MapR 5.0 Documentation : Maximum Use of Kerberos Scenario

To make maximum use of Kerberos in your secured MapR installation, set the security options indicated in this section.

These instructions are streamlined to allow you to quickly implement security in a MapR cluster, by using Kerberos wherever it is supported. For instructions on configuring a custom security implementation, covering the full range of options that are available, see Configuring MapR Security.

The flowchart below provides an overview of the tasks you will complete, based on the combination of components you are using. ("A" connectors indicate continuation of flow from first to second.)

Set Up Security for MapR Core Components

Required for all MapR installations.

Impersonation is enabled for MapR components that run services as the mapr superuser when you enable Zookeeper and Warden components.

MapR ticket authentication for Zookeeper is enabled automatically when you enable wire-level security for the MapR cluster.

Set Up Security for Flume

Skip this section if you are not using Flume.

Set Up Security for HBase

Skip this section if you are using only MapR-DB.

Set Up Security for the HBase REST Gateway

Do not skip this section if you are using only MapR-DB; it applies to both MapR-DB and HBase.

Set Up Security for the HBase Thrift Gateway

Do not skip this section if you are using only MapR-DB; it applies to both MapR-DB and HBase.

Set Up Security for Hive

Skip this section if you are not using Hive.

To use Hive with Impala, you must configure Hive to use MapR-SASL for authentication.

To use Hive without Impala, perform these tasks:

To use Hive with Impala, perform these tasks:

Perform these tasks, regardless of Impala usage:

Clients of HiveServer2 authenticate with the same authentication method that is configured for HiveServer2. Clients of HiveServer2 include ODBC, JDBC, and Beeline.

Set Up Security for Drill

Skip this section if you are not using Drill.

Inbound authentication for Drill, using Pluggable Authentication Modules (PAM), is provided when you configure PAM.

Outbound authentication for Drill, using MapR tickets, is enabled when you enable wire-level security for the MapR cluster.

Set Up Security for HttpFS

Skip this section if you are not using HttpFS.

Set Up Security for Hue

Skip this section if you are not using Hue.

Set Up Security for Impala

Skip this section if you are not using Impala.

Use of Kerberos authentication for Impala with a secured MapR cluster is not currently supported.

Set Up Security for Oozie

Skip this section if you are not using Oozie.

Inbound and outbound authentication for Oozie, using Kerberos, is enabled when you configure Kerberos user authentication.

Set Up Security for Sqoop 2

Skip this section if you are not using Sqoop 2.

Set Up Security for Spark

No additional setup is required after you install and configure Spark with YARN.

If you start Spark from MapReduce v. 2 (YARN), it automatically uses a MapR ticket for outbound authentication, and impersonation is enabled (Spark workers run as the submitting user).

Spark cannot be secured with MapReduce v. 1.

Spark cannot be secured with the HBase Thrift Gateway and MapReduce v. 2 (YARN).

Libraries - Security Determined by User

Security for the following libraries is determined entirely by the security of the user:

  • Mahout
  • Pig
  • Sqoop 1.4.x