Home Verkennen Help
Registreren Inloggen
liuzhangxing
/
hadoop
geforked van apache/hadoop
1
0
Vork 0
Bestanden
Boom: 6338ce3ae8
Aftakkingen Labels
hadoop
/
hadoop-common-project
/
hadoop-common
/
src
/
site
/
apt
/
SecureMode.apt.vm

SecureMode.apt.vm 36 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689 
  1. ~~ Licensed under the Apache License, Version 2.0 (the "License");
    2. 

  2. ~~ you may not use this file except in compliance with the License.
    3. 

  3. ~~ You may obtain a copy of the License at
    4. 

  4. ~~
    5. 

  5. ~~   http://www.apache.org/licenses/LICENSE-2.0
    6. 

  6. ~~
    7. 

  7. ~~ Unless required by applicable law or agreed to in writing, software
    8. 

  8. ~~ distributed under the License is distributed on an "AS IS" BASIS,
    9. 

  9. ~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    10. 

  10. ~~ See the License for the specific language governing permissions and
    11. 

  11. ~~ limitations under the License. See accompanying LICENSE file.
    12. 

  12. 

  13.   ---
    14. 

  14.   Hadoop in Secure Mode
    15. 

  15.   ---
    16. 

  16.   ---
    17. 

  17.   ${maven.build.timestamp}
    18. 

  18. 

  19. %{toc|section=0|fromDepth=0|toDepth=3}
    20. 

  20. 

  21. Hadoop in Secure Mode
    22. 

  22. 

  23. * Introduction
    24. 

  24. 

  25.   This document describes how to configure authentication for Hadoop in
    26. 

  26.   secure mode.
    27. 

  27. 

  28.   By default Hadoop runs in non-secure mode in which no actual
    29. 

  29.   authentication is required.
    30. 

  30.   By configuring Hadoop runs in secure mode,
    31. 

  31.   each user and service needs to be authenticated by Kerberos
    32. 

  32.   in order to use Hadoop services.
    33. 

  33. 

  34.   Security features of Hadoop consist of
    35. 

  35.   {{{Authentication}authentication}},
    36. 

  36.   {{{./ServiceLevelAuth.html}service level authorization}},
    37. 

  37.   {{{./HttpAuthentication.html}authentication for Web consoles}}
    38. 

  38.   and {{{Data confidentiality}data confidenciality}}.
    39. 

  39. 

  40. 

  41. * Authentication
    42. 

  42. 

  43. ** End User Accounts
    44. 

  44. 

  45.   When service level authentication is turned on,
    46. 

  46.   end users using Hadoop in secure mode needs to be authenticated by Kerberos.
    47. 

  47.   The simplest way to do authentication is using <<<kinit>>> command of Kerberos.
    48. 

  48. 

  49. ** User Accounts for Hadoop Daemons
    50. 

  50. 

  51.   Ensure that HDFS and YARN daemons run as different Unix users,
    52. 

  52.   e.g. <<<hdfs>>> and <<<yarn>>>.
    53. 

  53.   Also, ensure that the MapReduce JobHistory server runs as
    54. 

  54.   different user such as <<<mapred>>>.
    55. 

  55. 

  56.   It's recommended to have them share a Unix group, for e.g. <<<hadoop>>>.
    57. 

  57.   See also "{{Mapping from user to group}}" for group management.
    58. 

  58. 

  59. *---------------+----------------------------------------------------------------------+
    60. 

  60. || User:Group   || Daemons                                                             |
    61. 

  61. *---------------+----------------------------------------------------------------------+
    62. 

  62. | hdfs:hadoop   | NameNode, Secondary NameNode, JournalNode, DataNode                  |
    63. 

  63. *---------------+----------------------------------------------------------------------+
    64. 

  64. | yarn:hadoop   | ResourceManager, NodeManager                                         |
    65. 

  65. *---------------+----------------------------------------------------------------------+
    66. 

  66. | mapred:hadoop | MapReduce JobHistory Server                                          |
    67. 

  67. *---------------+----------------------------------------------------------------------+
    68. 

  68. 

  69. ** Kerberos principals for Hadoop Daemons and Users
    70. 

  70. 

  71.   For running hadoop service daemons in  Hadoop in secure mode,
    72. 

  72.   Kerberos principals are required.
    73. 

  73.   Each service reads auhenticate information saved in keytab file with appropriate permission.
    74. 

  74. 

  75.   HTTP web-consoles should be served by principal different from RPC's one.
    76. 

  76. 

  77.   Subsections below shows the examples of credentials for Hadoop services.
    78. 

  78. 

  79. *** HDFS
    80. 

  80. 

  81.     The NameNode keytab file, on the NameNode host, should look like the
    82. 

  82.     following:
    83. 

  83. 

  84. ----
    85. 

  85. $ klist -e -k -t /etc/security/keytab/nn.service.keytab
    86. 

  86. Keytab name: FILE:/etc/security/keytab/nn.service.keytab
    87. 

  87. KVNO Timestamp         Principal
    88. 

  88.    4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    89. 

  89.    4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    90. 

  90.    4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    91. 

  91.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    92. 

  92.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    93. 

  93.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    94. 

  94. ----
    95. 

  95. 

  96.     The Secondary NameNode keytab file, on that host, should look like the
    97. 

  97.     following:
    98. 

  98. 

  99. ----
    100. 

  100. $ klist -e -k -t /etc/security/keytab/sn.service.keytab
    101. 

  101. Keytab name: FILE:/etc/security/keytab/sn.service.keytab
    102. 

  102. KVNO Timestamp         Principal
    103. 

  103.    4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    104. 

