ApacheAmbari2.6.1.5安全性指南

Hadoop

Ambari

需积分: 10 78 浏览量更新于2023-03-16 评论收藏 15.32MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

资源详情

资源评论

资源推荐

Hortonworks Data Platform

(December 15, 2017)

Security

docs.hortonworks.com

Hortonworks Data Platform December 15, 2017

iii

Table of Contents

1. HDP Security Overview ................................................................................................ 1

1.1. What's New in This Release ............................................................................... 1

1.2. Understanding Data Lake Security .................................................................... 5

1.3. HDP Security Features ....................................................................................... 6

1.3.1. Administration ....................................................................................... 7

1.3.2. Authentication and Perimeter Security ................................................... 8

1.3.3. Authorization ......................................................................................... 9

1.3.4. Audit .................................................................................................... 11

1.3.5. Data Protection .................................................................................... 11

2. Authentication ........................................................................................................... 12

2.1. Enabling Kerberos Authentication Using Ambari ............................................. 12

2.1.1. Kerberos Overview ............................................................................... 12

2.1.2. Kerberos Principals ............................................................................... 13

2.1.3. Installing and Configuring the KDC ....................................................... 14

2.1.4. Enabling Kerberos Security ................................................................... 19

2.1.5. Kerberos Client Packages ...................................................................... 24

2.1.6. Disabling Kerberos Security .................................................................. 24

2.1.7. Customizing the Attribute Template ..................................................... 25

2.1.8. Managing Admin Credentials ............................................................... 25

2.2. Configuring HDP Components for Kerberos Using Ambari ............................... 26

2.2.1. Configuring Kafka for Kerberos Using Ambari ...................................... 26

2.2.2. Configuring Storm for Kerberos Using Ambari ...................................... 41

2.3. Configuring Ambari Authentication with LDAP or AD ...................................... 46

2.3.1. Configuring Ambari for LDAP or Active Directory Authentication .......... 46

2.3.2. Configuring Ranger Authentication with UNIX, LDAP, or AD ................. 52

2.3.3. Encrypting Database and LDAP Passwords in Ambari ............................ 60

2.4. Configuring LDAP Authentication in Hue ......................................................... 62

2.4.1. Enabling the LDAP Backend ................................................................. 62

2.4.2. Enabling User Authentication with Search Bind ..................................... 62

2.4.3. Setting the Search Base to Find Users and Groups ................................. 63

2.4.4. Specifying the URL of the LDAP Server ................................................. 64

2.4.5. Specifying LDAPS and StartTLS Support ................................................ 64

2.4.6. Specifying Bind Credentials for LDAP Searches ...................................... 64

2.4.7. Synchronizing Users and Groups ........................................................... 64

2.4.8. Setting Search Bind Authentication and Importing Users and

Groups ........................................................................................................... 65

2.4.9. Setting LDAP Users' Filter ..................................................................... 65

2.4.10. Setting an LDAP Groups Filter ............................................................ 66

2.4.11. Setting Multiple LDAP Servers ............................................................. 66

2.5. Advanced Security Options for Ambari ............................................................ 67

2.5.1. Configuring Ambari for Non-Root ......................................................... 67

2.5.2. Optional: Ambari Web Inactivity Timeout ............................................. 71

2.5.3. Optional: Set Up Kerberos for Ambari Server ........................................ 72

2.5.4. Optional: Set Up Two-Way SSL Between Ambari Server and Ambari

Agents ........................................................................................................... 73

2.5.5. Optional: Configure Ciphers and Protocols for Ambari Server ................ 73

2.5.6. Optional: HTTP Cookie Persistence ........................................................ 73

2.6. Enabling SPNEGO Authentication for Hadoop ................................................. 74

Hortonworks Data Platform December 15, 2017

2.6.1. Configure Ambari Server for Authenticated HTTP ................................. 74

2.6.2. Configuring HTTP Authentication for HDFS, YARN, MapReduce2,

HBase, Oozie, Falcon and Storm .................................................................... 74

