MapR 5.0 Documentation : SSL Security for HttpFS

You can configure SSL (HTTPS) for HttpFS.  As of HTTPFS 1.0-1504, you can also configure certificate-based authentication for HttpFS.

To configure SSL security for HttpFS, complete the following steps on a secure cluster:

  1. Create the ssl_keystore and ssl_truststore by running the configure.sh -secure -genkeys command on the first CLDB node in your cluster. Use the -Z and -C options to specify ZooKeeper and CLDB nodes.

  2. Copy the existing server.xml file (/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml) to server.xml.orig, to preserve the original version before it is overwritten in the next step.

    sudo cp /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml.orig
  3. Replace the contents of server.xml with the contents of server.xml.https.

    sudo cp /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml.https /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml
  4. Verify that the following file exists: /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin
    This file may have been renamed to context.xml when PAM authentication was configured for HttpFS. To configure SSL for HttpFS, rename it back to context.xml.jpamLogin:

    mv /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin
  5. To enable SSL without certificate-based authentication, set the clientAuth attribute to "false" in server.xml (/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml).
    For example:  

    <Connector port="${httpfs.http.port}" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="/opt/mapr/conf/ssl_keystore"
    keystorePass="mapr123"
    truststoreFile="/opt/mapr/conf/ssl_truststore"
    truststorePass="mapr123"/>
  6. To enable certificate-based authentication, perform the following steps:

    1. Verify that the clientAuth attribute is set to "true" in server.xml (/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml).

      For example:  

      <Connector port="${httpfs.http.port}" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      clientAuth="true" sslProtocol="TLS"
      keystoreFile="/opt/mapr/conf/ssl_keystore"
      keystorePass="mapr123"
      truststoreFile="/opt/mapr/conf/ssl_truststore"
      truststorePass="mapr123"/>
    2. In web.xml (/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/web.xml), un-comment the following section: 

      <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>sample</role-name>
      </auth-constraint>
      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      
      <security-role>
        <role-name>sample</role-name>
      </security-role>
      
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
    3. Verify that tomcat-users.xml (/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/tomcat-users.xml) contains the roles and users in the certificates.

      <tomcat-users>
          <role rolename="sample"/>
          <user name="CN=<hostname>" password="null" roles="sample" />
      </tomcat-users>

      The name value should include information from your certificate.
      For example:

      <tomcat-users>
          <role rolename="sample"/>
          <user name="CN=www.mapr.com, OU=mapr, O=mapr, L=San Jose, ST=San Jose, C=CA" password="null" roles="sample" />
      </tomcat-users>
      

      You can run the following command to view the contents of the certificate file:
      openssl x509 -text -in /opt/mapr/hue/hue-<version>/cert.pem 

  7. Restart the HttpFS server.

    maprcli node services -name httpfs -action restart -nodes <space delimited list of nodes>
  8. Run one of the following curl commands to check that HTTPS is enabled. These commands fetch the file some_file.txt from MapR-FS under /user/mapr and attempt to open it securely over HTTPS.

    Verify that HTTPS is enabled without certificate-based authentication
    curl -k "https://localhost:14000/webhdfs/v1/user/mapr/some_file.txt?op=open&user.name=mapr"

    If you also configured Hue to use SSL encryption with certificate-based authentication for communication with HttpFS, run the following command: 

    Verify that HTTPS is enabled with certificate-based authentication
    curl -k --cert /opt/mapr/hue/hue-<version>/cert.pem --key /opt/mapr/hue/hue-<version>/hue_private_keystore.pem "https://localhost:14000/webhdfs/v1/user/mapr/some_file.txt?op=open&user.name=mapr"
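The script below is an added example, not part of the MapR documentation or of MapR's own tooling. It cross-checks the three files that steps 5 and 6 edit: the clientAuth and SSLEnabled attributes of the Connector in server.xml, whether the CLIENT-CERT login-config in web.xml is actually un-commented, and whether tomcat-users.xml maps the presenting certificate subject to a role. By default it runs against a constructed sample directory that mirrors the MapR layout; the HTTPFS_TOMCAT environment variable, the function names and the sample files are all assumptions introduced here, and the subject DN is the one from the tomcat-users.xml example above.

```shell
#!/bin/sh
# Added example, not MapR's own tooling: pre-flight checks for the HttpFS
# Tomcat settings described in the steps above. By default it runs against
# a constructed sample directory; set HTTPFS_TOMCAT (hypothetical variable)
# to /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat to check a node.

# Print the value of one attribute of the <Connector> element in server.xml.
# Assumes a single Connector element, as in the shipped server.xml.https.
# Usage: connector_attr <server.xml> <attribute>
connector_attr() {
    tr '\n' ' ' < "$1" |
        sed -n 's/.*<Connector[^>]*[[:space:]]'"$2"'="\([^"]*\)".*/\1/p'
}

# Report whether the CLIENT-CERT login-config in web.xml is un-commented.
# Comments (including multi-line ones) are stripped first, so a block that
# is still inside <!-- --> does not count as active.
# Usage: web_xml_client_cert <web.xml>   -> prints "active" or "inactive"
web_xml_client_cert() {
    tr '\n' ' ' < "$1" |
        awk '{ while ((i = index($0, "<!--")) > 0 && (j = index($0, "-->")) > i)
                   $0 = substr($0, 1, i - 1) substr($0, j + 3)
               print }' |
        grep -q '<auth-method>CLIENT-CERT</auth-method>' && echo active || echo inactive
}

# Print the role(s) tomcat-users.xml assigns to a certificate subject, or
# nothing when the subject has no user entry.
# Usage: tomcat_user_role <tomcat-users.xml> <subject DN>
tomcat_user_role() {
    grep -F "name=\"$2\"" "$1" | sed -n 's/.*roles="\([^"]*\)".*/\1/p'
}

# Cross-check the three files. clientAuth="true" is only coherent when the
# CLIENT-CERT login-config is active and the presenting subject is a known
# user. Prints a verdict and returns non-zero on any mismatch.
# Usage: httpfs_preflight <tomcat dir> <subject DN>
httpfs_preflight() {
    dir=$1; dn=$2
    ssl=$(connector_attr "$dir/conf/server.xml" SSLEnabled)
    ca=$(connector_attr "$dir/conf/server.xml" clientAuth)
    [ "$ssl" = "true" ] || { echo "SSLEnabled is not \"true\""; return 1; }
    case $ca in
        false) echo "ok: HTTPS without client certificates"; return 0 ;;
        true)
            [ "$(web_xml_client_cert "$dir/webapps/webhdfs/WEB-INF/web.xml")" = active ] ||
                { echo "clientAuth=\"true\" but CLIENT-CERT login-config is commented out"; return 1; }
            role=$(tomcat_user_role "$dir/conf/tomcat-users.xml" "$dn")
            [ -n "$role" ] || { echo "no tomcat-users.xml entry for subject: $dn"; return 1; }
            echo "ok: client certificates required; $dn -> role $role"; return 0 ;;
        *) echo "clientAuth has unexpected value: \"$ca\""; return 1 ;;
    esac
}

# Constructed sample mirroring the MapR paths (not a real installation).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/conf" "$SAMPLE/webapps/webhdfs/WEB-INF"
cat > "$SAMPLE/conf/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="${httpfs.http.port}" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
    keystoreFile="/opt/mapr/conf/ssl_keystore" keystorePass="mapr123"
    truststoreFile="/opt/mapr/conf/ssl_truststore" truststorePass="mapr123"/>
</Service></Server>
EOF
cat > "$SAMPLE/webapps/webhdfs/WEB-INF/web.xml" <<'EOF'
<web-app>
  <!-- <login-config><auth-method>BASIC</auth-method></login-config> -->
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>
EOF
# The same file with the block still commented out, as it is before step 6.2.
cat > "$SAMPLE/web.xml.commented" <<'EOF'
<web-app>
  <!--
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  -->
</web-app>
EOF
cat > "$SAMPLE/conf/tomcat-users.xml" <<'EOF'
<tomcat-users>
  <role rolename="sample"/>
  <user name="CN=www.mapr.com, OU=mapr, O=mapr, L=San Jose, ST=San Jose, C=CA" password="null" roles="sample" />
</tomcat-users>
EOF
SUBJECT="CN=www.mapr.com, OU=mapr, O=mapr, L=San Jose, ST=San Jose, C=CA"

httpfs_preflight "${HTTPFS_TOMCAT:-$SAMPLE}" "${1:-$SUBJECT}"
```

Run it with no arguments to exercise the sample, or as `HTTPFS_TOMCAT=/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat sh preflight.sh "<subject DN>"` on an HttpFS node before the restart in step 7; a non-zero exit means one of the three files disagrees with the others. Note that the curl commands in step 8 use -k, which skips verification of the server certificate, so they confirm only that the listener speaks HTTPS; to also confirm that the certificate in ssl_keystore is trusted by the client, repeat the check with --cacert pointing at the CA certificate instead of -k.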