  104.    4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    105. 

  105.    4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    106. 

  106.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    107. 

  107.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    108. 

  108.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    109. 

  109. ----
    110. 

  110. 

  111.     The DataNode keytab file, on each host, should look like the following:
    112. 

  112. 

  113. ----
    114. 

  114. $ klist -e -k -t /etc/security/keytab/dn.service.keytab
    115. 

  115. Keytab name: FILE:/etc/security/keytab/dn.service.keytab
    116. 

  116. KVNO Timestamp         Principal
    117. 

  117.    4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    118. 

  118.    4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    119. 

  119.    4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    120. 

  120.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    121. 

  121.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    122. 

  122.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    123. 

  123. ----
    124. 

  124. 

  125. *** YARN
    126. 

  126. 

  127.     The ResourceManager keytab file, on the ResourceManager host, should look
    128. 

  128.     like the following:
    129. 

  129. 

  130. ----
    131. 

  131. $ klist -e -k -t /etc/security/keytab/rm.service.keytab
    132. 

  132. Keytab name: FILE:/etc/security/keytab/rm.service.keytab
    133. 

  133. KVNO Timestamp         Principal
    134. 

  134.    4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    135. 

  135.    4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    136. 

  136.    4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    137. 

  137.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    138. 

  138.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    139. 

  139.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    140. 

  140. ----
    141. 

  141. 

  142.     The NodeManager keytab file, on each host, should look like the following:
    143. 

  143. 

  144. ----
    145. 

  145. $ klist -e -k -t /etc/security/keytab/nm.service.keytab
    146. 

  146. Keytab name: FILE:/etc/security/keytab/nm.service.keytab
    147. 

  147. KVNO Timestamp         Principal
    148. 

  148.    4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    149. 

  149.    4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    150. 

  150.    4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    151. 

  151.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    152. 

  152.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    153. 

  153.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    154. 

  154. ----
    155. 

  155. 

  156. *** MapReduce JobHistory Server
    157. 

  157. 

  158.     The MapReduce JobHistory Server keytab file, on that host, should look
    159. 

  159.     like the following:
    160. 

  160. 

  161. ----
    162. 

  162. $ klist -e -k -t /etc/security/keytab/jhs.service.keytab
    163. 

  163. Keytab name: FILE:/etc/security/keytab/jhs.service.keytab
    164. 

  164. KVNO Timestamp         Principal
    165. 

  165.    4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    166. 

  166.    4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    167. 

  167.    4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    168. 

  168.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    169. 

  169.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    170. 

  170.    4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
    171. 

  171. ----
    172. 

  172. 

  173. ** Mapping from Kerberos principal to OS user account
    174. 

  174. 

  175.   Hadoop maps Kerberos principal to OS user account using
    176. 

  176.   the rule specified by <<<hadoop.security.auth_to_local>>>
    177. 

  177.   which works in the same way as the <<<auth_to_local>>> in
    178. 

  178.   {{{http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html}Kerberos configuration file (krb5.conf)}}.
    179. 

  179.   In addition, Hadoop <<<auth_to_local>>> mapping supports the <</L>> flag that
    180. 

  180.   lowercases the returned name.
    181. 

  181. 

  182.   By default, it picks the first component of principal name as a user name
    183. 

  183.   if the realms matches to the <<<default_realm>>> (usually defined in /etc/krb5.conf).
    184. 

  184.   For example, <<<host/full.qualified.domain.name@REALM.TLD>>> is mapped to <<<host>>>
    185. 

  185.   by default rule.
    186. 

  186. 

  187. ** Mapping from user to group
    188. 

  188. 

  189.   Though files on HDFS are associated to owner and group,
    190. 

  190.   Hadoop does not have the definition of group by itself.
    191. 

  191.   Mapping from user to group is done by OS or LDAP.
    192. 

  192. 

  193.   You can change a way of mapping by
    194. 

  194.   specifying the name of mapping provider as a value of
    195. 

  195.   <<<hadoop.security.group.mapping>>>
    196. 

  196.   See {{{../hadoop-hdfs/HdfsPermissionsGuide.html}HDFS Permissions Guide}} for details.
    197. 

  197. 

  198.   Practically you need to manage SSO environment using Kerberos with LDAP
    199. 

  199.   for Hadoop in secure mode.
    200. 

  200. 

  201. ** Proxy user
    202. 

  202. 

  203.   Some products such as Apache Oozie which access the services of Hadoop
    204. 

  204.   on behalf of end users need to be able to impersonate end users.
    205. 

  205.   See {{{./Superusers.html}the doc of proxy user}} for details.
    206. 

  206. 

  207. ** Secure DataNode
    208. 

  208. 

  209.   Because the data transfer protocol of DataNode
    210. 

  210.   does not use the RPC framework of Hadoop,
    211. 

  211.   DataNode must authenticate itself by
    212. 

  212.   using privileged ports which are specified by
    213. 

  213.   <<<dfs.datanode.address>>> and <<<dfs.datanode.http.address>>>.
    214. 

  214.   This authentication is based on the assumption
    215. 

  215.   that the attacker won't be able to get root privileges.
    216. 

  216. 

  217.   When you execute <<<hdfs datanode>>> command as root,
    218. 

  218.   server process binds privileged port at first,
    219. 

  219.   then drops privilege and runs as the user account specified by
    220. 

  220.   <<<HADOOP_SECURE_DN_USER>>>.
    221. 

