Hi to all!
I'm configuring a little HDP cluster composed by an edge node in a front end DMZ a master node and two slave nodes in a back end secure network; all the configuration is managed via an Ambari Server installed on the edge node in the front end DMZ.
Security policies block all http connection even among trusted server so I have to secure on ssl and https all comunications among server and services.
I'm following documentation and some community resources, but I have some doubts.
1) Here docs say
Secondary NameNode is not supported with the HTTPS port. It can only be accessed via http://<SNN>:50090
and for me that is a problem because I can't ask to open the port between front end node (Ambari Server) and back end node (Secondary NameNode) on http protocol so my Ambari server can't start the service. I don't need to have a secondary name node because I have a NameNode server full back up available and I would to disable the secondary name node. My question; it is possibile from Ambari Server (or editing config file on file system) to disable the secondary name node server?
2) I'm starting to configure SSL and https comunications for the services I need to start on my cluster.
Here docs says
From the service user account associated with the component (such as hive, hbase, oozie, or hdfs, shown below as<service_user>), generate the host key su -l <service_user> -C "keytool -keystore <client-keystore> -genkey -alias <host>" ...
what I understood is that I need to obtain a certificate for every service on every master node and to install and configure it in the Hadoop SSL Keystore Factory. Here are my questions...
- Do I need to install and configure certificates just on service server? e.g for hdfs service do I need to configure certificates just on the node where NameNode service runs on?
- Can I use a host certificate (independent from the service) if more than a service run on the same host? e.g. NameNode and ResourceManager run on the same host
I'm sorry for post length, but it's my first time configuring a cluster in secure environment.
Thanks in advance for the help!
I replied to my first question.
I disabled Secondary NameNode deleting the component via API
curl -u admin:admin -H "X-Requested-By: ambari" -X DELETE https://<ambari_server_host>:8443/api/v1/clusters/<cluster_name>/hosts/<secondary_nn_host>/host_comp...
before calling the API it is mandatory to stop ambari agent on the host