When Kerberos is activated for your HDFS filesystem, the PXF Service, as an HDFS client, requires a principal and keytab file to authenticate access to HDFS. To read or write files on a secure HDFS, you must create and deploy Kerberos principals and keytabs for PXF, and ensure that Kerberos authentication is activated and functioning.
PXF accesses a secured Hadoop cluster on behalf of Greenplum Database end users. Impersonation is a way to present a Greenplum end user identity to a remote system. You can achieve this on a secured Hadoop cluster with PXF by configuring a Hadoop proxy user or using Kerberos constrained delegation.
The identity with which PXF accesses a Kerberos-secured Hadoop depends on the settings of the following properties:
Property | Description | Default Value |
---|---|---|
pxf.service.kerberos.principal | The PXF Kerberos principal name. | gpadmin/[email protected] |
pxf.service.user.impersonation | Activates/deactivates Greenplum Database user impersonation on the remote system. | true |
pxf.service.kerberos.constrained-delegation | Activates/deactivates usage of Kerberos constrained delegation based on S4U Kerberos extensions. This option allows Hadoop administrators to avoid creating a proxy user configuration in Hadoop, instead requiring them to perform delegation configuration in an Active Directory (AD) or Identity Policy Audit (IPA) server. | false |
pxf.service.user.name | (Optional) The user name with which PXF connects to a remote Kerberos-secured cluster if user impersonation is deactivated and using the pxf.service.kerberos.principal is not desired. |
None |
You configure these setting for a Hadoop PXF server via the pxf-site.xml
configuration file. Refer to About the pxf-site.xml Configuration File for more information about the configuration properties in this file.
Note: PXF supports simultaneous access to multiple Kerberos-secured Hadoop clusters.
Kerberos constrained delegation is a feature that allows an administrator to specify trust boundaries that restrict the scope of where an application can act on behalf of a user. You may choose to configure PXF to use Kerberos constrained delegation when you want to manage user impersonation privileges in a directory service without the need to specify a proxy Hadoop user. Refer to the Microsoft Service for User (S4U) Kerberos protocol extension documentation for more information about Kerberos constrained delegation.
When your AD or IPA server is configured appropriately and you activate Kerberos constrained delegation for PXF, the PXF service requests and obtains a Kerberos ticket on behalf of the user, and uses the ticket to access the HDFS file system. PXF caches the ticket for one day.
PXF supports Kerberos Constrained Delegation only when you use the hdfs:*
or hive:*
profiles to access data residing in a Kerberos-secured Hadoop cluster.
By default, Kerberos constrained delegation is deactivated for PXF. To activate Kerberos constrained delegation for a specific PXF server, you must set pxf.service.kerberos-constrained.delegation
to true
in the server’s pxf-site.xml
configuration file.
Before you configure PXF for access to a secure HDFS filesystem, ensure that you have:
Identified whether or not you plan to have PXF use Kerberos constrained delegation to access Hadoop.
Configured a PXF server for the Hadoop cluster, and can identify the server configuration name.
Configured and started PXF as described in Configuring PXF.
Verified that Kerberos is activated for your Hadoop cluster.
Verified that the HDFS configuration parameter dfs.block.access.token.enable
is set to true
. You can find this setting in the hdfs-site.xml
configuration file on a host in your Hadoop cluster.
Noted the host name or IP address of each Greenplum Database host (<gphost>) and the Kerberos Key Distribution Center (KDC) <kdc-server> host.
Noted the name of the Kerberos <realm> in which your cluster resides.
Installed the Kerberos client packages on each Greenplum Database host if they are not already installed. You must have superuser permissions to install operating system packages. For example:
root@gphost$ rpm -qa | grep krb
root@gphost$ yum install krb5-libs krb5-workstation
Ensure that you meet these additional prerequisites when PXF uses Kerberos constrained delegation:
S4U is activated in the AD or IPA server.
The AD or IPA server is configured to allow the PXF Kerberos principal to impersonate end users.
The following scenarios describe the use cases and configuration required when you use PXF to access a Kerberos-secured Hadoop cluster.
Note: These scenarios assume that gpadmin
is the PXF process owner.
In this configuration, PXF accesses Hadoop as the Greenplum user proxied by the Kerberos principal. The Kerberos principal is the Hadoop proxy user and accesses Hadoop as the Greenplum user.
