The Kerberos installation procedure sets up security attributes as
required.
Roberta
*From:* Gunnar Tapper [mailto:[email protected]]
*Sent:* Wednesday, February 3, 2016 3:28 PM
*To:* [email protected]
*Subject:* Re: Trafodion user security
OK. So this is a prerequisite for install, right? Any need for similar
configuration at the HDFS level? The installer does a bunch of things to
HDFS directly.
Some other questions related to installation:
1. I assume that Trafodion is the only project using HBase-TRX and,
therefore, it's OK to overwrite $HADOOP_PATH/hbase-trx*?
2. Is Trafodion the only project using /hbase-staging, /bulkload, and
/lobs? The installer seems to assume that those directories do not exist.
Perhaps they get created under the Trafodion user's root directory rather
than the actual root directory?
Overall, I am trying to understand and document what happens to the user's
Hadoop environment when the Trafodion Installer runs so that there are no
surprises after the installer has made changes to the environment and
restarted HBase, Zookeeper, and HDFS.
Thanks,
Gunnar
On Wed, Feb 3, 2016 at 4:05 PM, Roberta Marton <[email protected]>
wrote:
If you are not running with security enabled (aka Kerberos), then no
privilege checking is performed so you should not have to add the Trafodion
ID.
If you are running with Kerberos enabled, then you need to give the
trafodion ID necessary privileges in HBase and HDFS. This, of course,
requires a Trafodion principal defined in Kerberos.
For example, in HBase, after creating and setting up your Kerberos ID, you
grant trafodion privileges:
$ sudo -u hbase hbase shell
grant 'trafodion', 'RWXCA'
exit
Roberta
*From:* Gunnar Tapper [mailto:[email protected]]
*Sent:* Wednesday, February 3, 2016 2:19 PM
*To:* [email protected]
*Subject:* Trafodion user security
Hi,
>From what I understand, Trafodion runs under its own user ID and group,
which needs sudo access to the ip and arping Linux utilities.
However, it's not clear to me if this user ID need to be added to HDFS and
HBase, too?
--
Thanks,
Gunnar
*If you think you can you can, if you think you can't you're right.*
--
Thanks,
Gunnar
*If you think you can you can, if you think you can't you're right.*