  221.   This startup process uses jsvc installed to <<<JSVC_HOME>>>.
    222. 

  222.   You must specify <<<HADOOP_SECURE_DN_USER>>> and <<<JSVC_HOME>>>
    223. 

  223.   as environment variables on start up (in hadoop-env.sh).
    224. 

  224. 

  225.   As of version 2.6.0, SASL can be used to authenticate the data transfer
    226. 

  226.   protocol.  In this configuration, it is no longer required for secured clusters
    227. 

  227.   to start the DataNode as root using jsvc and bind to privileged ports.  To
    228. 

  228.   enable SASL on data transfer protocol, set <<<dfs.data.transfer.protection>>>
    229. 

  229.   in hdfs-site.xml, set a non-privileged port for <<<dfs.datanode.address>>>, set
    230. 

  230.   <<<dfs.http.policy>>> to <HTTPS_ONLY> and make sure the
    231. 

  231.   <<<HADOOP_SECURE_DN_USER>>> environment variable is not defined.  Note that it
    232. 

  232.   is not possible to use SASL on data transfer protocol if
    233. 

  233.   <<<dfs.datanode.address>>> is set to a privileged port.  This is required for
    234. 

  234.   backwards-compatibility reasons.
    235. 

  235. 

  236.   In order to migrate an existing cluster that used root authentication to start
    237. 

  237.   using SASL instead, first ensure that version 2.6.0 or later has been deployed
    238. 

  238.   to all cluster nodes as well as any external applications that need to connect
    239. 

  239.   to the cluster.  Only versions 2.6.0 and later of the HDFS client can connect
    240. 

  240.   to a DataNode that uses SASL for authentication of data transfer protocol, so
    241. 

  241.   it is vital that all callers have the correct version before migrating.  After
    242. 

  242.   version 2.6.0 or later has been deployed everywhere, update configuration of
    243. 

  243.   any external applications to enable SASL.  If an HDFS client is enabled for
    244. 

  244.   SASL, then it can connect successfully to a DataNode running with either root
    245. 

  245.   authentication or SASL authentication.  Changing configuration for all clients
    246. 

  246.   guarantees that subsequent configuration changes on DataNodes will not disrupt
    247. 

  247.   the applications.  Finally, each individual DataNode can be migrated by
    248. 

  248.   changing its configuration and restarting.  It is acceptable to have a mix of
    249. 

  249.   some DataNodes running with root authentication and some DataNodes running with
    250. 

  250.   SASL authentication temporarily during this migration period, because an HDFS
    251. 

  251.   client enabled for SASL can connect to both.
    252. 

  252. 

  253. * Data confidentiality
    254. 

  254. 

  255. ** Data Encryption on RPC
    256. 

  256. 

  257.   The data transfered between hadoop services and clients.
    258. 

  258.   Setting <<<hadoop.rpc.protection>>> to <<<"privacy">>> in the core-site.xml
    259. 

  259.   activate data encryption.
    260. 

  260. 

  261. ** Data Encryption on Block data transfer.
    262. 

  262. 

  263.   You need to set <<<dfs.encrypt.data.transfer>>> to <<<"true">>> in the hdfs-site.xml
    264. 

  264.   in order to activate data encryption for data transfer protocol of DataNode.
    265. 

  265. 

  266.   Optionally, you may set <<<dfs.encrypt.data.transfer.algorithm>>> to either
    267. 

  267.   "3des" or "rc4" to choose the specific encryption algorithm.  If unspecified,
    268. 

  268.   then the configured JCE default on the system is used, which is usually 3DES.
    269. 

  269. 

  270.   Setting <<<dfs.encrypt.data.transfer.cipher.suites>>> to
    271. 

  271.   <<<AES/CTR/NoPadding>>> activates AES encryption.  By default, this is
    272. 

  272.   unspecified, so AES is not used.  When AES is used, the algorithm specified in
    273. 

  273.   <<<dfs.encrypt.data.transfer.algorithm>>> is still used during an initial key
    274. 

  274.   exchange.  The AES key bit length can be configured by setting
    275. 

  275.   <<<dfs.encrypt.data.transfer.cipher.key.bitlength>>> to 128, 192 or 256.  The
    276. 

  276.   default is 128.
    277. 

  277. 

  278.   AES offers the greatest cryptographic strength and the best performance.  At
    279. 

  279.   this time, 3DES and RC4 have been used more often in Hadoop clusters.
    280. 

  280. 

  281. ** Data Encryption on HTTP
    282. 

  282. 

  283.   Data transfer between Web-console and clients are protected by using SSL(HTTPS).
    284. 

  284. 

  285. 

  286. * Configuration
    287. 

  287. 

  288. ** Permissions for both HDFS and local fileSystem paths
    289. 

  289. 

  290.   The following table lists various paths on HDFS and local filesystems (on
    291. 

  291.   all nodes) and recommended permissions:
    292. 

  292. 

  293. *-------------------+-------------------+------------------+------------------+
    294. 

  294. || Filesystem       || Path             || User:Group      || Permissions     |
    295. 

  295. *-------------------+-------------------+------------------+------------------+
    296. 

  296. | local | <<<dfs.namenode.name.dir>>> | hdfs:hadoop | drwx------ |
    297. 

  297. *-------------------+-------------------+------------------+------------------+
    298. 

  298. | local | <<<dfs.datanode.data.dir>>> | hdfs:hadoop | drwx------ |
    299. 

  299. *-------------------+-------------------+------------------+------------------+
    300. 

  300. | local | $HADOOP_LOG_DIR | hdfs:hadoop | drwxrwxr-x |
    301. 

  301. *-------------------+-------------------+------------------+------------------+
    302. 