This is the default configuration for a Hadoop PXF server.
The following table identifies the impersonation and service user settings, and the PXF and Hadoop configuration required for this use case:
Impersonation | Service User | PXF Configuration | Hadoop Configuration |
---|---|---|---|
true | Greenplum user | Perform the Configuration Procedure in this topic. | Set the Kerberos principal as the Hadoop proxy user as described in Configure Hadoop Proxying. |
In this configuration, PXF uses Kerberos constrained delegation to request and obtain a ticket on behalf of the Greenplum user, and uses the ticket to access Hadoop.
The following table identifies the impersonation and service user settings, and the PXF and directory service configuration required for this use case; no Hadoop configuration is required:
Impersonation | Service User | PXF Configuration | AD/IPA Config |
---|---|---|---|
true | Greenplum user | Set up the PXF Kerberos principal, keytab files, and related settings in pxf-site.xml as described in the Configuration Procedure in this topic, and Activate Kerberos Constrained Delegation. |
Configure AD or IPA to provide the PXF Kerberos principal with the delegation rights for the Greenplum end users. |
In this configuration, PXF accesses Hadoop as the Kerberos principal. A query initiated by any Greenplum user appears on the Hadoop side as originating from the Kerberos principal.
The following table identifies the impersonation and service user settings, and the PXF and Hadoop configuration required for this use case:
Impersonation | Service User | PXF Configuration | Hadoop Configuration |
---|---|---|---|
false | Identity of the Kerberos principal | Perform the Configuration Procedure in this topic, and then turn off user impersonation as described in Configure PXF User Impersonation. | None required. |
In this configuration, PXF accesses Hadoop as a <custom> user (for example, hive
). The Kerberos principal is the Hadoop proxy user. A query initiated by any Greenplum user appears on the Hadoop side as originating from the <custom> user.
The following table identifies the impersonation and service user settings, and the PXF and Hadoop configuration required for this use case:
Impersonation | Service User | PXF Configuration | Hadoop Configuration |
---|---|---|---|
false | <custom> | Perform the Configuration Procedure in this topic, turn off user impersonation as described in Configure PXF User Impersonation, and Configure the Hadoop User to the <custom> user name. | Set the Kerberos principal as the Hadoop proxy user as described in Configure Hadoop Proxying. |
Note: PXF does not support accessing a Kerberos-secured Hadoop cluster with a <custom> user impersonating Greenplum users. PXF requires that you impersonate Greenplum users using the Kerberos principal.
In this configuration, PXF uses Kerberos constrained delegation to request and obtain a ticket on behalf of a <custom> user, and uses the ticket to access Hadoop.
The following table identifies the impersonation and service user settings, and the PXF and directory service configuration required for this use case; no Hadoop configuration is required:
Impersonation | Service User | PXF Configuration | AD/IPA Config |
---|---|---|---|
false | <custom> | Set up the PXF Kerberos principal, keytab files, and related settings in pxf-site.xml as described in the Configuration Procedure in this topic, deactivate impersonation as described in Configure PXF User Impersonation, Activate Kerberos Constrained Delegation, and Configure the Hadoop User to the <custom> user name. |
Configure AD or IPA to provide the PXF Kerberos principal with the delegation rights for the <custom> user name. |
There are different procedures for configuring PXF for secure HDFS with a Microsoft Active Directory KDC Server vs. with an MIT Kerberos KDC Server.
When you configure PXF for secure HDFS using an AD Kerberos KDC server, you will perform tasks on both the KDC server host and the Greenplum Database master host.
Perform the following steps to configure the Active Directory domain controller:
ServiceGreenplumPROD1
, and change the login name to gpadmin
. Note that the login name should be in compliance with POSIX standard and match hadoop.proxyuser.<name>.hosts/groups
in the Hadoop core-site.xml
and the Kerberos principal.Open Powershell or a command prompt and run the ktpass
command to generate the keytab file. For example:
powershell#>ktpass -out pxf.service.keytab -princ [email protected] -mapUser ServiceGreenplumPROD1 -pass ******* -crypto all -ptype KRB5_NT_PRINCIPAL
With Active Directory, the principal and the keytab file are shared by all Greenplum Database hosts.
Copy the pxf.service.keytab
file to the Greenplum master host.
