Overview

When you install Hadoop, security is not applied by default. To apply security to Hadoop, you need to use an authentication system called [Kerberos](https://web.mit.edu/kerberos/), and setting it up can be quite challenging, so I decided to document the process.

This guide was written based on the [Secured Hadoop official documentation](https://hadoop.apache.org/docs/r2.10.2/hadoop-project-dist/hadoop-common/SecureMode.html).

Building a Hadoop Cluster

Before applying Kerberos security, it is assumed that a Hadoop cluster is already set up. It is also assumed that there are 2 NameNodes and 3 JournalNodes for High Availability (H/A). ZooKeeper is required for this setup.

Creating Linux Users

A `hadoop` group and an `hdfs` account must exist on Linux. This is because, to apply Kerberos, you need to start the NameNode and DataNode under that account.

Creating Directories on Linux

The NameNode data storage location `/dfs/nn`, the JournalNode storage location `/dfs/jn`, and the DataNode storage location `/dfs/dn` must be created in advance, and appropriate permissions must be granted.

Creating Kerberos Principals

Create `hdfs/{fqdn}@{realm}` and `HTTP/{fqdn}@{realm}` principals on the Kerberos Server, and download the keytab that allows login with those principals. To log in using this keytab, the `/etc/krb5.conf` file must be properly configured.

Installing jsvc

In a secured environment, running the DataNode is the most challenging part because it must be executed using jsvc.

yum install jsvcwhich jsvc

which jsvc

Modifying Configuration

The configurations below must be identical across all servers.

<!-- JournalNode -->

<!-- NameNode -->

<!-- DataNode -->

<!-- Web -->

Uncomment the `JSVC_HOME` and `HADOOP_SECURE_DN_USER` sections that are commented out in the file below.

Set the value from `which jsvc` to JSVC_HOME, and set `hdfs` for HADOOP_SECURE_DN_USER.

The jsvc implementation to use. Jsvc is required to run secure datanodes

that bind to privileged ports to provide authentication of data transfer

protocol. Jsvc is not required if SASL is configured for authentication of

data transfer protocol using non-privileged ports.

export JSVC_HOME=/usr/bin

On secure datanodes, user to run the datanode as after dropping privileges.

This **MUST** be uncommented to enable secure HDFS if using privileged ports

to provide authentication of data transfer protocol. This **MUST NOT** be

defined if SASL is configured for authentication of data transfer protocol

using non-privileged ports.

export HADOOP_SECURE_DN_USER=hdfs

Starting JournalNode, NameNode, and DataNode

If this is the initial cluster setup, the following steps are required.

1. Start ZooKeepers: `zookeeper/bin/zkServer.sh start` (on all 3 nodes).

2. Format ZKFC: `hdfs zkfc -formatZK` (run only once).

3. Start JournalNodes: `hdfs journalnode` (on all 3 nodes).

4. Format active NameNode: `hdfs namenode -format` (run only once on the active NameNode)

5. Start active NameNode: `hdfs namenode` (run on the active NameNode)

6. Format standby NameNode: `hdfs namenode -bootstrapStandby` (run only once on the standby NameNode)

7. Start standby NameNode: `hdfs namenode` (run on the standby NameNode)

8. Start ZKFC: `hdfs zkfc` (run on the nodes where the active and standby NameNodes reside)

9. Start DataNodes: `hdfs datanode` (run on the data nodes)

Important note: JournalNode, NameNode, and ZKFC should be started with the hdfs account, while DataNode and ZooKeeper should be started with the root account.

If the installation is successful,

you can access the NameNode Web UI at http://namenode_ip_address:9870.

The security section should be displayed as `on` as shown below.

Quiz

Q1: What is the main topic covered in "Building a Secured (Kerberized) Hadoop Cluster"?

Learn how to apply Kerberos security to Hadoop.

Learn how to apply Kerberos security to Hadoop.

Consider the practical examples and patterns discussed throughout the post.