Configuring PXF for Secure HDFS

When Kerberos is enabled for your HDFS filesystem, PXF, as an HDFS client, requires a principal and keytab file to authenticate access to HDFS. To read or write files on a secure HDFS, you must create and deploy Kerberos principals and keytabs for PXF, and ensure that Kerberos authentication is enabled and functioning.

PXF supports simultaneous access to multiple Kerberos-secured Hadoop clusters.

In previous versions of Greenplum Database, you configured the PXF Kerberos principal and keytab for the default Hadoop server via the now deprecated PXF_PRINCIPAL and PXF_KEYTAB settings in the pxf-env.sh configuration file.

When Kerberos is enabled, you access Hadoop with the PXF principal and keytab. You can also choose to access Hadoop using the identity of the Greenplum Database user.

You configure the impersonation setting and the Kerberos principal and keytab for a Hadoop server via the pxf-site.xml server-specific configuration file. Refer to About Kerberos and User Impersonation Configuration (pxf-site.xml) for more information about the configuration properties in this file.

Configure the Kerberos principal and keytab using the following pxf-site.xml properties:

Property Description Default Value
pxf.service.kerberos.principal The Kerberos principal name. gpadmin/_HOST@EXAMPLE.COM
pxf.service.kerberos.keytab The file system path to the Kerberos keytab file. $PXF_CONF/keytabs/pxf.service.keytab

The following table describes two scenarios for accessing Hadoop when Kerberos authentication is enabled:

Scenario Required Configuration
PXF accesses Hadoop using the identity of the configured principal. Set the pxf.service.user.impersonation property setting to false in the pxf-site.xml file to disable user impersonation.
PXF accesses Hadoop using the identity of the Greenplum Database user. Set the pxf.service.user.impersonation property setting to true in the pxf-site.xml file to enable user impersonation. You must also configure Hadoop proxying for the Hadoop user identity specified in the primary component of the Kerberos principal.

Prerequisites

Before you configure PXF for access to a secure HDFS filesystem, ensure that you have:

  • Configured a PXF server for the Hadoop cluster, and can identify the server configuration name.

  • Initialized, configured, and started PXF as described in Configuring PXF.

  • Verified that Kerberos is enabled for your Hadoop cluster.

  • Verified that the HDFS configuration parameter dfs.block.access.token.enable is set to true. You can find this setting in the hdfs-site.xml configuration file on a host in your Hadoop cluster.

  • Noted the host name or IP address of each Greenplum Database segment host (<seghost>) and the Kerberos Key Distribution Center (KDC) <kdc-server> host.

  • Noted the name of the Kerberos <realm> in which your cluster resides.

  • Installed the Kerberos client packages on each Greenplum Database segment host if they are not already installed. You must have superuser permissions to install operating system packages. For example:

    root@gphost$ rpm -qa | grep krb
    root@gphost$ yum install krb5-libs krb5-workstation
    

Procedure

There are different procedures for configuring PXF for secure HDFS with a Microsoft Active Directory KDC Server vs. with an MIT Kerberos KDC Server.

Configuring PXF with a Microsoft Active Directory Kerberos KDC Server

When you configure PXF for secure HDFS using an AD Kerberos KDC server, you will perform tasks on both the KDC server host and the Greenplum Database master host.

Perform the following steps the Active Directory domain controller:

  1. Start Active Directory Users and Computers.
  2. Expand the forest domain and the top-level UNIX organizational unit that describes your Greenplum user domain.
  3. Select Service Accounts, right-click, then select New->User.
  4. Type a name, eg. ServiceGreenplumPROD1, and change the login name to gpadmin. Note that the login name should be in compliance with POSIX standard and match hadoop.proxyuser.<name>.hosts/groups in the Hadoop core-site.xml and the Kerberos principal.
  5. Type and confirm the Active Directory service account password. Select the User cannot change password and Password never expires check boxes, then click Next. For security reasons, if you can’t have Password never expires checked, you will need to generate new keytab file (step 7) every time you change the password of the service account.
  6. Click Finish to complete the creation of the new user principal.
  7. Open Powershell or a command prompt and run the ktpass command to generate the keytab file. For example:

    powershell#>ktpass -out pxf.service.keytab -princ gpadmin@EXAMPLE.COM -mapUser ServiceGreenplumPROD1 -pass ******* -crypto all -ptype KRB5_NT_PRINCIPAL
    

    With Active Directory, the principal and the keytab file are shared by all Greenplum Database segment hosts.

