The following are the prerequisites for installing a secure Hadoop cluster:

The first step in the process to establish a secure Hadoop cluster is to set up the Kerberos authentication and ensure that the Kerberos authentication for the Hadoop service principals are working for all the nodes on the cluster. To set up Kerberos, we establish a Kerberos Server (KDC) on a separate node and install the Kerberos client on all nodes of the Hadoop cluster as shown in the following figure:

The following figure illustrates the high-level steps involved in installing and configuring Kerberos. It also shows the various Kerberos utilities that are available.

We will use the following realm and domain for the rest of this chapter:

Domain name: mydomain.com

Realm name: MYREALM.COM

yum install krb5-server krb5-libs krb5-workstation

Once the Kerberos setup is completed and the user principals are added to KDC, we can configure Hadoop to use Kerberos authentication. It is assumed that a Hadoop cluster in a non-secured mode is configured and available. We will begin the configuration using Cloudera Distribution of Hadoop (CDH4).

The steps involved in configuring Kerberos authentication for Hadoop are shown in the following figure:

yum install krb5-libs krb5-workstation

apt-get install krb5-user

All users required to run MapReduce jobs on the cluster need to be set up all the nodes in the cluster. In a large cluster, setting up these users will be very time consuming. So the best practice is to integrate the existing enterprise users in Active Directory or LDAP using cross-realm authentication in Kerberos.

Users are centrally managed in Active Directory or LDAP, and we set up a one-way cross-realm trust between Active Directory/LDAP and KDC on the cluster. Thus, the Hadoop service principal doesn't have to be set up in Active Directory/LDAP, and they authenticate locally on the cluster with KDC. This also ensures that the cluster load is isolated from the rest of the enterprise. We look at how to integrate Hadoop security with Enterprise Security Systems in subsequent chapters.

In a production environment, there are hundreds (sometimes even thousands) of nodes in a Hadoop cluster. Managing and configuring such a large cluster is not done manually as it is laborious and error prone. Traditionally, enterprises used Chef/Puppet or a similar solution for cluster configuration management and deployment, In this approach, organizations had to continuously update their chef recipes based on the changes in Apache Hadoop releases. Instead, organizations typically deploy Hadoop cluster deployment automation based on the Hadoop distribution they work with. For example, in a Cloudera-based Hadoop distribution, organizations leverages Cloudera Manager to provide cluster deployment. automation, and management capability. For Hortonworks-based distributions, organizations prefer Ambari. Similarly, Intel distribution has Intel Manager for Apache Hadoop. Each of these deployment managers support secured Hadoop deployment. The approach...

In this chapter, we looked at the steps to set up the Kerberos authentication protocol and how to add the required principals to the KDC. We then looked at the overall process of configuring the Hadoop security with Kerberos. The Hadoop configurations have to be replicated in all the nodes of the cluster. All users running MapReduce need to set up on all nodes of the cluster. Setting up users across the entire cluster nodes can be challenging and setting up an Active Directory- or LDAP-based authentication mechanism avoids the problem of manually creating the users in each of the cluster nodes.

In the next chapter, we will look at how we can configure Kerberos security for the rest of the Hadoop ecosystem such as Hive, WebHDFS, Oozie, and Flume.