Author: buildbot
Date: Mon Nov 24 16:55:10 2014
New Revision: 930320
Log:
Staging update by buildbot for slider
Modified:
websites/staging/slider/trunk/content/ (props changed)
websites/staging/slider/trunk/content/docs/security.html
Propchange: websites/staging/slider/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Nov 24 16:55:10 2014
@@ -1 +1 @@
-1641398
+1641419
Modified: websites/staging/slider/trunk/content/docs/security.html
==============================================================================
--- websites/staging/slider/trunk/content/docs/security.html (original)
+++ websites/staging/slider/trunk/content/docs/security.html Mon Nov 24
16:55:10 2014
@@ -270,20 +270,22 @@ rights of the user that created the clus
<p>The Application Master will read in the JSON cluster specification file,
and instantiate the
relevant number of componentss. </p>
<h3 id="the-keytab-distributionaccess-options">The Keytab distribution/access
Options</h3>
-<p>The AM has been modified to leverage keytabs for authenticating rather than
relying on delegation-token based authentication mechanisms. In order to
perform this login the AM requires access to a keytab file that contains the
principal representing the user identity to be associated with the launched
application instance. There are two mechanisms supported for keytab access
and/or distribution:</p>
+<p>Rather than relying on delegation token based authentication mechanisms,
the AM leverages keytab files for obtaining the principals to authenticate to
the configured cluster KDC. In order to perform this login the AM requires
access to a keytab file that contains the principal representing the user
identity to be associated with the launched application instance (e.g. in an
HBase installation you may elect to leverage the âhbaseâ principal for this
purpose). There are two mechanisms supported for keytab access and/or
distribution:</p>
<h4 id="local-keytab-file-access">Local Keytab file access:</h4>
-<p>An application deployer may choose to pre-distribute the keytab files
required to the node manager hosts in a yarn cluster. In that instance the
appConfig.json requires the following property:</p>
+<p>An application deployer may choose to pre-distribute the keytab files
required to the Node Manager (NM) hosts in a Yarn cluster. In that instance the
appConfig.json requires the following properties:</p>
<div class="codehilite"><pre><span class="p">.</span> <span class="p">.</span>
<span class="p">.</span>
"<span class="n">components</span>"<span class="p">:</span> <span
class="p">{</span>
"<span class="n">slider</span><span class="o">-</span><span
class="n">appmaster</span>"<span class="p">:</span> <span
class="p">{</span>
"<span class="n">jvm</span><span class="p">.</span><span
class="n">heapsize</span>"<span class="p">:</span> "256<span
class="n">M</span>"<span class="p">,</span>
- "<span class="n">slider</span><span class="p">.</span><span
class="n">am</span><span class="p">.</span><span class="n">keytab</span><span
class="p">.</span><span class="n">local</span><span class="p">.</span><span
class="n">path</span>"<span class="p">:</span> "<span
class="o">/</span><span class="n">etc</span><span class="o">/</span><span
class="n">security</span><span class="o">/</span><span
class="n">keytabs</span><span class="o">/</span><span
class="n">hbase</span><span class="p">.</span><span
class="n">headless</span><span class="p">.</span><span
class="n">keytab</span>"
+ "<span class="n">slider</span><span class="p">.</span><span
class="n">am</span><span class="p">.</span><span class="n">keytab</span><span
class="p">.</span><span class="n">local</span><span class="p">.</span><span
class="n">path</span>"<span class="p">:</span> "<span
class="o">/</span><span class="n">etc</span><span class="o">/</span><span
class="n">security</span><span class="o">/</span><span
class="n">keytabs</span><span class="o">/</span><span
class="n">hbase</span><span class="p">.</span><span
class="n">headless</span><span class="p">.</span><span
class="n">keytab</span>"<span class="p">,</span>
+ â<span class="n">slider</span><span class="p">.</span><span
class="n">keytab</span><span class="p">.</span><span
class="n">principal</span><span class="p">.</span><span
class="n">name</span>â <span class="p">:</span> â<span
class="n">hbase</span>"
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
-<p>The âslider.am.keytab.local.pathâ property provides the full path to
the keytab file location and is mandatory for the local lookup mechanism. In
this scenario the distribution of keytab files for the AM AND the application
itself is the purview of the application deployer. So, for example, for an
hbase deployment, the hbase site service keytab will have to be distributed as
well and indicated in the hbase-site properties:</p>
+<p>The âslider.am.keytab.local.pathâ property provides the full path to
the keytab file location and is mandatory for the local lookup mechanism. The
principal to leverage from the file is identified by the
âslider.keytab.principal.nameâ property.</p>
+<p>In this scenario the distribution of keytab files for the AM AND the
application itself is the purview of the application deployer. So, for
example, for an hbase deployment, the hbase site service keytab will have to be
distributed as well and indicated in the hbase-site properties:</p>
<div class="codehilite"><pre> <span class="p">.</span> <span
class="p">.</span> <span class="p">.</span>
"<span class="n">site</span><span class="p">.</span><span
class="n">hbase</span><span class="o">-</span><span class="n">site</span><span
class="p">.</span><span class="n">hbase</span><span class="p">.</span><span
class="n">master</span><span class="p">.</span><span
class="n">kerberos</span><span class="p">.</span><span
class="n">principal</span>"<span class="p">:</span> "<span
class="n">hbase</span><span class="o">/</span><span class="n">_HOST</span><span
class="p">@</span><span class="n">EXAMPLE</span><span class="p">.</span><span
class="n">COM</span>"<span class="p">,</span>
"<span class="n">site</span><span class="p">.</span><span
class="n">hbase</span><span class="o">-</span><span class="n">site</span><span
class="p">.</span><span class="n">hbase</span><span class="p">.</span><span
class="n">master</span><span class="p">.</span><span
class="n">keytab</span><span class="p">.</span><span
class="n">file</span>"<span class="p">:</span> "<span
class="o">/</span><span class="n">etc</span><span class="o">/</span><span
class="n">security</span><span class="o">/</span><span
class="n">keytabs</span><span class="o">/</span><span
class="n">hbase</span><span class="p">.</span><span
class="n">service</span><span class="p">.</span><span
class="n">keytab</span>"<span class="p">,</span>
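Review bot: the added `slider.keytab.principal.name` line in the appConfig.json snippet (the `+` line right after `slider.am.keytab.local.path`) wraps the key and the start of the value in typographic quotes (`â...â : âhbase"`) while every other key in the block uses ASCII double quotes, so anyone pasting the snippet gets invalid JSON; change it to `"slider.keytab.principal.name": "hbase"`. The rewritten paragraph makes distribution of the keytab to the NM hosts the deployer's responsibility but says nothing about how the pre-distributed file must be protected; since `/etc/security/keytabs/hbase.headless.keytab` is a long-lived credential for the `hbase` principal, one sentence stating that it must be owned by, and readable only by, the account the AM container runs as would close that gap. The unchanged context line `relevant number of componentss.` still carries the `componentss` typo.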
@@ -292,13 +294,14 @@ relevant number of componentss. </p>
<h4 id="slider-keytab-distribution">Slider keytab distribution:</h4>
-<p>The deployer can select to upload the keytab files for the AM and the
application to an HDFS directory (with appropriate permissions set) and slider
will localize the keytab files to locations accessible by the AM or the
application containers:</p>
+<p>The deployer can select to upload the keytab files (manually or using the
Slider client install-keytab option - see below) for the AM and the application
to an HDFS directory (with appropriate permissions set) and slider will
localize the keytab files to locations accessible by the AM or the application
containers:</p>
<div class="codehilite"><pre><span class="p">.</span> <span class="p">.</span>
<span class="p">.</span>
"<span class="n">components</span>"<span class="p">:</span> <span
class="p">{</span>
"<span class="n">slider</span><span class="o">-</span><span
class="n">appmaster</span>"<span class="p">:</span> <span
class="p">{</span>
"<span class="n">jvm</span><span class="p">.</span><span
class="n">heapsize</span>"<span class="p">:</span> "256<span
class="n">M</span>"<span class="p">,</span>
"<span class="n">slider</span><span class="p">.</span><span
class="n">hdfs</span><span class="p">.</span><span class="n">keytab</span><span
class="p">.</span><span class="n">dir</span>"<span class="p">:</span>
"<span class="p">.</span><span class="n">slider</span><span
class="o">/</span><span class="n">keytabs</span><span class="o">/</span><span
class="n">hbase</span>"<span class="p">,</span>
- "<span class="n">slider</span><span class="p">.</span><span
class="n">am</span><span class="p">.</span><span class="n">login</span><span
class="p">.</span><span class="n">keytab</span><span class="p">.</span><span
class="n">name</span>"<span class="p">:</span> "<span
class="n">hbase</span><span class="p">.</span><span
class="n">headless</span><span class="p">.</span><span
class="n">keytab</span>"
+ "<span class="n">slider</span><span class="p">.</span><span
class="n">am</span><span class="p">.</span><span class="n">login</span><span
class="p">.</span><span class="n">keytab</span><span class="p">.</span><span
class="n">name</span>"<span class="p">:</span> "<span
class="n">hbase</span><span class="p">.</span><span
class="n">headless</span><span class="p">.</span><span
class="n">keytab</span>"<span class="p">,</span>
+ â<span class="n">slider</span><span class="p">.</span><span
class="n">keytab</span><span class="p">.</span><span
class="n">principal</span><span class="p">.</span><span
class="n">name</span>â <span class="p">:</span> â<span
class="n">hbase</span>"
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
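Review bot: the same typographic-quote problem recurs in the new `slider.keytab.principal.name` line of this snippet (`â...â : âhbase"`); use ASCII quotes so the block stays valid JSON. The parenthetical `(with appropriate permissions set)` carried over from the old text is the only guidance on protecting the HDFS keytab directory, and now that the paragraph points readers at the `install-keytab` option it should say what "appropriate" means (which user owns the directory and that it should not be readable by other users), or cross-reference the section where that is defined.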
@@ -306,7 +309,7 @@ relevant number of componentss. </p>
<p>The âslider.hdfs.keytab.dirâ points to an HDFS path, relative to the
userâs home directory (e.g. /users/hbase), in which slider can find all
keytab files required for both AM login as well as application services (e.g.
for hbase that would be the headless keytab for the AM and the service keytab
for the HBase application components). If no value is specified, a default
location of â.slider/keytabs/<cluster name>â is assumed.
The âslider.am.login.keytab.nameâ is the name of the keytab file
(mandatory property), found within the specified directory, that the AM will
use to lookup up the login principal and authenticate.</p>
-<p>If leveraging the slider-based distribution mechanism, the keytab files for
components will be accessible from a âkeytabsâ sub-directory of the
container work folder, e.g.:</p>
+<p>If leveraging the slider-based distribution mechanism, the keytab files for
components will be accessible from a âkeytabsâ sub-directory of the
container work folder and can therefore be specified relative to the
$AGENT_WORK_ROOT/keytabs directory, e.g.:</p>
<div class="codehilite"><pre> . . .
"site.hbase-site.hbase.master.kerberos.principal":
"hbase/[email protected]",
"site.hbase-site.hbase.master.keytab.file": "<span
class="cp">${</span><span class="n">AGENT_WORK_ROOT</span><span
class="cp">}</span>/keytabs/hbase.service.keytab",
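Review bot: the new sentence refers to `$AGENT_WORK_ROOT/keytabs` while the snippet directly below writes `${AGENT_WORK_ROOT}/keytabs/hbase.service.keytab`; use one spelling so the reader does not wonder whether both forms are expanded in the site properties. The unchanged context line `use to lookup up the login principal` still has the doubled `lookup up` and is worth fixing while this paragraph is being edited.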
@@ -319,6 +322,36 @@ relevant number of componentss. </p>
<li>The principal name established on the client side before invocation of the
Slider CLI (the principal used to âkinitâ) or</li>
<li>The value specified for a âslider.keytab.principal.nameâ property.
</li>
</ul>
+<h4 id="slider-client-keytab-installation">Slider Client Keytab
installation:</h4>
+<p>The Slider client can be leveraged to install keytab files individually
into a designated keytab HDFS folder. The format of the command is:</p>
+<div class="codehilite"><pre><span class="n">slider</span> <span
class="n">install</span><span class="o">-</span><span class="n">keytab</span>
â<span class="n">keytab</span> <span class="o"><</span><span
class="n">path</span> <span class="n">to</span> <span class="n">keytab</span>
<span class="n">on</span> <span class="n">local</span> <span
class="n">file</span> <span class="n">system</span><span class="o">></span>
â<span class="n">folder</span> <span class="o"><</span><span
class="n">name</span> <span class="n">of</span> <span class="n">HDFS</span>
<span class="n">folder</span> <span class="n">to</span> <span
class="n">store</span> <span class="n">keytab</span><span class="o">></span>
<span class="p">[</span>â<span class="n">overwrite</span><span
class="p">]</span>
+</pre></div>
+
+
+<p>The command will store the keytab file specified by the ââkeytabâ
option in to an HDFS folder that is created or exists under
/user/username/.slider/keytabs named by the ââfolderâ option (e.g. if the
folder name specified is âHBASEâ the keytab will be stored in
/user/username/.slider/keytabs/HBASE). The command can be used to upload
keytab files individually up to HDFS. For example, if uploading both AM and
HBase service keytabs to the âHBASEâ folder, the command will be invoked
twice:</p>
+<div class="codehilite"><pre><span class="n">slider</span> <span
class="n">install</span><span class="o">-</span><span class="n">keytab</span>
â<span class="n">keytab</span> <span class="o">/</span><span
class="n">my</span><span class="o">/</span><span class="n">local</span><span
class="o">/</span><span class="n">keytabs</span><span class="o">/</span><span
class="n">folder</span><span class="o">/</span><span
class="n">hbase</span><span class="p">.</span><span
class="n">headless</span><span class="p">.</span><span class="n">keytab</span>
â<span class="n">folder</span> <span class="n">HBASE</span>
+<span class="n">slider</span> <span class="n">install</span><span
class="o">-</span><span class="n">keytab</span> â<span
class="n">keytab</span> <span class="o">/</span><span class="n">my</span><span
class="o">/</span><span class="n">local</span><span class="o">/</span><span
class="n">keytabs</span><span class="o">/</span><span
class="n">folder</span><span class="o">/</span><span
class="n">hbase</span><span class="p">.</span><span
class="n">service</span><span class="p">.</span><span class="n">keytab</span>
â<span class="n">folder</span> <span class="n">HBASE</span>
+</pre></div>
+
+
+<p>Subsequently, the associated hbase-site configuration properties would
be:</p>
+<div class="codehilite"><pre>"global": {
+ . . .
+ "site.hbase-site.hbase.master.kerberos.principal":
"hbase/[email protected]",
+ "site.hbase-site.hbase.master.keytab.file": "<span
class="cp">${</span><span class="n">AGENT_WORK_ROOT</span><span
class="cp">}</span>/keytabs/hbase.service.keytab",
+ . . .
+}
+"components": {
+ "slider-appmaster": {
+ "jvm.heapsize": "256M",
+ "slider.hdfs.keytab.dir": ".slider/keytabs/HBASE",
+ "slider.am.login.keytab.name":
"hbase.headless.keytab"
+ âslider.keytab.principal.nameâ : âhbase"
+ }
+}
+</pre></div>
+
+
<h2
id="securing-communications-between-the-slider-client-and-the-slider-am">Securing
communications between the Slider Client and the Slider AM.</h2>
<p>When the AM is deployed in a secure cluster,
it automatically uses Kerberos-authorized RPC channels. The client must
acquire a
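Review bot: in the new `install-keytab` synopsis and in both example invocations, the option prefixes are rendered as a non-ASCII character (`â<keytab>`, `â<folder>`, `[â<overwrite>]`) instead of `--keytab`, `--folder` and `--overwrite`, so the commands fail if pasted into a shell; the same character replaces the quotes around `--keytab` and `--folder` in the paragraph, and `in to` should read `into`. The closing appConfig excerpt also has JSON defects: no comma after `"hbase.headless.keytab"` before the `slider.keytab.principal.name` line, typographic quotes on that line, and no comma between the closing `}` of `"global"` and `"components"`. On documentation, the paragraph states where the keytab lands (`/user/username/.slider/keytabs/HBASE`) but not which HDFS owner and permissions the client applies to the folder and the uploaded file; since the earlier section leaves "appropriate permissions" to the deployer, state them here so the reader can verify the upload.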