  302. | local | $YARN_LOG_DIR | yarn:hadoop | drwxrwxr-x |
    303. 

  303. *-------------------+-------------------+------------------+------------------+
    304. 

  304. | local | <<<yarn.nodemanager.local-dirs>>> | yarn:hadoop | drwxr-xr-x |
    305. 

  305. *-------------------+-------------------+------------------+------------------+
    306. 

  306. | local | <<<yarn.nodemanager.log-dirs>>> | yarn:hadoop | drwxr-xr-x |
    307. 

  307. *-------------------+-------------------+------------------+------------------+
    308. 

  308. | local | container-executor | root:hadoop | --Sr-s--- |
    309. 

  309. *-------------------+-------------------+------------------+------------------+
    310. 

  310. | local | <<<conf/container-executor.cfg>>> | root:hadoop | r-------- |
    311. 

  311. *-------------------+-------------------+------------------+------------------+
    312. 

  312. | hdfs | / | hdfs:hadoop | drwxr-xr-x |
    313. 

  313. *-------------------+-------------------+------------------+------------------+
    314. 

  314. | hdfs | /tmp | hdfs:hadoop | drwxrwxrwxt |
    315. 

  315. *-------------------+-------------------+------------------+------------------+
    316. 

  316. | hdfs | /user | hdfs:hadoop | drwxr-xr-x |
    317. 

  317. *-------------------+-------------------+------------------+------------------+
    318. 

  318. | hdfs | <<<yarn.nodemanager.remote-app-log-dir>>> | yarn:hadoop | drwxrwxrwxt |
    319. 

  319. *-------------------+-------------------+------------------+------------------+
    320. 

  320. | hdfs | <<<mapreduce.jobhistory.intermediate-done-dir>>> | mapred:hadoop | |
    321. 

  321. | | | | drwxrwxrwxt |
    322. 

  322. *-------------------+-------------------+------------------+------------------+
    323. 

  323. | hdfs | <<<mapreduce.jobhistory.done-dir>>> | mapred:hadoop | |
    324. 

  324. | | | | drwxr-x--- |
    325. 

  325. *-------------------+-------------------+------------------+------------------+
    326. 

  326. 

  327. ** Common Configurations
    328. 

  328. 

  329.   In order to turn on RPC authentication in hadoop,
    330. 

  330.   set the value of <<<hadoop.security.authentication>>> property to
    331. 

  331.   <<<"kerberos">>>, and set security related settings listed below appropriately.
    332. 

  332. 

  333.   The following properties should be in the <<<core-site.xml>>> of all the
    334. 

  334.   nodes in the cluster.
    335. 

  335. 

  336. *-------------------------+-------------------------+------------------------+
    337. 

  337. || Parameter              || Value                  || Notes                 |
    338. 

  338. *-------------------------+-------------------------+------------------------+
    339. 

  339. | <<<hadoop.security.authentication>>> | <kerberos> | |
    340. 

  340. | | | <<<simple>>> : No authentication. (default) \
    341. 

  341. | | | <<<kerberos>>> : Enable authentication by Kerberos. |
    342. 

  342. *-------------------------+-------------------------+------------------------+
    343. 

  343. | <<<hadoop.security.authorization>>> | <true> | |
    344. 

  344. | | | Enable {{{./ServiceLevelAuth.html}RPC service-level authorization}}. |
    345. 

  345. *-------------------------+-------------------------+------------------------+
    346. 

  346. | <<<hadoop.rpc.protection>>> | <authentication> |
    347. 

  347. | | | <authentication> : authentication only (default) \
    348. 

  348. | | | <integrity> : integrity check in addition to authentication \
    349. 

  349. | | | <privacy> : data encryption in addition to integrity |
    350. 

  350. *-------------------------+-------------------------+------------------------+
    351. 

  351. | <<<hadoop.security.auth_to_local>>> | | |
    352. 

  352. | |  <<<RULE:>>><exp1>\
    353. 

  353. | |  <<<RULE:>>><exp2>\
    354. 

  354. | |  <...>\
    355. 

  355. | |  DEFAULT |
    356. 

  356. | | | The value is string containing new line characters.
    357. 

  357. | | | See
    358. 

  358. | | | {{{http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html}Kerberos documentation}}
    359. 

  359. | | | for format for <exp>.
    360. 

  360. *-------------------------+-------------------------+------------------------+
    361. 

  361. | <<<hadoop.proxyuser.>>><superuser><<<.hosts>>> | | |
    362. 

  362. | | | comma separated hosts from which <superuser> access are allowd to impersonation. |
    363. 

  363. | | | <<<*>>> means wildcard. |
    364. 

  364. *-------------------------+-------------------------+------------------------+
    365. 

  365. | <<<hadoop.proxyuser.>>><superuser><<<.groups>>> | | |
    366. 

  366. | | | comma separated groups to which users impersonated by <superuser> belongs. |
    367. 

  367. | | | <<<*>>> means wildcard. |
    368. 

  368. *-------------------------+-------------------------+------------------------+
    369. 

  369. Configuration for <<<conf/core-site.xml>>>
    370. 

  370. 

  371. **  NameNode
    372. 

  372. 

  373. *-------------------------+-------------------------+------------------------+
    374. 

  374. || Parameter              || Value                  || Notes                 |
    375. 

  375. *-------------------------+-------------------------+------------------------+
    376. 

  376. | <<<dfs.block.access.token.enable>>> | <true> |  |
    377. 

  377. | | | Enable HDFS block access tokens for secure operations. |
    378. 

  378. *-------------------------+-------------------------+------------------------+
    379. 

  379. | <<<dfs.https.enable>>> | <true> | |
    380. 

