Previously, secure impersonation functioned by having a single super group user, the Datameer X service user, in the Hadoop environment impersonate all authenticated users set in Kerberos. Datameer's new secure impersonation method (Native Multi User) validates each individual user separately using the user's own Kerberos keytab.
Table of Contents
Setup Instructions for Secure Impersonation in Native Multi User Mode
First, create a user for your Datameer X installation. This user will be called the Datameer X service user. Unless otherwise stated, perform the next steps as this user.
Preparing Datameer X for startup using the command line
- Unzip Datameer on your Hadoop cluster in a folder of your choice as the Datameer X service user.
- Configure your MySQL database.
- Add the MySQL JDBC driver to
webapps/conductor/WEB-INF/lib/
. (E.g., for MySQL 5.7.19 you can use "mysql-connector-java-5.1.43-bin.jar") - Configure your MySQL database parameters in the
conf/default.properties
file - Use the " bin/create-table.sql " script to initially fill the Datameer X database.
- Start Datameer
Configure Datameer X in the UI
License
Authentication
- Go to the Admin tab.
- Click Authentication from the menu.
Configure your Active Directory or LDAP (this example focus on Active Directory in the following steps) by clicking Edit .
Note title Important Enter the impersonation attribute. (E.g., userPrincipalName). This is necessary if your users are in different realms. If you don't use it then the configured default realm from your Datameer X servers Kerberos client config is taken to create the principal for the Kerberos Keytab file.
- Save the authentication configuration.
Don't log out! If you log out you will not be able to login again as the current admin user. Only the superuser functionality of DM will be able to log you in again. - Wait until the authentication cache has refreshed.
- Click Users from the menu. Select the groups and users that should be able to authenticate.
- Define a new admin user. The current user is no longer valid after logout.
...
- Click on Hadoop cluster from the menu and click Edit.
- From the Cluster Mode settings, select Multi User Kerberos Secured Hadoop Cluster.
- Enter your name node.
- Enter the private folder path for Datameer.
- Select the Enable Impersonation checkbox.
- Enter your Cluster Settings depending on your Hadoop cluster.
- Enter under Kerberos Settings:
- the principal for the Datameer X service user. (E.g., <name>@<realm> )
- the path to the Datameer X service users Keytab file.
- the yarn principal. (E.g., yarn/_HOST@<realm>)
- the HDFS principal. (E.g., hdfs/_HOST@<realm>)
- the mapred principal. (E.g., mapred/_HOST@<realm>)
- Enter any necessary Hadoop properties for the cluster.
- Enter under Automatic Keytab Management Settings:
- the full path to ktutil. (E.g., /usr/bin/ktutil)
- the path to the folder where Datameer X should store the generated Keytab files. The folder needs to have the user "Datameer" as the owner and the permission 700. There is already a Keytab folder in the default installation of Datameer. (E.g., <path to your Datameer X installation>/etc/keytabs)
- Don't set the Kerberos Realm if you already set the impersonation attribute in the Active Directory configuration . If you don't set the Kerberos Realm and you don't have the impersonation attribute set in the Active Directory configuration, the default realm from the Datameer X server Kerberos client configuration will be taken.
- Enter the password encryption algorithms necessary for your Kerberos installation. (E.g., aes256-cts-hmac-sha1-96, aes256-cts, arcfour-hmac)
- logout and restart Datameer
...
Private folder permissions are automatically set up during the installation process of the secured Hadoop Distributed Filesystem. The information below is a detailed description if these settings need to be applied to other tools, such as Apache Ranger.
- Enter the following permissions via ACL's or Ranger for common group or individual users
<datameer private folder>
to r-x. - Enter the following permissions via ACL's or Ranger for common group or individual users
<datameer private folder>
sub folders to rwx.
Datameer X restricts its folder to the following permissions:
...
The change of ownership of a file or folder is a privileged action. When using secure impersonation on Datameer X without the supergroup requirement, the Datameer X service user is no longer a member of the superuser group and loses the privilege to change ownership of files in the Datameer X home folder in HDFS. The change of ownership is still possible through a process of copying a file or folder from the Datameer X home folder to a new owner.
...