  8. Copy the pxf.service.keytab file to the Greenplum master host.

Perform the following procedure on the Greenplum Database master host:

  1. Log in to the Greenplum Database master host. For example:

    $ ssh gpadmin@<gpmaster>
    
  2. Identify the name of the PXF Hadoop server configuration, and navigate to the server configuration directory. For example, if the server is named hdp3:

    gpadmin@gpmaster$ cd $PXF_CONF/servers/hdp3
    
  3. If the server configuration does not yet include a pxf-site.xml file, copy the template file to the directory. For example:

    gpadmin@gpmaster$ cp $PXF_CONF/templates/pxf-site.xml .
    
  4. Open the pxf-site.xml file in the editor of your choice, and update the keytab and principal property settings, if required. Specify the location of the keytab file and the Kerberos principal, substituting your realm. For example:

    <property>
        <name>pxf.service.kerberos.principal</name>
        <value>gpadmin@EXAMPLE.COM</value>
    </property>
    <property>
        <name>pxf.service.kerberos.keytab</name>
        <value>${pxf.conf}/keytabs/pxf.service.keytab</value>
    </property>
    
  5. Enable user impersonation as described in Configure PXF User Impersonation, and configure or verify Hadoop proxying for the primary component of the Kerberos principal as described in Configure Hadoop Proxying. For example, if your principal is gpadmin@EXAMPLE.COM, configure proxying for the Hadoop user gpadmin.

  6. Save the file and exit the editor.

  7. Synchronize the PXF configuration to your Greenplum Database cluster and restart PXF:

    gpadmin@master$ pxf cluster sync
    gpadmin@master$ pxf cluster restart
    
  8. Step 7 does not synchronize the keytabs in $PXF_CONF. You must distribute the keytab file to $PXF_CONF/keytabs/. Locate the keytab file, copy the file to the $PXF_CONF user configuration directory, and set required permissions. For example:

    gpadmin@gpmaster$ gpscp -f hostfile_all pxf.service.keytab =:$PXF_CONF/keytabs/
    gpadmin@gpmaster$ gpssh -f hostfile_all chmod 400 $PXF_CONF/keytabs/pxf.service.keytab
    

Configuring PXF with an MIT Kerberos KDC Server

When you configure PXF for secure HDFS using an MIT Kerberos KDC server, you will perform tasks on both the KDC server host and the Greenplum Database master host.

Perform the following steps on the MIT Kerberos KDC server host:

  1. Log in to the Kerberos KDC server as the root user.

    $ ssh root@<kdc-server>
    root@kdc-server$ 
    
  2. Distribute the /etc/krb5.conf Kerberos configuration file on the KDC server host to each segment host in your Greenplum Database cluster if not already present. For example:

    root@kdc-server$ scp /etc/krb5.conf seghost:/etc/krb5.conf
    
  3. Use the kadmin.local command to create a Kerberos PXF service principal for each Greenplum Database segment host. The service principal should be of the form gpadmin/<seghost>@<realm> where <seghost> is the DNS resolvable, fully-qualified hostname of the segment host system (output of the hostname -f command).

    For example, these commands create PXF service principals for the hosts named host1.example.com, host2.example.com, and host3.example.com in the Kerberos realm named EXAMPLE.COM:

    root@kdc-server$ kadmin.local -q "addprinc -randkey -pw changeme gpadmin/host1.example.com@EXAMPLE.COM"
    root@kdc-server$ kadmin.local -q "addprinc -randkey -pw changeme gpadmin/host2.example.com@EXAMPLE.COM"
    root@kdc-server$ kadmin.local -q "addprinc -randkey -pw changeme gpadmin/host3.example.com@EXAMPLE.COM"
    
  4. Generate a keytab file for each PXF service principal that you created in the previous step. Save the keytab files in any convenient location (this example uses the directory /etc/security/keytabs). You will deploy the keytab files to their respective Greenplum Database segment host machines in a later step. For example:

    root@kdc-server$ kadmin.local -q "xst -norandkey -k /etc/security/keytabs/pxf-host1.service.keytab gpadmin/host1.example.com@EXAMPLE.COM"
    root@kdc-server$ kadmin.local -q "xst -norandkey -k /etc/security/keytabs/pxf-host2.service.keytab gpadmin/host2.example.com@EXAMPLE.COM"
    root@kdc-server$ kadmin.local -q "xst -norandkey -k /etc/security/keytabs/pxf-host3.service.keytab gpadmin/host3.example.com@EXAMPLE.COM"
    

    Repeat the xst command as necessary to generate a keytab for each PXF service principal that you created in the previous step.