  380. | | | This value is deprecated. Use dfs.http.policy |
    381. 

  381. *-------------------------+-------------------------+------------------------+
    382. 

  382. | <<<dfs.http.policy>>> | <HTTP_ONLY> or <HTTPS_ONLY> or <HTTP_AND_HTTPS> | |
    383. 

  383. | | | HTTPS_ONLY turns off http access. This option takes precedence over |
    384. 

  384. | | | the deprecated configuration dfs.https.enable and hadoop.ssl.enabled. |
    385. 

  385. | | | If using SASL to authenticate data transfer protocol instead of |
    386. 

  386. | | | running DataNode as root and using privileged ports, then this property |
    387. 

  387. | | | must be set to <HTTPS_ONLY> to guarantee authentication of HTTP servers. |
    388. 

  388. | | | (See <<<dfs.data.transfer.protection>>>.)  |
    389. 

  389. *-------------------------+-------------------------+------------------------+
    390. 

  390. | <<<dfs.namenode.https-address>>> | <nn_host_fqdn:50470> | |
    391. 

  391. *-------------------------+-------------------------+------------------------+
    392. 

  392. | <<<dfs.https.port>>> | <50470> | |
    393. 

  393. *-------------------------+-------------------------+------------------------+
    394. 

  394. | <<<dfs.namenode.keytab.file>>> | </etc/security/keytab/nn.service.keytab> | |
    395. 

  395. | | | Kerberos keytab file for the NameNode. |
    396. 

  396. *-------------------------+-------------------------+------------------------+
    397. 

  397. | <<<dfs.namenode.kerberos.principal>>> | nn/_HOST@REALM.TLD | |
    398. 

  398. | | | Kerberos principal name for the NameNode. |
    399. 

  399. *-------------------------+-------------------------+------------------------+
    400. 

  400. | <<<dfs.namenode.kerberos.internal.spnego.principal>>> | HTTP/_HOST@REALM.TLD | |
    401. 

  401. | | | HTTP Kerberos principal name for the NameNode. |
    402. 

  402. *-------------------------+-------------------------+------------------------+
    403. 

  403. Configuration for <<<conf/hdfs-site.xml>>>
    404. 

  404. 

  405. **  Secondary NameNode
    406. 

  406. 

  407. *-------------------------+-------------------------+------------------------+
    408. 

  408. || Parameter              || Value                  || Notes                 |
    409. 

  409. *-------------------------+-------------------------+------------------------+
    410. 

  410. | <<<dfs.namenode.secondary.http-address>>> | <c_nn_host_fqdn:50090> | |
    411. 

  411. *-------------------------+-------------------------+------------------------+
    412. 

  412. | <<<dfs.namenode.secondary.https-port>>> | <50470> | |
    413. 

  413. *-------------------------+-------------------------+------------------------+
    414. 

  414. | <<<dfs.secondary.namenode.keytab.file>>> | | |
    415. 

  415. | | </etc/security/keytab/sn.service.keytab> | |
    416. 

  416. | | | Kerberos keytab file for the Secondary NameNode. |
    417. 

  417. *-------------------------+-------------------------+------------------------+
    418. 

  418. | <<<dfs.secondary.namenode.kerberos.principal>>> | sn/_HOST@REALM.TLD | |
    419. 

  419. | | | Kerberos principal name for the Secondary NameNode. |
    420. 

  420. *-------------------------+-------------------------+------------------------+
    421. 

  421. | <<<dfs.secondary.namenode.kerberos.internal.spnego.principal>>> | | |
    422. 

  422. | | HTTP/_HOST@REALM.TLD | |
    423. 

  423. | | | HTTP Kerberos principal name for the Secondary NameNode. |
    424. 

  424. *-------------------------+-------------------------+------------------------+
    425. 

  425. Configuration for <<<conf/hdfs-site.xml>>>
    426. 

  426. 

  427. ** DataNode
    428. 

  428. 

  429. *-------------------------+-------------------------+------------------------+
    430. 

  430. || Parameter              || Value                  || Notes                 |
    431. 

  431. *-------------------------+-------------------------+------------------------+
    432. 

  432. | <<<dfs.datanode.data.dir.perm>>> | 700 | |
    433. 

  433. *-------------------------+-------------------------+------------------------+
    434. 

  434. | <<<dfs.datanode.address>>> | <0.0.0.0:1004> | |
    435. 

  435. | | | Secure DataNode must use privileged port |
    436. 

  436. | | | in order to assure that the server was started securely. |
    437. 

  437. | | | This means that the server must be started via jsvc. |
    438. 

  438. | | | Alternatively, this must be set to a non-privileged port if using SASL |
    439. 

  439. | | | to authenticate data transfer protocol. |
    440. 

  440. | | | (See <<<dfs.data.transfer.protection>>>.)  |
    441. 

  441. *-------------------------+-------------------------+------------------------+
    442. 

  442. | <<<dfs.datanode.http.address>>> | <0.0.0.0:1006> | |
    443. 

  443. | | | Secure DataNode must use privileged port |
    444. 

  444. | | | in order to assure that the server was started securely. |
    445. 

  445. | | | This means that the server must be started via jsvc. |
    446. 

  446. *-------------------------+-------------------------+------------------------+
    447. 

  447. | <<<dfs.datanode.https.address>>> | <0.0.0.0:50470> | |
    448. 

  448. *-------------------------+-------------------------+------------------------+
    449. 

  449. | <<<dfs.datanode.keytab.file>>> | </etc/security/keytab/dn.service.keytab> | |
    450. 

