Secure Webhdfs in Hadoop Hortonworks Cluster

Contributor

Dear community

I have installed a Hadoop cluster on 8 servers using Ambari Hortonworks.

I am able to access WebHDFS using the IP address and the default port 50070 without authentication.

How can I secure WebHDFS?

P.S. I did not enable Kerberos using Ambari > Enable Kerberos; should I do it?

Any suggestion will be appreciated

Thanks

Asma

1 ACCEPTED SOLUTION

Master Mentor

@asmarz 

Good to know that your original issue is resolved. However, for any subsequent, slightly different issue it is always better to open a new Community Thread; that way the readers of this thread can easily find one Error/Issue with one Solution. Multiple issues in a single thread can cause readers to get confused.

If your question is answered, then please make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

10 REPLIES

New Contributor
  1. Set the value of the dfs.webhdfs.enabled property in hdfs-site.xml to true.
    <property>
      <name>dfs.webhdfs.enabled</name>
      <value>true</value> 
    </property>
  2. Create an HTTP service user principal.
    kadmin: addprinc -randkey HTTP/$<Fully_Qualified_Domain_Name>@$<Realm_Name>.COM
    where:
    • Fully_Qualified_Domain_Name: Host where the NameNode is deployed.
    • Realm_Name: Name of your Kerberos realm.
  3. Create a keytab file for the HTTP principal.
    kadmin: xst -norandkey -k /etc/security/spnego.service.keytab HTTP/$<Fully_Qualified_Domain_Name>
  4. Verify that the keytab file and the principal are associated with the correct service.
    klist -k -t /etc/security/spnego.service.keytab
  5. Add the dfs.web.authentication.kerberos.principal and dfs.web.authentication.kerberos.keytab properties to hdfs-site.xml.
    <property>
      <name>dfs.web.authentication.kerberos.principal</name>
      <value>HTTP/$<Fully_Qualified_Domain_Name>@$<Realm_Name>.COM</value>
    </property>
    <property>
      <name>dfs.web.authentication.kerberos.keytab</name>
      <value>/etc/security/spnego.service.keytab</value>
    </property>
  6. Restart the NameNode and the DataNodes.
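
An added example, not part of the reply above or of any Hortonworks tooling: a Python check that reads an hdfs-site.xml and reports which of the settings from steps 1 and 5 are missing or malformed. The sample configurations, host name and realm are constructed, the function names are hypothetical, and it assumes the keytab should be given as an absolute path, as in step 5.

```python
import xml.etree.ElementTree as ET

ENABLED = "dfs.webhdfs.enabled"
PRINCIPAL = "dfs.web.authentication.kerberos.principal"
KEYTAB = "dfs.web.authentication.kerberos.keytab"
# Constructed samples: OPEN lacks the SPNEGO settings, SECURED has them (made-up host/realm).
OPEN_CONFIG = """<configuration>
  <property><name>dfs.webhdfs.enabled</name><value>true</value></property>
</configuration>"""
SECURED_CONFIG = """<configuration>
  <property><name>dfs.webhdfs.enabled</name><value>true</value></property>
  <property><name>dfs.web.authentication.kerberos.principal</name>
    <value>HTTP/nn1.example.com@EXAMPLE.COM</value></property>
  <property><name>dfs.web.authentication.kerberos.keytab</name>
    <value>/etc/security/spnego.service.keytab</value></property>
</configuration>"""

def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop config file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_webhdfs(xml_text):
    """Return a list of gaps relative to steps 1 and 5 of the reply."""
    props, findings = load_properties(xml_text), []
    if props.get(ENABLED, "").lower() != "true":
        findings.append(f"{ENABLED} is not true")
    principal = props.get(PRINCIPAL, "")
    service, _, rest = principal.partition("/")
    host, _, realm = rest.partition("@")
    if not principal:
        findings.append(f"{PRINCIPAL} is missing")
    elif service != "HTTP" or not host or not realm:
        findings.append(f"{PRINCIPAL} is not HTTP/<host>@<REALM>")
    elif "$" in principal:
        findings.append(f"{PRINCIPAL} still holds a $ placeholder")
    keytab = props.get(KEYTAB, "")
    if not keytab:
        findings.append(f"{KEYTAB} is missing")
    elif not keytab.startswith("/"):  # assumption: absolute path, as in step 5
        findings.append(f"{KEYTAB} is not an absolute path")
    return findings

if __name__ == "__main__":
    print(audit_webhdfs(OPEN_CONFIG), audit_webhdfs(SECURED_CONFIG))
```

An empty list means the file carries all three settings in the expected form; it does not confirm that the keytab exists on disk or that the services were restarted.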