MapR 5.0 Documentation : Securing Open Source Components

Security for Open Source Components

Open source components on a MapR cluster have several options for security. See the Ecosystem Guide for component-specific instructions. 

General Security Configuration with JAAS

Open source components in the MapR distribution for Hadoop use the Java Authentication and Authorization Service (JAAS) for security configuration.  The /opt/mapr/conf/mapr.login.conf file defines JAAS configurations. The MAPR_ECOSYSTEM_LOGIN_OPTS environment variable in the /opt/mapr/conf/env.sh file specifies the JAAS configuration used by installed open source components. When security is enabled, the value of the MAPR_ECOSYSTEM_LOGIN_OPTS environment variable is modified to include the hybrid JVM option for hadoop.login. This is equivalent to setting the -Dhadoop.login=hybrid flag at the command line.This setting specifies a mixed security environment using Kerberos and internal MapR security technologies.

The mapr.login.conf file has two stanzas for hybrid security:

 /**
 * authenticate using hybrid of kerberos and MapR
 * maprticket must already exist on file system as MapR login module
 * cannot get kerberos identity from subject for implicit login.
 */

hadoop_hybrid {
  org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
      useTicketCache=true
      renewTGT=true
      doNotPrompt=true;
  com.mapr.security.maprsasl.MaprSecurityLoginModule required
      checkUGI=false;
  org.apache.hadoop.security.login.GenericOSLoginModule required;
  org.apache.hadoop.security.login.HadoopLoginModule required
      principalPriority=com.mapr.security.MapRPrincipal;
};
 
hadoop_hybrid_keytab {
  org.apache.hadoop.security.login.KerberosBugWorkAroundLoginModule optional
      refreshKrb5Config=true
      doNotPrompt=true
      useKeyTab=true
      storeKey=true;
  com.mapr.security.maprsasl.MaprSecurityLoginModule required
      checkUGI=false
      useServerKey=true;
  org.apache.hadoop.security.login.GenericOSLoginModule required;
  org.apache.hadoop.security.login.HadoopLoginModule required
      principalPriority=com.mapr.security.MapRPrincipal;
};