  450. | | | Kerberos keytab file for the DataNode. |
    451. 

  451. *-------------------------+-------------------------+------------------------+
    452. 

  452. | <<<dfs.datanode.kerberos.principal>>> | dn/_HOST@REALM.TLD | |
    453. 

  453. | | | Kerberos principal name for the DataNode. |
    454. 

  454. *-------------------------+-------------------------+------------------------+
    455. 

  455. | <<<dfs.encrypt.data.transfer>>> | <false> | |
    456. 

  456. | | | set to <<<true>>> when using data encryption |
    457. 

  457. *-------------------------+-------------------------+------------------------+
    458. 

  458. | <<<dfs.encrypt.data.transfer.algorithm>>> | | |
    459. 

  459. | | | optionally set to <<<3des>>> or <<<rc4>>> when using data encryption to |
    460. 

  460. | | | control encryption algorithm |
    461. 

  461. *-------------------------+-------------------------+------------------------+
    462. 

  462. | <<<dfs.encrypt.data.transfer.cipher.suites>>> | | |
    463. 

  463. | | | optionally set to <<<AES/CTR/NoPadding>>> to activate AES encryption    |
    464. 

  464. | | | when using data encryption |
    465. 

  465. *-------------------------+-------------------------+------------------------+
    466. 

  466. | <<<dfs.encrypt.data.transfer.cipher.key.bitlength>>> | | |
    467. 

  467. | | | optionally set to <<<128>>>, <<<192>>> or <<<256>>> to control key bit  |
    468. 

  468. | | | length when using AES with data encryption |
    469. 

  469. *-------------------------+-------------------------+------------------------+
    470. 

  470. | <<<dfs.data.transfer.protection>>> | | |
    471. 

  471. | | | <authentication> : authentication only \
    472. 

  472. | | | <integrity> : integrity check in addition to authentication \
    473. 

  473. | | | <privacy> : data encryption in addition to integrity |
    474. 

  474. | | | This property is unspecified by default.  Setting this property enables |
    475. 

  475. | | | SASL for authentication of data transfer protocol.  If this is enabled, |
    476. 

  476. | | | then <<<dfs.datanode.address>>> must use a non-privileged port, |
    477. 

  477. | | | <<<dfs.http.policy>>> must be set to <HTTPS_ONLY> and the |
    478. 

  478. | | | <<<HADOOP_SECURE_DN_USER>>> environment variable must be undefined when |
    479. 

  479. | | | starting the DataNode process. |
    480. 

  480. *-------------------------+-------------------------+------------------------+
    481. 

  481. Configuration for <<<conf/hdfs-site.xml>>>
    482. 

  482. 

  483. 

  484. ** WebHDFS
    485. 

  485. 

  486. *-------------------------+-------------------------+------------------------+
    487. 

  487. || Parameter              || Value                  || Notes                 |
    488. 

  488. *-------------------------+-------------------------+------------------------+
    489. 

  489. | <<<dfs.web.authentication.kerberos.principal>>> | http/_HOST@REALM.TLD | |
    490. 

  490. | | | Kerberos keytab file for the WebHDFS. |
    491. 

  491. *-------------------------+-------------------------+------------------------+
    492. 

  492. | <<<dfs.web.authentication.kerberos.keytab>>> | </etc/security/keytab/http.service.keytab> | |
    493. 

  493. | | | Kerberos principal name for WebHDFS. |
    494. 

  494. *-------------------------+-------------------------+------------------------+
    495. 

  495. Configuration for <<<conf/hdfs-site.xml>>>
    496. 

  496. 

  497. 

  498. ** ResourceManager
    499. 

  499. 

  500. *-------------------------+-------------------------+------------------------+
    501. 

  501. || Parameter              || Value                  || Notes                 |
    502. 

  502. *-------------------------+-------------------------+------------------------+
    503. 

  503. | <<<yarn.resourcemanager.keytab>>> | | |
    504. 

  504. | | </etc/security/keytab/rm.service.keytab> | |
    505. 

  505. | | | Kerberos keytab file for the ResourceManager. |
    506. 

  506. *-------------------------+-------------------------+------------------------+
    507. 

  507. | <<<yarn.resourcemanager.principal>>> | rm/_HOST@REALM.TLD | |
    508. 

  508. | | | Kerberos principal name for the ResourceManager. |
    509. 

  509. *-------------------------+-------------------------+------------------------+
    510. 

  510. Configuration for  <<<conf/yarn-site.xml>>>
    511. 

  511. 

  512. **  NodeManager
    513. 

  513. 

  514. *-------------------------+-------------------------+------------------------+
    515. 

  515. || Parameter              || Value                  || Notes                 |
    516. 

  516. *-------------------------+-------------------------+------------------------+
    517. 

  517. | <<<yarn.nodemanager.keytab>>> | </etc/security/keytab/nm.service.keytab> | |
    518. 

  518. | | | Kerberos keytab file for the NodeManager. |
    519. 

  519. *-------------------------+-------------------------+------------------------+
    520. 

  520. | <<<yarn.nodemanager.principal>>> | nm/_HOST@REALM.TLD | |
    521. 

  521. | | | Kerberos principal name for the NodeManager. |
    522. 

  522. *-------------------------+-------------------------+------------------------+
    523. 

  523. | <<<yarn.nodemanager.container-executor.class>>> | | |
    524. 

  524. | | <<<org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor>>> |
    525. 

  525. | | | Use LinuxContainerExecutor. |
    526. 

  526. *-------------------------+-------------------------+------------------------+
    527. 

  527. | <<<yarn.nodemanager.linux-container-executor.group>>> | <hadoop> | |
    528. 