Perform the following procedure on the Greenplum Database master host:
Log in to the Greenplum Database master host. For example:
$ ssh gpadmin@<gpmaster>
Identify the name of the PXF Hadoop server configuration, and navigate to the server configuration directory. For example, if the server is named hdp3
:
gpadmin@gpmaster$ cd $PXF_BASE/servers/hdp3
If the server configuration does not yet include a pxf-site.xml
file, copy the template file to the directory. For example:
gpadmin@gpmaster$ cp <PXF_INSTALL_DIR>/templates/pxf-site.xml .
Open the pxf-site.xml
file in the editor of your choice, and update the keytab and principal property settings, if required. Specify the location of the keytab file and the Kerberos principal, substituting your realm. For example:
<property>
<name>pxf.service.kerberos.principal</name>
<value>[email protected]</value>
</property>
<property>
<name>pxf.service.kerberos.keytab</name>
<value>${pxf.conf}/keytabs/pxf.service.keytab</value>
</property>
Save the file and exit the editor.
Synchronize the keytabs in $PXF_BASE
. You must distribute the keytab file to $PXF_BASE/keytabs/
. Locate the keytab file, copy the file to the $PXF_BASE
runtime configuration directory, and set required permissions. For example:
gpadmin@gpmaster$ gpscp -f hostfile_all pxf.service.keytab =:$PXF_BASE/keytabs/
gpadmin@gpmaster$ gpssh -f hostfile_all chmod 400 $PXF_BASE/keytabs/pxf.service.keytab
Complete the PXF Configuration based on your chosen Hadoop access scenario.
When you configure PXF for secure HDFS using an MIT Kerberos KDC server, you will perform tasks on both the KDC server host and the Greenplum Database master host.
Perform the following steps on the MIT Kerberos KDC server host:
Log in to the Kerberos KDC server as the root
user.
$ ssh root@<kdc-server>
root@kdc-server$
Distribute the /etc/krb5.conf
Kerberos configuration file on the KDC server host to each host in your Greenplum Database cluster if not already present. For example:
root@kdc-server$ scp /etc/krb5.conf <gphost>:/etc/krb5.conf
Use the kadmin.local
command to create a Kerberos PXF Service principal for each Greenplum Database host. The service principal should be of the form gpadmin/<gphost>@<realm>
where <gphost> is the DNS resolvable, fully-qualified hostname of the host system (output of the hostname -f
command).
For example, these commands create Kerberos PXF Service principals for the hosts named host1.example.com, host2.example.com, and host3.example.com in the Kerberos realm named EXAMPLE.COM
:
root@kdc-server$ kadmin.local -q "addprinc -randkey -pw changeme gpadmin/[email protected]"
root@kdc-server$ kadmin.local -q "addprinc -randkey -pw changeme gpadmin/[email protected]"
root@kdc-server$ kadmin.local -q "addprinc -randkey -pw changeme gpadmin/[email protected]"
Generate a keytab file for each PXF Service principal that you created in the previous step. Save the keytab files in any convenient location (this example uses the directory /etc/security/keytabs
). You will deploy the keytab files to their respective Greenplum Database host machines in a later step. For example:
root@kdc-server$ kadmin.local -q "xst -norandkey -k /etc/security/keytabs/pxf-host1.service.keytab gpadmin/[email protected]"
root@kdc-server$ kadmin.local -q "xst -norandkey -k /etc/security/keytabs/pxf-host2.service.keytab gpadmin/[email protected]"
root@kdc-server$ kadmin.local -q "xst -norandkey -k /etc/security/keytabs/pxf-host3.service.keytab gpadmin/[email protected]"
Repeat the xst
command as necessary to generate a keytab for each PXF Service principal that you created in the previous step.
List the principals. For example:
root@kdc-server$ kadmin.local -q "listprincs"
Copy the keytab file for each PXF Service principal to its respective host. For example, the following commands copy each principal generated in step 4 to the PXF default keytab directory on the host when PXF_BASE=/usr/local/pxf-gp6
:
root@kdc-server$ scp /etc/security/keytabs/pxf-host1.service.keytab host1.example.com:/usr/local/pxf-gp6/keytabs/pxf.service.keytab
root@kdc-server$ scp /etc/security/keytabs/pxf-host2.service.keytab host2.example.com:/usr/local/pxf-gp6/keytabs/pxf.service.keytab
root@kdc-server$ scp /etc/security/keytabs/pxf-host3.service.keytab host3.example.com:/usr/local/pxf-gp6/keytabs/pxf.service.keytab
Note the file system location of the keytab file on each PXF host; you will need this information for a later configuration step.
