HAWQ-1497 - kerberos docs refactoring (closes #127)
lisakowen authored and dyozie committed Jul 17, 2017
1 parent f7d9536 commit 776ede0e5c4f26864efbb2bcbf50ef879e08da18
Showing 3 changed files with 602 additions and 196 deletions.
@@ -21,43 +21,49 @@ specific language governing permissions and limitations
under the License.
-->

Follow these steps to disable Kerberos security for HAWQ and PXF for manual installations.
HAWQ supports Kerberos at both the HDFS and/or user authentication levels. You will perform different disable procedures for each.

**Note:** If you install or manage your cluster using Ambari, then the HAWQ Ambari plug-in automatically disables security for HAWQ and PXF when you disable security for Hadoop. The following instructions are only necessary for manual installations, or when Hadoop security is disabled outside of Ambari.

1. Disable Kerberos on the Hadoop cluster on which you use HAWQ.
2. Disable security for HAWQ:
1. Login to the HAWQ database master server as the `gpadmin` user:
## <a id="disable_kerb_hdfs"></a>Disable Kerberized HDFS for HAWQ/PXF

``` bash
$ ssh hawq_master_fqdn
```
You will perform different procedures to disable HAWQ/PXF access to a previously-kerberized HDFS depending upon whether you manage your cluster from the command line or use Ambari to manage your cluster.

### <a id="disable_kerb_hdfs_ambari"></a>Procedure for Ambari-Managed Clusters

If you manage your cluster using Ambari, you will disable Kerberos authentication for your cluster as described in the [How To Disable Kerberos](https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-user-guide/content/how_to_disable_kerberos.html) Hortonworks documentation. Ambari will guide you through the de-kerberization process, including removing/updating any authentication-related configuration in your cluster.

2. Run the following command to set up HAWQ environment variables:
### <a id="disable_kerb_hdfs_ambari"></a>Procedure for Command-Line-Managed Clusters

If you manage your cluster from the command line, follow these instructions to disable HDFS Kerberos security for HAWQ and PXF.

1. Disable Kerberos on the Hadoop cluster on which you use HAWQ.
2. Disable security for HAWQ:
1. Login to the HAWQ database master server as the `gpadmin` user and set up your HAWQ environment:

``` bash
$ source /usr/local/hawq/greenplum_path.sh
$ ssh gpadmin@<master>
gpadmin@master$ . /usr/local/hawq/greenplum_path.sh
```

3. Start HAWQ if necessary:
2. Start HAWQ if necessary:

``` bash
$ hawq start -a
gpadmin@master$ hawq start cluster
```

4. Run the following command to disable security:
3. Update HAWQ configuration to disable security:

``` bash
$ hawq config --masteronly -c enable_secure_filesystem -v “off”
gpadmin@master$ hawq config -c enable_secure_filesystem -v “off”
```

5. Change the permission of the HAWQ HDFS data directory:
4. Change the permission of the HAWQ HDFS data directory:

``` bash
$ sudo -u hdfs hdfs dfs -chown -R gpadmin:gpadmin /hawq_data
gpadmin@master$ sudo -u hdfs hdfs dfs -chown -R gpadmin:gpadmin /<hawq_data_hdfs_path>
```

6. On the HAWQ master node and on all segment server nodes, edit the `/usr/local/hawq/etc/hdfs-client.xml` file to disable kerberos security. Comment or remove the following properties in each file:
5. On the HAWQ master node and on all segment server nodes, edit the `/usr/local/hawq/etc/hdfs-client.xml` file to disable kerberos security. Comment or remove the following properties in each file:

``` xml
<!--
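Review bot: the new "Procedure for Command-Line-Managed Clusters" heading reuses the anchor id `disable_kerb_hdfs_ambari` already assigned to the Ambari heading just above it, so links to the two sections cannot be told apart; give the command-line heading its own id. In the same hunk, the `hawq config -c enable_secure_filesystem -v “off”` line keeps the typographic quotes from the old text, which a shell passes through as literal characters when the command is pasted; use plain `off` or ASCII quotes. The intro sentence "at both the HDFS and/or user authentication levels" also mixes "both" with "and/or" and should pick one.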
@@ -73,20 +79,20 @@ Follow these steps to disable Kerberos security for HAWQ and PXF for manual inst
-->
```

7. Restart HAWQ:
6. Restart HAWQ:

``` bash
$ hawq restart -a -M fast
gpadmin@master$ hawq restart cluster -a -M fast
```

3. Disable security for PXF:
1. On each PXF node, edit the `/etc/gphd/pxf/conf/pxf-site.xml` to comment or remove the properties:
3. Disable security for PXF. Perform these steps on *each* PXF node:
1. Edit the `/etc/pxf/conf/pxf-site.xml` to comment out or remove the following properties:

``` xml
<!--
<property>
<name>pxf.service.kerberos.keytab</name>
<value>/etc/security/phd/keytabs/pxf.service.keytab</value>
<value>/etc/security/keytab/pxf.service.keytab</value>
<description>path to keytab file owned by pxf service
with permissions 0400</description>
</property>
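Review bot: the PXF step only comments out the `pxf.service.kerberos.keytab` property in `pxf-site.xml`; the keytab file at the path shown stays on every PXF node and remains a usable credential for as long as its principal exists in the KDC. Consider adding a step to remove the keytab or retire the principal once PXF has been restarted. Also confirm that the new `/etc/pxf/conf/` and `/etc/security/keytab/` paths match what the enable procedure tells readers to create, since both paths change in this hunk.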
@@ -102,3 +108,29 @@ Follow these steps to disable Kerberos security for HAWQ and PXF for manual inst
```

2. Restart the PXF service.

``` bash
root@pxf-node$ service pxf-service restart
```

## <a id="disable_kerb_hawq"></a>Disable Kerberos User Authentication for HAWQ

Perform the following procedure to disable Kerberos user authentication for HAWQ.

1. Comment out or remove the `pg_hba.conf` entry that mandates Kerberos authentication for HAWQ. The `pg_hba.conf` file resides in the directory specified by the `hawq_master_directory` server configuration parameter value. For example, comment out:

``` pre
#host all all 0.0.0.0/0 gss include_realm=0 krb_realm=REALM.DOMAIN
```

2. Update the `pg_hba.conf` file to configure non-Kerberos access restrictions for all your HAWQ users.

3. Reload HAWQ configuration:


``` bash
gpadmin@master$ hawq stop master --reload
```

4. Notify your HAWQ users that `kinit` ticket requests are no longer required to authenticate to HAWQ.
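Review bot: step 2 of the user-authentication procedure says to configure non-Kerberos access restrictions but shows no replacement `pg_hba.conf` entry, while the example in step 1 comments out the only rule shown for `0.0.0.0/0`. Add an example entry with the intended authentication method and state that remote hosts should not be switched to `trust`; as written, a reader can reach the reload in step 3 with remote users either locked out or admitted without authentication. The example block is also fenced as `pre`, unlike the `bash` and `xml` fences used elsewhere in this file.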

@@ -102,7 +102,7 @@ Perform the following steps to create a HAWQ Linux `psql` client package:

### <a id="hawqclient_pkg_install"></a>Installing the HAWQ psql Client Package

Perform the following steps to install the HAWQ `psql` client package you created in the previous section on a like Linux-based system:
Perform the following procedure to install the HAWQ `psql` client package you created in the previous section on a like Linux-based system:

1. Log in to the client system and create or navigate to the directory in which you want to install the HAWQ client:
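Review bot: style point on the rewritten intro sentence: "on a like Linux-based system" is carried over unchanged and reads awkwardly; "on a similar Linux-based system" would be clearer. This sentence also keeps its trailing colon, while the matching intro under "Running the HAWQ psql Client" now ends with a period; use one form for both.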

@@ -144,7 +144,9 @@ Perform the following steps to install the HAWQ `psql` client package you create

### <a id="hawqclient_pkg_run"></a>Running the HAWQ psql Client

Perform the following steps to run a previously-installed HAWQ `psql` client package:
Perform the following procedure to run a previously-installed HAWQ `psql` client package.

**Note**: If you have enabled Kerberos user authentication for HAWQ, refer to [Kerberos Considerations for Non-HAWQ Clients](kerberos.html#client_considerations) for additional client configuration requirements.

1. Source the HAWQ client environment file (recall the HAWQ client install directory you noted in the previous section):
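Review bot: the added Note links to `kerberos.html#client_considerations`, and that anchor is not defined in any of the lines shown in this diff; confirm it exists in the target file so the link does not land at the top of the page. The Note is also written `**Note**:` with the colon outside the bold, whereas the disable-Kerberos file in this same commit uses `**Note:**`.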