  528. | | | Unix group of the NodeManager. |
    529. 

  529. *-------------------------+-------------------------+------------------------+
    530. 

  530. | <<<yarn.nodemanager.linux-container-executor.path>>> | </path/to/bin/container-executor> | |
    531. 

  531. | | | The path to the executable of Linux container executor. |
    532. 

  532. *-------------------------+-------------------------+------------------------+
    533. 

  533. Configuration for  <<<conf/yarn-site.xml>>>
    534. 

  534. 

  535. ** Configuration for WebAppProxy
    536. 

  536. 

  537.     The <<<WebAppProxy>>> provides a proxy between the web applications
    538. 

  538.     exported by an application and an end user.  If security is enabled
    539. 

  539.     it will warn users before accessing a potentially unsafe web application.
    540. 

  540.     Authentication and authorization using the proxy is handled just like
    541. 

  541.     any other privileged web application.
    542. 

  542. 

  543. *-------------------------+-------------------------+------------------------+
    544. 

  544. || Parameter              || Value                  || Notes                 |
    545. 

  545. *-------------------------+-------------------------+------------------------+
    546. 

  546. | <<<yarn.web-proxy.address>>> | | |
    547. 

  547. | | <<<WebAppProxy>>> host:port for proxy to AM web apps. | |
    548. 

  548. | | | <host:port> if this is the same as <<<yarn.resourcemanager.webapp.address>>>|
    549. 

  549. | | | or it is not defined then the <<<ResourceManager>>> will run the proxy|
    550. 

  550. | | | otherwise a standalone proxy server will need to be launched.|
    551. 

  551. *-------------------------+-------------------------+------------------------+
    552. 

  552. | <<<yarn.web-proxy.keytab>>> | | |
    553. 

  553. | | </etc/security/keytab/web-app.service.keytab> | |
    554. 

  554. | | | Kerberos keytab file for the WebAppProxy. |
    555. 

  555. *-------------------------+-------------------------+------------------------+
    556. 

  556. | <<<yarn.web-proxy.principal>>> | wap/_HOST@REALM.TLD | |
    557. 

  557. | | | Kerberos principal name for the WebAppProxy. |
    558. 

  558. *-------------------------+-------------------------+------------------------+
    559. 

  559. Configuration for  <<<conf/yarn-site.xml>>>
    560. 

  560. 

  561. ** LinuxContainerExecutor
    562. 

  562. 

  563.     A <<<ContainerExecutor>>> used by YARN framework which define how any
    564. 

  564.     <container> launched and controlled.
    565. 

  565. 

  566.     The following are the available in Hadoop YARN:
    567. 

  567. 

  568. *--------------------------------------+--------------------------------------+
    569. 

  569. || ContainerExecutor                   || Description                         |
    570. 

  570. *--------------------------------------+--------------------------------------+
    571. 

  571. | <<<DefaultContainerExecutor>>>             | |
    572. 

  572. | | The default executor which YARN uses to manage container execution. |
    573. 

  573. | | The container process has the same Unix user as the NodeManager.  |
    574. 

  574. *--------------------------------------+--------------------------------------+
    575. 

  575. | <<<LinuxContainerExecutor>>>               | |
    576. 

  576. | | Supported only on GNU/Linux, this executor runs the containers as either the |
    577. 

  577. | | YARN user who submitted the application (when full security is enabled) or |
    578. 

  578. | | as a dedicated user (defaults to nobody) when full security is not enabled. |
    579. 

  579. | | When full security is enabled, this executor requires all user accounts to be |
    580. 

  580. | | created on the cluster nodes where the containers are launched. It uses |
    581. 

  581. | | a <setuid> executable that is included in the Hadoop distribution. |
    582. 

  582. | | The NodeManager uses this executable to launch and kill containers. |
    583. 

  583. | | The setuid executable switches to the user who has submitted the |
    584. 

  584. | | application and launches or kills the containers. For maximum security, |
    585. 

  585. | | this executor sets up restricted permissions and user/group ownership of |
    586. 

  586. | | local files and directories used by the containers such as the shared |
    587. 

  587. | | objects, jars, intermediate files, log files etc. Particularly note that, |
    588. 

  588. | | because of this, except the application owner and NodeManager, no other |
    589. 

  589. | | user can access any of the local files/directories including those |
    590. 

  590. | | localized as part of the distributed cache. |
    591. 

  591. *--------------------------------------+--------------------------------------+
    592. 

  592. 

  593.     To build the LinuxContainerExecutor executable run:
    594. 

  594. 

  595. ----
    596. 

  596.  $ mvn package -Dcontainer-executor.conf.dir=/etc/hadoop/
    597. 

  597. ----
    598. 

  598. 

  599.     The path passed in <<<-Dcontainer-executor.conf.dir>>> should be the
    600. 

  600.     path on the cluster nodes where a configuration file for the setuid
    601. 

  601.     executable should be located. The executable should be installed in
    602. 

  602.     $HADOOP_YARN_HOME/bin.
    603. 

  603. 

  604.     The executable must have specific permissions: 6050 or --Sr-s---
    605. 

  605.     permissions user-owned by <root> (super-user) and group-owned by a
    606. 

  606.     special group (e.g. <<<hadoop>>>) of which the NodeManager Unix user is
    607. 

  607.     the group member and no ordinary application user is. If any application
    608. 

  608.     user belongs to this special group, security will be compromised. This
    609. 

  609.     special group name should be specified for the configuration property
    610. 

  610.     <<<yarn.nodemanager.linux-container-executor.group>>> in both
    611. 