Change the ownership and permissions on the pxf.service.keytab
files. The files must be owned and readable by only the gpadmin
user. For example:
root@kdc-server$ ssh host1.example.com chown gpadmin:gpadmin /usr/local/pxf-gp6/keytabs/pxf.service.keytab
root@kdc-server$ ssh host1.example.com chmod 400 /usr/local/pxf-gp6/keytabs/pxf.service.keytab
root@kdc-server$ ssh host2.example.com chown gpadmin:gpadmin /usr/local/pxf-gp6/keytabs/pxf.service.keytab
root@kdc-server$ ssh host2.example.com chmod 400 /usr/local/pxf-gp6/keytabs/pxf.service.keytab
root@kdc-server$ ssh host3.example.com chown gpadmin:gpadmin /usr/local/pxf-gp6/keytabs/pxf.service.keytab
root@kdc-server$ ssh host3.example.com chmod 400 /usr/local/pxf-gp6/keytabs/pxf.service.keytab
Perform the following steps on the Greenplum Database master host:
Log in to the master host. For example:
$ ssh gpadmin@<gpmaster>
Identify the name of the PXF Hadoop server configuration that requires Kerberos access.
Navigate to the server configuration directory. For example, if the server is named hdp3
:
gpadmin@gpmaster$ cd $PXF_BASE/servers/hdp3
If the server configuration does not yet include a pxf-site.xml
file, copy the template file to the directory. For example:
gpadmin@gpmaster$ cp <PXF_INSTALL_DIR>/templates/pxf-site.xml .
Open the pxf-site.xml
file in the editor of your choice, and update the keytab and principal property settings, if required. Specify the location of the keytab file and the Kerberos principal, substituting your realm. The default values for these settings are identified below:
<property>
<name>pxf.service.kerberos.principal</name>
<value>gpadmin/[email protected]</value>
</property>
<property>
<name>pxf.service.kerberos.keytab</name>
<value>${pxf.conf}/keytabs/pxf.service.keytab</value>
</property>
PXF automatically replaces _HOST
with the FQDN of the host.
Complete the PXF Configuration based on your chosen Hadoop access scenario.
On the Greenplum Database master host, complete the configuration of the PXF server based on your chosen Hadoop access scenario. Choose one, as these are mutually exclusive:
If you want to access Hadoop as the Greenplum Database user:
gpadmin/[email protected]
, configure proxying for the Hadoop user gpadmin
.If you want to access Hadoop using the identity of the Kerberos principal, deactivate user impersonation as described in Configure PXF User Impersonation.
If you want to access Hadoop as a custom user:
gpadmin/[email protected]
, configure proxying for the Hadoop user gpadmin
.Synchronize the PXF configuration to your Greenplum Database cluster:
gpadmin@gpmaster$ pxf cluster sync
By default, Kerberos constrained delegation is deactivated for PXF. Perform the following procedure to configure Kerberos constrained delegation for a PXF server:
Log in to your Greenplum Database master host as the administrative user:
$ ssh gpadmin@<gpmaster>
Identify the name of the Hadoop PXF server configuration that you want to update.
Navigate to the server configuration directory. For example, if the server is named hdp3
:
gpadmin@gpmaster$ cd $PXF_BASE/servers/hdp3
If the server configuration does not yet include a pxf-site.xml
file, copy the template file to the directory. For example:
gpadmin@gpmaster$ cp <PXF_INSTALL_DIR>/templates/pxf-site.xml .
Open the pxf-site.xml
file in the editor of your choice, locate the pxf.service.kerberos-constrained.delegation
property, and set it as follows:
<property>
<name>pxf.service.kerberos-constrained.delegation</name>
<value>true</value>
</property>
Save the pxf-site.xml
file and exit the editor.
Use the pxf cluster sync
command to synchronize the PXF Hadoop server configuration to your Greenplum Database cluster:
gpadmin@gpmaster$ pxf cluster sync