2.1. Configuration Overview

Configuring Hadoop for Kerberos has three parts:

  • Creating a mapping between service principals and UNIX usernames.

    Hadoop uses users' group memberships at various places for things like determining group ownership for files or for access control.

    A user is mapped to the groups it belongs to using an implementation of the GroupMappingServiceProvider interface. The implementation is pluggable and is configured in core-site.xml.

    By default Hadoop uses ShellBasedUnixGroupsMapping, which is an implementation of GroupMappingServiceProvider. It fetches the group membership for a username by executing a UNIX shell command. In secure clusters, since the usernames are actually Kerberos principals, ShellBasedUnixGroupsMapping will work only if the Kerberos principals map to valid UNIX usernames. Hadoop provides a feature that lets administrators specify mapping rules to map a Kerberos principal to a local UNIX username .

  • Adding information to various service configuration files.

    There are several optional entries in the main service configuration files that must be added to enable security on Hadoop.

  • Adding Java Cryptography Extension (JCE) security policy .jars to every host.

loading table of contents...