2.6.3. Enabling Browser Access to a SPNEGO-enabled Web UI ........................ 75

2.7. Setting Up Kerberos Authentication for Non-Ambari Clusters ........................... 76

2.7.1. Preparing Kerberos ............................................................................... 76

2.7.2. Configuring HDP for Kerberos .............................................................. 82

2.7.3. Setting up One-Way Trust with Active Directory .................................. 110

2.7.4. Configuring Proxy Users ...................................................................... 112

2.8. Perimeter Security with Apache Knox ............................................................ 112

2.8.1. Apache Knox Gateway Overview ........................................................ 112

2.8.2. Configuring the Knox Gateway ........................................................... 115

2.8.3. Defining Cluster Topologies ................................................................ 120

2.8.4. Configuring a Hadoop Server for Knox ............................................... 121

2.8.5. Mapping the Internal Nodes to External URLs ..................................... 126

2.8.6. Configuring Authentication ................................................................ 130

2.8.7. Configuring Identity Assertion ............................................................ 149

2.8.8. Configuring Service Level Authorization .............................................. 158

2.8.9. Audit Gateway Activity ....................................................................... 162

2.8.10. Gateway Security .............................................................................. 164

2.8.11. Setting Up Knox Services for HA ....................................................... 168

2.8.12. Knox CLI Testing Tools ...................................................................... 171

2.9. Knox SSO ...................................................................................................... 172

2.9.1. Identity Providers (IdP) ....................................................................... 173

2.9.2. Setting up Knox SSO for Ambari ......................................................... 177

2.9.3. Setting up Knox SSO for Ranger Web UI ............................................. 178

2.9.4. Setting up the Knox Token Service for Ranger APIs ............................. 180

2.9.5. Setting up Knox SSO for Apache Atlas ................................................ 182

3. Configuring Authorization in Hadoop ...................................................................... 184

3.1. Installing Ranger Using Ambari ..................................................................... 184

3.1.1. Overview ............................................................................................ 184

3.1.2. Installation Prerequisites ..................................................................... 184

3.1.3. Ranger Installation ............................................................................. 193

3.1.4. Enabling Ranger Plugins ..................................................................... 234

3.1.5. Ranger Plugins - Kerberos Overview .................................................... 269

3.2. Using Ranger to Provide Authorization in Hadoop ......................................... 273

3.2.1. About Ranger Policies ......................................................................... 274

3.2.2. Using the Ranger Console ................................................................... 279

3.2.3. Configuring Resource-Based Services ................................................... 284

3.2.4. Resource-Based Policy Management ................................................... 301

3.2.5. Row-level Filtering and Column Masking in Hive .................................. 334

3.2.6. Adding Tag-based Service ................................................................... 348

3.2.7. Tag-Based Policy Management ........................................................... 350

3.2.8. Users/Groups and Permissions Administration ..................................... 369

3.2.9. Reports Administration ....................................................................... 381

3.2.10. Special Requirements for High Availability Environments ................... 385

3.2.11. Adding a New Component to Apache Ranger ................................... 386

3.2.12. Developing a Custom Authorization Module ..................................... 389

3.2.13. Apache Ranger Public REST API ........................................................ 389

4. Data Protection: Wire Encryption ............................................................................. 424

4.1. Enabling RPC Encryption ............................................................................... 424

Hortonworks Data Platform December 15, 2017

4.2. Enabling Data Transfer Protocol .................................................................... 425

4.3. Enabling SSL: Understanding the Hadoop SSL Keystore Factory ...................... 425

4.4. Creating and Managing SSL Certificates ......................................................... 427

4.4.1. Obtain a Certificate from a Trusted Third-Party Certification Authority

(CA) ............................................................................................................. 427

4.4.2. Create and Set Up an Internal CA (OpenSSL) ...................................... 429

4.4.3. Installing Certificates in the Hadoop SSL Keystore Factory (HDFS,

MapReduce, and YARN) .............................................................................. 432

