HBase multi-user security
Hi,

Looking at this further, it appears that when HBaseRPC is creating a proxy (e.g., SecureRpcEngine), it injects the current user: User.getCurrent() which by default is the cached Kerberos TGT (kinit'ed user - using the hadoop-user-kerberos JAAS context).

Since the server proxy always uses User.getCurrent(), how can an application inject the user it wants to use for authorization checks on the peer (region server)?

And since SecureHadoopUser is a static class, how can you have more than 1 active user in the same application?

What you have works for a single user application like the hbase shell, but what about a multi-user application?

Am I missing something?

Thanks!

-Tony

-Original Message-
From: Alejandro Abdelnur [mailto:t...@cloudera.com]
Sent: Monday, July 02, 2012 11:40 AM
To: common-user@hadoop.apache.org
Subject: Re: hadoop security API (repost)

Tony,

If you are doing a server app that interacts with the cluster on behalf of different users (like Oozie, as you mentioned in your email), then you should use the proxyuser capabilities of Hadoop.

* Configure user MYSERVERUSER as proxyuser in Hadoop core-site.xml (this requires 2 properties settings, HOSTS and GROUPS).
* Run your server app as MYSERVERUSER and have a Kerberos principal MYSERVERUSER/MYSERVERHOST
* Initialize your server app loading the MYSERVERUSER/MYSERVERHOST keytab
* Use the UGI.doAs() to create JobClient/Filesystem instances using the user you want to do something on behalf
* Keep in mind that all the users you need to do something on behalf should be valid Unix users in the cluster
* If those users need direct access to the cluster, they'll have to be also defined in the KDC user database.

Hope this helps.

Thx

On Mon, Jul 2, 2012 at 6:22 AM, Tony Dean tony.d...@sas.com wrote:

Yes, but this will not work in a multi-tenant environment. I need to be able to create a Kerberos TGT per execution thread.

I was hoping through JAAS that I could inject the name of the current principal and authenticate against it. I'm sure there is a best practice for hadoop/hbase client API authentication, just not sure what it is.

Thank you for your comment. The solution may well be associated with the UserGroupInformation class. Hopefully, other ideas will come from this thread.

Thanks.

-Tony

-Original Message-
From: Ivan Frain [mailto:ivan.fr...@gmail.com]
Sent: Monday, July 02, 2012 8:14 AM
To: common-user@hadoop.apache.org
Subject: Re: hadoop security API (repost)

Hi Tony,

I am currently working on this to access HDFS securely and programmatically. What I have found so far may help even if I am not 100% sure this is the right way to proceed.

If you have already obtained a TGT from the kinit command, hadoop library will locate it automatically if the name of the ticket cache corresponds to default location. On Linux it is located /tmp/krb5cc_uid-number.

For example, with my linux user hdfs, I get a TGT for hadoop user 'ivan' meaning you can impersonate ivan from hdfs linux user:

--
    hdfs@mitkdc:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_10003
    Default principal: i...@hadoop.lan

    Valid starting     Expires            Service principal
    02/07/2012 13:59   02/07/2012 23:59   krbtgt/hadoop@hadoop.lan
            renew until 03/07/2012 13:59
---

Then, you just have to set the right security options in your hadoop client in java and the identity will be i...@hadoop.lan for our example.

In my tests, I only use HDFS and here a snippet of code to have access to a secure hdfs cluster assuming the previous TGT (ivan's impersonation):

    val conf: HdfsConfiguration = new HdfsConfiguration()
    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos")
    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true")
    conf.set(DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY, serverPrincipal)
    UserGroupInformation.setConfiguration(conf)
    val fs = FileSystem.get(new URI(hdfsUri), conf)

Using this 'fs' is a handler to access hdfs securely as user 'ivan' even if ivan does not appear in the hadoop client code.

Anyway, I also see two other options:

* Setting the KRB5CCNAME environment variable to point to the right ticketCache file
* Specifying the keytab file you want to use from the UserGroupInformation singleton API: UserGroupInformation.loginUserFromKeytab(user, keytabFile)

If you want to understand the auth process and the different options to login, I guess you need to have a look to the UserGroupInformation.java source code (release 0.23.1 link: http://bit.ly/NVzBKL). The private class HadoopConfiguration line 347 is of major interest in our case.

Another point is that I did not find any easy way to prompt the user
RE: hadoop security API (repost)
Yes, but this will not work in a multi-tenant environment. I need to be able to create a Kerberos TGT per execution thread.

I was hoping through JAAS that I could inject the name of the current principal and authenticate against it. I'm sure there is a best practice for hadoop/hbase client API authentication, just not sure what it is.

Thank you for your comment. The solution may well be associated with the UserGroupInformation class. Hopefully, other ideas will come from this thread.

Thanks.

-Tony

-Original Message-
From: Ivan Frain [mailto:ivan.fr...@gmail.com]
Sent: Monday, July 02, 2012 8:14 AM
To: common-user@hadoop.apache.org
Subject: Re: hadoop security API (repost)

Hi Tony,

I am currently working on this to access HDFS securely and programmatically. What I have found so far may help even if I am not 100% sure this is the right way to proceed.

If you have already obtained a TGT from the kinit command, hadoop library will locate it automatically if the name of the ticket cache corresponds to default location. On Linux it is located /tmp/krb5cc_uid-number.

For example, with my linux user hdfs, I get a TGT for hadoop user 'ivan' meaning you can impersonate ivan from hdfs linux user:

--
    hdfs@mitkdc:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_10003
    Default principal: i...@hadoop.lan

    Valid starting     Expires            Service principal
    02/07/2012 13:59   02/07/2012 23:59   krbtgt/hadoop@hadoop.lan
            renew until 03/07/2012 13:59
---

Then, you just have to set the right security options in your hadoop client in java and the identity will be i...@hadoop.lan for our example.

In my tests, I only use HDFS and here a snippet of code to have access to a secure hdfs cluster assuming the previous TGT (ivan's impersonation):

    val conf: HdfsConfiguration = new HdfsConfiguration()
    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos")
    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true")
    conf.set(DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY, serverPrincipal)
    UserGroupInformation.setConfiguration(conf)
    val fs = FileSystem.get(new URI(hdfsUri), conf)

Using this 'fs' is a handler to access hdfs securely as user 'ivan' even if ivan does not appear in the hadoop client code.

Anyway, I also see two other options:

* Setting the KRB5CCNAME environment variable to point to the right ticketCache file
* Specifying the keytab file you want to use from the UserGroupInformation singleton API: UserGroupInformation.loginUserFromKeytab(user, keytabFile)

If you want to understand the auth process and the different options to login, I guess you need to have a look to the UserGroupInformation.java source code (release 0.23.1 link: http://bit.ly/NVzBKL). The private class HadoopConfiguration line 347 is of major interest in our case.

Another point is that I did not find any easy way to prompt the user for a password at runtime using the actual hadoop API. It appears to be somehow hardcoded in the UserGroupInformation singleton. I guess it could be nice to have a new function to give to the UserGroupInformation an authenticated 'Subject' which could override all default configurations.

If someone have better ideas it could be nice to discuss on it as well.

BR,
Ivan

2012/7/1 Tony Dean tony.d...@sas.com

Hi,

The security documentation specifies how to test a secure cluster by using kinit and thus adding the Kerberos principal TGT to the ticket cache in which the hadoop client code uses to acquire service tickets for use in the cluster.

What if I created an application that used the hadoop API to communicate with hdfs and/or mapred protocols, is there a programmatic way to inform hadoop to use a particular Kerberos principal name with a keytab that contains its password key? I didn't see a way to integrate with JAAS KrbLoginModule. I was thinking that if I could inject a callbackHandler, I could pass the principal name and the KrbLoginModule already has options to specify keytab. Is this something that is possible? Or is this just not the right way to do things?

I read about impersonation where authentication is performed with a system user such as oozie and then it just impersonates other users so that permissions are based on the impersonated user instead of the system user.

Please help me understand my options for executing hadoop tasks in a multi-tenant application.

Thank you!

--
Ivan Frain
11, route de Grenade
31530 Saint-Paul-sur-Save
mobile: +33 (0)6 52 52 47 07
RE: hadoop security API (repost)
Alejandro,

Thanks for the reply. My intent is to also be able to scan/get/put hbase tables under a specified identity as well. What options do I have to perform the same multi-tenant authorization for these operations? I have posted this to hbase users distribution list as well, but thought you might have insight. Since hbase security authentication is so dependent upon hadoop, it would be nice if your suggestion worked for hbase as well.

Getting back to your suggestion... when configuring hadoop.proxyuser.myserveruser.hosts, host1 would be where I'm making the ugi.doAs() privileged call and host2 is the hadoop namenode?

Also, an another option, is there not a way for an application to pass hadoop/hbase authentication the name of a Kerberos principal to use? In this case, no proxy, just execute as the designated user.

Thanks.

-Tony

-Original Message-
From: Alejandro Abdelnur [mailto:t...@cloudera.com]
Sent: Monday, July 02, 2012 11:40 AM
To: common-user@hadoop.apache.org
Subject: Re: hadoop security API (repost)

Tony,

If you are doing a server app that interacts with the cluster on behalf of different users (like Oozie, as you mentioned in your email), then you should use the proxyuser capabilities of Hadoop.

* Configure user MYSERVERUSER as proxyuser in Hadoop core-site.xml (this requires 2 properties settings, HOSTS and GROUPS).
* Run your server app as MYSERVERUSER and have a Kerberos principal MYSERVERUSER/MYSERVERHOST
* Initialize your server app loading the MYSERVERUSER/MYSERVERHOST keytab
* Use the UGI.doAs() to create JobClient/Filesystem instances using the user you want to do something on behalf
* Keep in mind that all the users you need to do something on behalf should be valid Unix users in the cluster
* If those users need direct access to the cluster, they'll have to be also defined in the KDC user database.

Hope this helps.

Thx

On Mon, Jul 2, 2012 at 6:22 AM, Tony Dean tony.d...@sas.com wrote:

Yes, but this will not work in a multi-tenant environment. I need to be able to create a Kerberos TGT per execution thread.

I was hoping through JAAS that I could inject the name of the current principal and authenticate against it. I'm sure there is a best practice for hadoop/hbase client API authentication, just not sure what it is.

Thank you for your comment. The solution may well be associated with the UserGroupInformation class. Hopefully, other ideas will come from this thread.

Thanks.

-Tony

-Original Message-
From: Ivan Frain [mailto:ivan.fr...@gmail.com]
Sent: Monday, July 02, 2012 8:14 AM
To: common-user@hadoop.apache.org
Subject: Re: hadoop security API (repost)

Hi Tony,

I am currently working on this to access HDFS securely and programmatically. What I have found so far may help even if I am not 100% sure this is the right way to proceed.

If you have already obtained a TGT from the kinit command, hadoop library will locate it automatically if the name of the ticket cache corresponds to default location. On Linux it is located /tmp/krb5cc_uid-number.

For example, with my linux user hdfs, I get a TGT for hadoop user 'ivan' meaning you can impersonate ivan from hdfs linux user:

--
    hdfs@mitkdc:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_10003
    Default principal: i...@hadoop.lan

    Valid starting     Expires            Service principal
    02/07/2012 13:59   02/07/2012 23:59   krbtgt/hadoop@hadoop.lan
            renew until 03/07/2012 13:59
---

Then, you just have to set the right security options in your hadoop client in java and the identity will be i...@hadoop.lan for our example.

In my tests, I only use HDFS and here a snippet of code to have access to a secure hdfs cluster assuming the previous TGT (ivan's impersonation):

    val conf: HdfsConfiguration = new HdfsConfiguration()
    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos")
    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true")
    conf.set(DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY, serverPrincipal)
    UserGroupInformation.setConfiguration(conf)
    val fs = FileSystem.get(new URI(hdfsUri), conf)

Using this 'fs' is a handler to access hdfs securely as user 'ivan' even if ivan does not appear in the hadoop client code.

Anyway, I also see two other options:

* Setting the KRB5CCNAME environment variable to point to the right ticketCache file
* Specifying the keytab file you want to use from the UserGroupInformation singleton API: UserGroupInformation.loginUserFromKeytab(user, keytabFile)

If you want to understand the auth process and the different options to login, I guess you need to have a look to the UserGroupInformation.java source code (release 0.23.1 link: http
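
The proxyuser steps listed in Alejandro Abdelnur's reply, put together as an added Java example (not code from the thread or from the Hadoop project). It shows that per-thread identities need only one Kerberos login, the server's own. The principal, keytab path, host, group and tenant names are placeholders, and the cluster's core-site.xml and hdfs-site.xml are assumed to be on the classpath.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/*
 * Cluster-side core-site.xml for the first step (values are placeholders).
 * "hosts" is where the server app connects from; "groups" limits whom it
 * may impersonate. Keep both narrow rather than "*".
 *
 *   <property>
 *     <name>hadoop.proxyuser.myserveruser.hosts</name>
 *     <value>appserver.example.com</value>
 *   </property>
 *   <property>
 *     <name>hadoop.proxyuser.myserveruser.groups</name>
 *     <value>tenants</value>
 *   </property>
 */
public class ProxyUserDemo {
    // Placeholders, not values from the thread.
    static final String SERVER_PRINCIPAL = "myserveruser/appserver.example.com@EXAMPLE.COM";
    static final String SERVER_KEYTAB = "/etc/security/keytabs/myserveruser.keytab";

    private final Configuration conf = new Configuration();
    private final UserGroupInformation serverUgi;

    ProxyUserDemo() throws IOException {
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // One Kerberos login for the whole JVM: the server's own identity.
        UserGroupInformation.loginUserFromKeytab(SERVER_PRINCIPAL, SERVER_KEYTAB);
        serverUgi = UserGroupInformation.getLoginUser();
    }

    /** Lists dir with the HDFS permissions of endUser; callable from any thread. */
    FileStatus[] listAs(String endUser, final String dir)
            throws IOException, InterruptedException {
        // endUser must be a name this application authenticated itself: the
        // cluster accepts whatever name an authorized proxy user supplies.
        UserGroupInformation proxy = UserGroupInformation.createProxyUser(endUser, serverUgi);
        return proxy.doAs(new PrivilegedExceptionAction<FileStatus[]>() {
            public FileStatus[] run() throws Exception {
                // Created inside doAs, so the instance is bound to the proxy UGI.
                FileSystem fs = FileSystem.get(conf);
                try {
                    return fs.listStatus(new Path(dir));
                } finally {
                    fs.close(); // each proxy UGI gets its own cached instance
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        final ProxyUserDemo demo = new ProxyUserDemo();
        ExecutorService pool = Executors.newFixedThreadPool(2);
        // Two tenants served concurrently; neither has a TGT in this process.
        for (final String user : new String[] {"alice", "bob"}) {
            pool.submit(new Runnable() {
                public void run() {
                    try {
                        FileStatus[] entries = demo.listAs(user, "/user/" + user);
                        int count = (entries == null) ? 0 : entries.length;
                        System.out.println(user + ": " + count + " entries");
                    } catch (Exception e) {
                        System.err.println(user + ": " + e);
                    }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
    }
}
```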
hadoop security API
Hi,

The security documentation specifies how to test a secure cluster by using kinit and thus adding the Kerberos principal TGT to the ticket cache in which the hadoop client code uses to acquire service tickets for use in the cluster.

What if I created an application that used the hadoop API to communicate with hdfs and/or mapred protocols, is there a programmatic way to inform hadoop to use a particular Kerberos principal name with a keytab that contains its password key? I didn't see a way to integrate with JAAS KrbLoginModule. I was thinking that if I could inject a callbackHandler, I could pass the principal name and the KrbLoginModule already has options to specify keytab. Is this something that is possible? Or is this just not the right way to do things?

I read about impersonation where authentication is performed with a system user such as oozie and then it just impersonates other users so that permissions are based on the impersonated user instead of the system user.

Please help me understand my options for executing hadoop tasks in a multi-tenant application.

Thank you!

Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704
hadoop security API (repost)
Hi, The security documentation specifies how to test a secure cluster by using kinit and thus adding the Kerberos principal TGT to the ticket cache in which the hadoop client code uses to acquire service tickets for use in the cluster. What if I created an application that used the hadoop API to communicate with hdfs and/or mapred protocols, is there a programmatic way to inform hadoop to use a particular Kerberos principal name with a keytab that contains its password key? I didn't see a way to integrate with JAAS KrbLoginModule. I was thinking that if I could inject a callbackHandler, I could pass the principal name and the KrbLoginModule already has options to specify keytab. Is this something that is possible? Or is this just not the right way to do things? I read about impersonation where authentication is performed with a system user such as oozie and then it just impersonates other users so that permissions are based on the impersonated user instead of the system user. Please help me understand my options for executing hadoop tasks in a multi-tenant application. Thank you!
RE: hadoop kerberos security / unix kdc
I have been looking at this for 2 days now with no avail... does anyone know why I would be getting a checksum error when I have validated my keys.

I actually deleted my service principals from kdc DB and added them back with a human readable password instead of random key. I regenerated my keytab with those service principal. From namenode, I am able to kinit to the kdc with and without the keytab. However, when I start the namenode, I still get checksum. I even tried a different kdc (older 1.8 instead of new 1.9.1) and received the same exception. It has to be something simple, but I just can't figure it out. If anyone has any ideas please let me know.

The latest traces are as follows:

Found key for host/rdcesx10030.race.sas@obsidian.sas.com(23)
Found key for host/rdcesx10030.race.sas@obsidian.sas.com(18)
Found ticket for host/rdcesx10030.race.sas@obsidian.sas.com to go to krbtgt/obsidian.sas@obsidian.sas.com expiring on Mon Jul 02 00:33:02 EDT 2012
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for host/rdcesx10030.race.sas@obsidian.sas.com to go to krbtgt/obsidian.sas@obsidian.sas.com expiring on Mon Jul 02 00:33:02 EDT 2012
Service ticket not found in the subject
Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17 18.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
Checksum failed !
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=cikdc.unx.sas.com UDP:88, timeout=3, number of retries =3, #bytes=716
KDCCommunication: kdc=cikdc.unx.sas.com UDP:88, timeout=3,Attempt =1, #bytes=716
12/07/01 00:33:05 INFO ipc.Server: IPC Server listener on 8020: readAndProcess threw exception javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)]. Count of bytes read: 0
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)]
    at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
    at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1007)
    at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1180)
    at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:537)
    at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:344)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
    ... 7 more
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:268)
    at sun.security.krb5.KrbApReq.init(KrbApReq.java:134)
    at sun.security.jgss.krb5.InitSecContextToken.init(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
    ... 10 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
    at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
    ... 16 more

Thanks!

_
From: Tony Dean
Sent: Friday, June 29, 2012 4:50 PM
To: 'common-user@hadoop.apache.org'
Subject: hadoop kerberos security / unix kdc

First, I'd like to thank the community for the time and effort they put into sharing their knowledge...

A few weeks back I was able to configure a secure hadoop/hbase cluster (MIT 1.6.1 Kerberos on cluster) using a Windows Domain Controller/AD for the KDC. I'm using hadoop 1.0.3 and hbase 0.92.1-security distributions.

Now I am trying setup my own Unix KDC (MIT 1.9.1 Kerberos) against
RE: hadoop kerberos security / unix kdc
Hadoop 1.0.3, JDK1.6.0_21 with JCE export jars for strong encryption.

-Original Message-
From: Owen O'Malley [mailto:omal...@apache.org]
Sent: Friday, June 29, 2012 5:02 PM
To: common-user@hadoop.apache.org
Subject: Re: hadoop kerberos security / unix kdc

On Fri, Jun 29, 2012 at 1:50 PM, Tony Dean tony.d...@sas.com wrote:

First, I’d like to thank the community for the time and effort they put into sharing their knowledge…

Which version of Hadoop are you running? Which JDK are you using? You probably need HDFS-2617 and JDK 1.6.0_31.

-- Owen
RE: hadoop kerberos security / unix kdc
I installed 1.6.0 update 33 ... it didn't help this situation.

-Original Message-
From: Owen O'Malley [mailto:omal...@apache.org]
Sent: Friday, June 29, 2012 5:28 PM
To: common-user@hadoop.apache.org
Subject: Re: hadoop kerberos security / unix kdc

On Fri, Jun 29, 2012 at 2:07 PM, Tony Dean tony.d...@sas.com wrote:

Hadoop 1.0.3, JDK1.6.0_21 with JCE export jars for strong encryption.

You need to move up to a JDK 1.6.0_27. I'd suggest 1.6.0_31. For details, look at: http://wiki.apache.org/hadoop/HadoopJavaVersions

-- Owen
hbase client security (cluster is secure)
Hi all,

I have created a hadoop/hbase/zookeeper cluster that is secured and verified. Now a simple test is to connect an hbase client (e.g, shell) to see its behavior.

Well, I get the following message on the hbase master: AccessControlException: authentication is required.

Looking at the code it appears that the client passed simple authentication byte in the rpc header. Why, I don't know?

My client configuration is as follows:

hbase-site.xml:

    <property>
      <name>hbase.security.authentication</name>
      <value>kerberos</value>
    </property>
    <property>
      <name>hbase.rpc.engine</name>
      <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
    </property>

hbase-env.sh:

    export HBASE_OPTS="$HBASE_OPTS -Djava.security.auth.login.config=/usr/local/hadoop/hbase/conf/hbase.jaas"

hbase.jaas:

    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=false
      useTicketCache=true
    };

I issue kinit for the client I want to use. Then invoke hbase shell. I simply issue list and see the error on the server.

Any ideas what I am doing wrong?

Thanks so much!

_
From: Tony Dean
Sent: Tuesday, June 05, 2012 5:41 PM
To: common-user@hadoop.apache.org
Subject: hadoop file permission 1.0.3 (security)

Can someone detail the options that are available to set file permissions at the hadoop and os level? Here's what I have discovered thus far:

dfs.permissions = true|false (works as advertised)
dfs.supergroup = supergroup (works as advertised)
dfs.umaskmode = umask (I believe this should be used in lieu of dfs.umask) - it appears to set the permissions for files created in hadoop fs (minus execute permission). why was dfs.umask deprecated? what's difference between the 2.
dfs.datanode.data.dir.perm = perm (not sure this is working at all?) I thought it was supposed to set permission on blks at the os level.

Are there any other file permission configuration properties?

What I would really like to do is set data blk file permissions at the os level so that the blocks can be locked down from all users except super and supergroup, but allow it to be used accessed by hadoop API as specified by hdfs permissions. Is this possible?

Thanks.

Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704
hadoop file permission 1.0.3 (security)
Can someone detail the options that are available to set file permissions at the hadoop and os level? Here's what I have discovered thus far:

dfs.permissions = true|false (works as advertised)
dfs.supergroup = supergroup (works as advertised)
dfs.umaskmode = umask (I believe this should be used in lieu of dfs.umask) - it appears to set the permissions for files created in hadoop fs (minus execute permission). why was dfs.umask deprecated? what's difference between the 2.
dfs.datanode.data.dir.perm = perm (not sure this is working at all?) I thought it was supposed to set permission on blks at the os level.

Are there any other file permission configuration properties?

What I would really like to do is set data blk file permissions at the os level so that the blocks can be locked down from all users except super and supergroup, but allow it to be used accessed by hadoop API as specified by hdfs permissions. Is this possible?

Thanks.

Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704
RE: datanode security (v 1.0.3)
Thank you. That did the trick.

-Original Message-
From: Sheeba George [mailto:sheeba.geo...@gmail.com]
Sent: Monday, June 04, 2012 1:29 AM
To: common-user@hadoop.apache.org
Subject: Re: datanode security (v 1.0.3)

Hi Tony,

Please take a look at https://issues.apache.org/jira/browse/HDFS-3402

The attached patch fixes the same problem.

Sheeba

On Sun, Jun 3, 2012 at 6:01 PM, Tony Dean tony.d...@sas.com wrote:

Why is there no documentation on how to run a datanode in secure mode? Or have I just missed it. I've searched and found bits and pieces, but shouldn't this information be in the security documentation?

Well, my current state is this:

1. I understand that the datanode must use ports < 1k so it must run the threads doing this work as root.
2. I set an environment variable: HADOOP_SECURE_DN_USER so that the datanode can switch to this user for normal work.
3. This keeps me from getting the Cannot start secure cluster without privileged resources message.
4. But, now I'm getting

    03/06/2012 18:20:08 3809 jsvc.amd64 error: Invalid option -server
    03/06/2012 18:20:08 3809 jsvc.amd64 error: Cannot parse command line arguments

Does anyone know how to get this to work? I'm new to Hadoop/HBase, but the security documentation or lack thereof is a big turnoff thus far. I really appreciate any guidance here.

Thanks!

*Tony Dean*
*SAS Institute Inc.*
*Senior Software Developer*
*919-531-6704*

--
Sheeba Ann George
how to run datanode in secure mode?
Why is there no documentation on how to run a datanode in secure mode? Or have I just missed it. I've searched and found bits and pieces, but shouldn't this information be in the security documentation? Is security built into the documentation as well as the code!

Well, my current state is this:

1. I understand that the datanode must use ports < 1k so it must run the threads doing this work as root.
2. I set an environment variable: HADOOP_SECURE_DN_USER so that the datanode can switch to this user for normal work.
3. This keeps me from getting the Cannot start secure cluster without privileged resources message.
4. But, now I'm getting

    03/06/2012 18:20:08 3809 jsvc.amd64 error: Invalid option -server
    03/06/2012 18:20:08 3809 jsvc.amd64 error: Cannot parse command line arguments

Does anyone know how to get this to work? I'm new to Hadoop/HBase, but the security documentation or lack thereof is a big turnoff. I really appreciate any guidance here.

Thanks!

Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704
datanode security (v 1.0.3)
Why is there no documentation on how to run a datanode in secure mode? Or have I just missed it. I've searched and found bits and pieces, but shouldn't this information be in the security documentation?

Well, my current state is this:

1. I understand that the datanode must use ports < 1k so it must run the threads doing this work as root.
2. I set an environment variable: HADOOP_SECURE_DN_USER so that the datanode can switch to this user for normal work.
3. This keeps me from getting the Cannot start secure cluster without privileged resources message.
4. But, now I'm getting

    03/06/2012 18:20:08 3809 jsvc.amd64 error: Invalid option -server
    03/06/2012 18:20:08 3809 jsvc.amd64 error: Cannot parse command line arguments

Does anyone know how to get this to work? I'm new to Hadoop/HBase, but the security documentation or lack thereof is a big turnoff thus far. I really appreciate any guidance here.

Thanks!

Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704
RE: datanode security (v 1.0.3)
sending again due to smtp failure.

_
From: Tony Dean
Sent: Sunday, June 03, 2012 9:02 PM
To: 'core-u...@hadoop.apache.org'
Subject: datanode security (v 1.0.3)

Why is there no documentation on how to run a datanode in secure mode? Or have I just missed it. I've searched and found bits and pieces, but shouldn't this information be in the security documentation?

Well, my current state is this:

1. I understand that the datanode must use ports < 1k so it must run the threads doing this work as root.
2. I set an environment variable: HADOOP_SECURE_DN_USER so that the datanode can switch to this user for normal work.
3. This keeps me from getting the Cannot start secure cluster without privileged resources message.
4. But, now I'm getting

    03/06/2012 18:20:08 3809 jsvc.amd64 error: Invalid option -server
    03/06/2012 18:20:08 3809 jsvc.amd64 error: Cannot parse command line arguments

Does anyone know how to get this to work? I'm new to Hadoop/HBase, but the security documentation or lack thereof is a big turnoff thus far. I really appreciate any guidance here.

Thanks!

Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704