security is enabled, you may need to increase this value in the server.xml file:

/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml

For example:

<Connector port="${httpfs.http.port}" maxHttpHeaderSize="32000" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>

If you do not increase this value, you may encounter errors of the following form:

HTTP/1.1 400 Bad Request

After making this configuration change, restart the httpFS server.