  611.     <<<conf/yarn-site.xml>>> and <<<conf/container-executor.cfg>>>.
    612. 

  612. 

  613.     For example, let's say that the NodeManager is run as user <yarn> who is
    614. 

  614.     part of the groups users and <hadoop>, any of them being the primary group.
    615. 

  615.     Let also be that <users> has both <yarn> and another user
    616. 

  616.     (application submitter) <alice> as its members, and <alice> does not
    617. 

  617.     belong to <hadoop>. Going by the above description, the setuid/setgid
    618. 

  618.     executable should be set 6050 or --Sr-s--- with user-owner as <yarn> and
    619. 

  619.     group-owner as <hadoop> which has <yarn> as its member (and not <users>
    620. 

  620.     which has <alice> also as its member besides <yarn>).
    621. 

  621. 

  622.     The LinuxTaskController requires that paths including and leading up to
    623. 

  623.     the directories specified in <<<yarn.nodemanager.local-dirs>>> and
    624. 

  624.     <<<yarn.nodemanager.log-dirs>>> to be set 755 permissions as described
    625. 

  625.     above in the table on permissions on directories.
    626. 

  626. 

  627.       * <<<conf/container-executor.cfg>>>
    628. 

  628. 

  629.     The executable requires a configuration file called
    630. 

  630.     <<<container-executor.cfg>>> to be present in the configuration
    631. 

  631.     directory passed to the mvn target mentioned above.
    632. 

  632. 

  633.     The configuration file must be owned by the user running NodeManager
    634. 

  634.     (user <<<yarn>>> in the above example), group-owned by anyone and
    635. 

  635.     should have the permissions 0400 or r--------.
    636. 

  636. 

  637.     The executable requires following configuration items to be present
    638. 

  638.     in the <<<conf/container-executor.cfg>>> file. The items should be
    639. 

  639.     mentioned as simple key=value pairs, one per-line:
    640. 

  640. 

  641. *-------------------------+-------------------------+------------------------+
    642. 

  642. || Parameter              || Value                  || Notes                 |
    643. 

  643. *-------------------------+-------------------------+------------------------+
    644. 

  644. | <<<yarn.nodemanager.linux-container-executor.group>>> | <hadoop> | |
    645. 

  645. | | | Unix group of the NodeManager. The group owner of the |
    646. 

  646. | | |<container-executor> binary should be this group. Should be same as the |
    647. 

  647. | | | value with which the NodeManager is configured. This configuration is |
    648. 

  648. | | | required for validating the secure access of the <container-executor> |
    649. 

  649. | | | binary. |
    650. 

  650. *-------------------------+-------------------------+------------------------+
    651. 

  651. | <<<banned.users>>> | hdfs,yarn,mapred,bin | Banned users. |
    652. 

  652. *-------------------------+-------------------------+------------------------+
    653. 

  653. | <<<allowed.system.users>>> | foo,bar | Allowed system users. |
    654. 

  654. *-------------------------+-------------------------+------------------------+
    655. 

  655. | <<<min.user.id>>> | 1000 | Prevent other super-users. |
    656. 

  656. *-------------------------+-------------------------+------------------------+
    657. 

  657. Configuration for  <<<conf/yarn-site.xml>>>
    658. 

  658. 

  659.       To re-cap, here are the local file-sysytem permissions required for the
    660. 

  660.       various paths related to the <<<LinuxContainerExecutor>>>:
    661. 

  661. 

  662. *-------------------+-------------------+------------------+------------------+
    663. 

  663. || Filesystem       || Path             || User:Group      || Permissions     |
    664. 

  664. *-------------------+-------------------+------------------+------------------+
    665. 

  665. | local | container-executor | root:hadoop | --Sr-s--- |
    666. 

  666. *-------------------+-------------------+------------------+------------------+
    667. 

  667. | local | <<<conf/container-executor.cfg>>> | root:hadoop | r-------- |
    668. 

  668. *-------------------+-------------------+------------------+------------------+
    669. 

  669. | local | <<<yarn.nodemanager.local-dirs>>> | yarn:hadoop | drwxr-xr-x |
    670. 

  670. *-------------------+-------------------+------------------+------------------+
    671. 

  671. | local | <<<yarn.nodemanager.log-dirs>>> | yarn:hadoop | drwxr-xr-x |
    672. 

  672. *-------------------+-------------------+------------------+------------------+
    673. 

  673. 

  674. **  MapReduce JobHistory Server
    675. 

  675. 

  676. *-------------------------+-------------------------+------------------------+
    677. 

  677. || Parameter              || Value                  || Notes                 |
    678. 

  678. *-------------------------+-------------------------+------------------------+
    679. 

  679. | <<<mapreduce.jobhistory.address>>> | | |
    680. 

  680. | | MapReduce JobHistory Server <host:port> | Default port is 10020. |
    681. 

  681. *-------------------------+-------------------------+------------------------+
    682. 

  682. | <<<mapreduce.jobhistory.keytab>>> | |
    683. 

  683. | | </etc/security/keytab/jhs.service.keytab> | |
    684. 

  684. | | | Kerberos keytab file for the MapReduce JobHistory Server. |
    685. 

  685. *-------------------------+-------------------------+------------------------+
    686. 

  686. | <<<mapreduce.jobhistory.principal>>> | jhs/_HOST@REALM.TLD | |
    687. 

  687. | | | Kerberos principal name for the MapReduce JobHistory Server. |
    688. 

  688. *-------------------------+-------------------------+------------------------+
    689. 

  689. Configuration for  <<<conf/mapred-site.xml>>>
    690.