4.4.4. Using a CA-Signed Certificate .............................................................. 433

4.5. Enabling SSL for HDP Components ................................................................ 434

4.6. Enable SSL for WebHDFS, MapReduce Shuffle, Tez, and YARN ....................... 435

4.7. Enable SSL for HttpFS .................................................................................... 438

4.8. Enable SSL on Oozie ...................................................................................... 439

4.8.1. Configure the Oozie Client to Connect Using SSL ................................ 439

4.8.2. Connect to the Oozie Web UI Using SSL ............................................. 440

4.8.3. Configure Oozie HCatalogJob Properties ............................................ 440

4.9. Enable SSL on the HBase REST Server ............................................................ 440

4.10. Enable SSL on the HBase Web UI ................................................................ 442

4.11. Enable SSL on HiveServer2 ........................................................................... 443

4.11.1. Setting up SSL with self-signed certificates ........................................ 444

4.11.2. Selectively disabling SSL protocol versions ......................................... 445

4.12. Enable SSL for Kafka Clients ........................................................................ 445

4.12.1. Configuring the Kafka Broker ........................................................... 445

4.12.2. Configuring Kafka Producer and Kafka Consumer ............................. 447

4.13. Enable SSL for Accumulo ............................................................................. 448

4.13.1. Generate a Certificate Authority ....................................................... 448

4.13.2. Generate a Certificate/Keystore Per Host .......................................... 449

4.13.3. Configure Accumulo Servers ............................................................. 450

4.13.4. Configure Accumulo Clients .............................................................. 451

4.14. Enable SSL for Apache Atlas ........................................................................ 451

4.14.1. Configuring Apache Atlas SSL ........................................................... 451

4.14.2. Credential Provider Utility Script ....................................................... 453

4.15. SPNEGO setup for WebHCat ........................................................................ 454

4.16. Configure SSL for Hue ................................................................................. 454

4.16.1. Enabling SSL on Hue by Using a Private Key ...................................... 455

4.16.2. Enabling SSL on Hue Without Using a Private Key ............................. 455

4.17. Configure SSL for Knox ............................................................................... 455

4.17.1. Self-Signed Certificate with Specific Hostname for Evaluations ........... 455

4.17.2. CA-Signed Certificates for Production ................................................ 456

4.17.3. Setting Up Trust for the Knox Gateway Clients .................................. 456

4.18. Securing Phoenix ......................................................................................... 457

4.19. Set Up SSL for Ambari ................................................................................. 457

4.19.1. Set Up Truststore for Ambari Server .................................................. 458

4.20. Configure Ambari Ranger SSL ...................................................................... 459

4.20.1. Configuring Ambari Ranger SSL Using Public CA Certificates .............. 459

4.20.2. Configuring Ambari Ranger SSL Using a Self-Signed Certificate .......... 474

4.20.3. Configure Ranger Admin Database for SSL-Enabled MySQL ............... 489

4.21. Configure Non-Ambari Ranger SSL .............................................................. 490

4.21.1. Configuring Non-Ambari Ranger SSL Using Public CA Certificates ....... 490

4.21.2. Configuring Non-Ambari Ranger SSL Using a Self Signed

Certificate .................................................................................................... 493

剩余638页未读，继续阅读

devalone

粉丝: 106
资源: 38

会员权益专享

Apache Ambari 2.6.1.5 安全性指南

评论0

会员权益专享

最新资源

Apache Ambari 2.6.1.5 安全性指南

评论0

Ambari汉化及单点登录配置.doc

Ambari 操作指南 .docx

Apache Ambari 2.6.1.5 操作指南

使用Apache Ambari快速部署Hadoop集群

ambari-2.6.0.0-centos7.tar.gz官网下载

ambari-2.7.5.0-centos7.tar.gz 下载

Apache Ambari在centos7下的部署手顺

查看ambari版本

Apache Ambari 官方文档查看

cp ambari.repo /etc/yum.repos.d/

Apache Ambari

我没有安装ambari，如何从官网查看ambari内部组件版本

msg=org.apache.hadoop.hbase.ipc.ServerNotRunningYetException: Server ambari-01,17020,1694355365450 is not running yet

ambari-server.py

FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.MoveTask. Unable to move source hdfs

return code 2 from org.apache.hadoop.hive.ql.exec.tez.testask. vertex failed,vertexname=map 1

环境AMbari2.7.4 HDP3.1.4 启动Hbase Master java.lang.UnsupportedOperationException: Constructor threw an exception for org.apache.hadoop.hbase.ipc.NettyRpcServer

k8s中安装ambari

ambari源码编译安装

会员权益专享

最新资源