  5. List the principals. For example:

    root@kdc-server$ kadmin.local -q "listprincs"
    
  6. Copy the keytab file for each PXF service principal to its respective segment host. For example, the following commands copy each principal generated in step 4 to the PXF default keytab directory on the segment host when PXF_CONF=/usr/local/greenplum-pxf:

    root@kdc-server$ scp /etc/security/keytabs/pxf-host1.service.keytab host1.example.com:/usr/local/greenplum-pxf/keytabs/pxf.service.keytab
    root@kdc-server$ scp /etc/security/keytabs/pxf-host2.service.keytab host2.example.com:/usr/local/greenplum-pxf/keytabs/pxf.service.keytab
    root@kdc-server$ scp /etc/security/keytabs/pxf-host3.service.keytab host3.example.com:/usr/local/greenplum-pxf/keytabs/pxf.service.keytab
    

    Note the file system location of the keytab file on each PXF host; you will need this information for a later configuration step.

  7. Change the ownership and permissions on the pxf.service.keytab files. The files must be owned and readable by only the gpadmin user. For example:

    root@kdc-server$ ssh host1.example.com chown gpadmin:gpadmin /usr/local/greenplum-pxf/keytabs/pxf.service.keytab
    root@kdc-server$ ssh host1.example.com chmod 400 /usr/local/greenplum-pxf/keytabs/pxf.service.keytab
    root@kdc-server$ ssh host2.example.com chown gpadmin:gpadmin /usr/local/greenplum-pxf/keytabs/pxf.service.keytab
    root@kdc-server$ ssh host2.example.com chmod 400 /usr/local/greenplum-pxf/keytabs/pxf.service.keytab
    root@kdc-server$ ssh host3.example.com chown gpadmin:gpadmin /usr/local/greenplum-pxf/keytabs/pxf.service.keytab
    root@kdc-server$ ssh host3.example.com chmod 400 /usr/local/greenplum-pxf/keytabs/pxf.service.keytab
    

Perform the following steps on the Greenplum Database master host:

  1. Log in to the master host. For example:

    $ ssh gpadmin@<gpmaster>
    
  2. Identify the name of the PXF Hadoop server configuration that requires Kerberos access.

  3. Navigate to the server configuration directory. For example, if the server is named hdp3:

    gpadmin@gpmaster$ cd $PXF_CONF/servers/hdp3
    
  4. If the server configuration does not yet include a pxf-site.xml file, copy the template file to the directory. For example:

    gpadmin@gpmaster$ cp $PXF_CONF/templates/pxf-site.xml .
    
  5. Open the pxf-site.xml file in the editor of your choice, and update the keytab and principal property settings, if required. Specify the location of the keytab file and the Kerberos principal, substituting your realm. The default values for these settings are identified below:

    <property>
        <name>pxf.service.kerberos.principal</name>
        <value>gpadmin/_HOST@EXAMPLE.COM</value>
    </property>
    <property>
        <name>pxf.service.kerberos.keytab</name>
        <value>${pxf.conf}/keytabs/pxf.service.keytab</value>
    </property>
    

    PXF automatically replaces _HOST with the FQDN of the segment host.

  6. If you want to access Hadoop as the Greenplum Database user:

    1. Enable user impersonation as described in Configure PXF User Impersonation.
    2. Configure Hadoop proxying for the primary component of the Kerberos principal as described in Configure Hadoop Proxying. For example, if your principal is gpadmin/_HOST@EXAMPLE.COM, configure proxying for the Hadoop user gpadmin.
  7. If you want to access Hadoop using the identity of the Kerberos principal, disable user impersonation as described in Configure PXF User Impersonation.

  8. PXF ignores the pxf.service.user.name property when it uses Kerberos authentication to Hadoop. You may choose to remove this property from the pxf-site.xml file.

  9. Save the file and exit the editor.

  10. Synchronize the PXF configuration to your Greenplum Database cluster:

    gpadmin@seghost$ pxf cluster sync