Re: Starting datanode in secure mode

2011-08-31 Thread Thomas Weise 
Thanks Ravi. This has brought my local hadoop cluster to life!

The two things I was missing:

1) Have to use privileged ports



  dfs.datanode.address
  0.0.0.0:1004


  dfs.datanode.http.address
  0.0.0.0:1006


2) implied by 1) sudo required to launch datanode

Clearly, this is geared towards the production system. For development, having 
the ability to run with Kerberos but w/o the need for privileged resources 
would be desirable.


On Aug 30, 2011, at 9:00 PM, Ravi Prakash wrote:

> In short you MUST use priviledged resourced.
> 
> In long:
> 
> Here's what I did to setup a secure single node cluster. I'm sure there's
> other ways, but here's how I did it.
> 
>1.Install krb5-server
>2.Setup the kerberos configuration (files attached).
> /var/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf
> http://yahoo.github.com/hadoop-common/installing.html
>3.To clean up everything :
> http://mailman.mit.edu/pipermail/kerberos/2003-June/003312.html
>4.Create Kerberos database $ sudo kdb5_util create -s
>5.Start Kerberos $ sudo /etc/rc.d/init.d/kadmin start $ sudo
> /etc/rc.d/init.d/krb5kdc start
>6.Create principal raviprak/localhost.localdomain@localdomain
> http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Adding-or-Modifying-Principals.html
>7.Create keytab fiie using “xst -k /home/raviprak/raviprak.keytab
> raviprak/localhost.localdomain@localdomain”
>8.Setup hdfs-site.xml and core-site.xml (files attached)
>9.sudo hostname localhost.localdomain
>10.hadoop-daemon.sh start namenode
>11.sudo bash. Then export HADOOP_SECURE_DN_USER=raviprak . Then
> hadoop-daemon.sh start datanode
> 
> 
> 
> CORE-SITE.XML
> 
> 
> 
> 
> 
> 
> 
>
>fs.default.name
>hdfs://localhost:9001
>
>
>hadoop.security.authorization
>true
>
>
>hadoop.security.authentication
>kerberos
>
>  
>dfs.namenode.kerberos.principal
>raviprak/localhost.localdomain
>  
>  
>dfs.datanode.kerberos.principal
>raviprak/localhost.localdomain
>  
>  
>dfs.secondary.namenode.kerberos.principal
>raviprak/localhost.localdomain
>  
> 
> 
> =
> 
> 
> 
> HDFS-SITE.XML
> =
> 
> 
> 
> 
> 
> 
>
>dfs.replication
>1
>
> 
>
>dfs.name.dir.restore
>false
>
> 
>
>dfs.namenode.checkpoint.period
>10
>
> 
>
>dfs.namenode.keytab.file
>/home/raviprak/raviprak.keytab
>
> 
>
>dfs.secondary.namenode.keytab.file
>/home/raviprak/raviprak.keytab
>
> 
>
>dfs.datanode.keytab.file
>/home/raviprak/raviprak.keytab
>
> 
>
>dfs.datanode.address
>0.0.0.0:1004
>
> 
>
>dfs.datanode.http.address
>0.0.0.0:1006
>
> 
>
>dfs.namenode.kerberos.principal
>raviprak/localhost.localdomain@localdomain
>
> 
>
>dfs.secondary.namenode.kerberos.principal
>raviprak/localhost.localdomain@localdomain
>
> 
>
>dfs.datanode.kerberos.principal
>raviprak/localhost.localdomain@localdomain
>
> 
>
>dfs.namenode.kerberos.https.principal
>raviprak/localhost.localdomain@localdomain
>
> 
>
>dfs.secondary.namenode.kerberos.https.principal
>raviprak/localhost.localdomain@localdomain
>
> 
>
>dfs.datanode.kerberos.https.principal
>raviprak/localhost.localdomain@localdomain
>
> 
> 
> =
> 
> 
> On Tue, Aug 30, 2011 at 8:08 PM, Thomas Weise  wrote:
> 
>> I'm configuring a local hadoop cluster in secure mode for
>> development/experimental purposes on Ubuntu 11.04 with the hadoop-0.20.203.0
>> distribution from apache mirror.
>> 
>> I have the basic Kerberos setup working, can start namenode in secure mode
>> and connect to it with hadoop fs -ls
>> 
>> I'm not able to get the datanode start in secure mode - what do I have to
>> do to make that happen?
>> 
>> The error I get:
>> 
>> 11/08/30 18:01:57 INFO security.UserGroupInformation: Login successful for
>> user hduser/hdev-vm@HADOOP.LOCALDOMAIN using ke

Starting datanode in secure mode

2011-08-30 Thread Thomas Weise 
I'm configuring a local hadoop cluster in secure mode for 
development/experimental purposes on Ubuntu 11.04 with the hadoop-0.20.203.0 
distribution from apache mirror.

I have the basic Kerberos setup working, can start namenode in secure mode and 
connect to it with hadoop fs -ls 

I'm not able to get the datanode start in secure mode - what do I have to do to 
make that happen? 

The error I get:

11/08/30 18:01:57 INFO security.UserGroupInformation: Login successful for user 
hduser/hdev-vm@HADOOP.LOCALDOMAIN using keytab file /opt/hadoop/conf/nn.keytab
11/08/30 18:01:57 ERROR datanode.DataNode: java.lang.RuntimeException: Cannot 
start secure cluster without privileged resources.
at 
org.apache.hadoop.hdfs.server.datanode.DataNode.startDataNode(DataNode.java:293)
at 
org.apache.hadoop.hdfs.server.datanode.DataNode.(DataNode.java:268)
at 
org.apache.hadoop.hdfs.server.datanode.DataNode.makeInstance(DataNode.java:1480)
at 
org.apache.hadoop.hdfs.server.datanode.DataNode.instantiateDataNode(DataNode.java:1419)
at 
org.apache.hadoop.hdfs.server.datanode.DataNode.createDataNode(DataNode.java:1437)
at 
org.apache.hadoop.hdfs.server.datanode.DataNode.secureMain(DataNode.java:1563)
at 
org.apache.hadoop.hdfs.server.datanode.DataNode.main(DataNode.java:1573)

11/08/30 18:01:57 INFO datanode.DataNode: SHUTDOWN_MSG: 
/
SHUTDOWN_MSG: Shutting down DataNode at hdev-vm/127.0.1.1

I have not configured the system to use port numbers that require root (yet). 
All I want is the datanode to run in secure mode with kerberos authentication.

Any pointers would be greatly appreciated!

Thomas