- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Created on 02-15-2018 08:10 PM
Motivation:
When Hadoop components (HDFS et. al.) are configured to connect to external sources like LDAP, the LDAP bind passwords need to be given in configuration file (core-site.xml) in clear text. For many enterprise environments, having password in clear text is not allowed and is often flagged as risk in Security Audits.
This article teaches Hadoop administrators on how to secure these plaintext password in Hadoop configuration.
Configuration Steps:
1. Before starting, make sure that LDAP bind is working with plain text password. So, the HDFS should be configured with these settings in core-site.xml (the following values should be changed to match your LDAP/AD environment. These are working example values from my AD setup)
hadoop.security.group.mapping=org.apache.hadoop.security.LdapGroupsMapping hadoop.security.group.mapping.ldap.base=ou=CorpUsers,dc=lab,dc=hortonworks,dc=net hadoop.security.group.mapping.ldap.bind.user=cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net hadoop.security.group.mapping.ldap.bind.password=s0mePassw0rd hadoop.security.group.mapping.ldap.search.attr.group.name=cn hadoop.security.group.mapping.ldap.search.attr.member=member hadoop.security.group.mapping.ldap.search.filter.group=(objectclass=group) hadoop.security.group.mapping.ldap.search.filter.user=(objectcategory=person) hadoop.security.group.mapping.ldap.url=ldap://myad.lab.hortonworks.net:389
Notice that the LDAP bind password is in clear text.
2. Also at this point, HDFS should be able to resolve LDAP group(s) for an LDAP user. To check, use this command - hdfs groups <username>. For example,
# hdfs groups hr1 hr1 : hadoop-users hadoop-admins HDP Ranger Admins
With this basic setup, we are ready to secure our plaintext password.
3. Hadoop offers Credential Provider APIs which can be used to secure various passwords (not just LDAP bind password) in secure JCEKS (Java Cryptography Extension KeyStore) files. We will use the same in this article.
4. First of all, create a JCEKS file using hadoop credential command to store property name & bind password:
# hadoop credential create hadoop.security.group.mapping.ldap.bind.password -value s0mePassw0rd -provider jceks://file/etc/security/bind.jceks hadoop.security.group.mapping.ldap.bind.password has been successfully created. org.apache.hadoop.security.alias.JavaKeyStoreProvider has been updated.
This command creates a /etc/security/bind.jceks file with encrypted password & default permission of 700.
5. Update file permission of /etc/security/bind.jceks to 755 for root user.
# chmod 755 /etc/security/bind.jceks # ls -l /etc/security/bind.jceks -rwxr-xr-x. 1 root root 533 Feb 15 20:00 /etc/security/bind.jceks
6. Let's use this credential provider in Hadoop configuration (core-site.xml):
hadoop.security.credential.provider.path=localjceks://file/etc/security/bind.jceks
and remove hadoop.security.group.mapping.ldap.bind.password property as well.
7. Restart HDFS NameNode service to load new property.
8. Verify that the LDAP groups are still able to resolve for an LDAP user.
Created on 06-10-2021 01:07 PM - edited 06-10-2021 01:09 PM
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Do you know what encryption algorithm the Hadoop Credential Store uses? I need to encrypt the LDAP password with AES-256 algorithm.