When deploying GCDW (GBase Cloud Data Warehouse) with HDFS as the storage layer, a Kerberized Hadoop cluster requires specific security configuration. This guide walks through setting up Kerberos for Hadoop 3.x using the privileged port + JSVC approach, where DataNodes bind to low‑numbered ports as root and then switch to a secure user via the JSVC utility.
Choosing a Security Scheme
Hadoop offers two mutually exclusive Kerberos schemes:
-
Privileged ports + JSVC: DataNodes use ports below 1024, started as root via JSVC, which drops privileges to
HDFS_DATANODE_SECURE_USERafter binding. -
SASL: Supported since Hadoop 2.6.0, no root or privileged ports required, but
dfs.http.policymust be set toHTTPS_ONLYwith SSL certificates configured.
This article implements the first scheme with HTTP access.
Environment Variables (/etc/profile)
Set Java and Hadoop paths, and explicitly run all HDFS components as root.
export JAVA_HOME=/usr/java/jdk1.8.0_202-amd64/
export HADOOP_HOME=/opt/hadoop-3.2.4
export HADOOP_CONF_DIR=$HADOOP_HOME/etc/hadoop
export PATH=$PATH:$HADOOP_HOME/bin:$HADOOP_HOME/sbin
export HDFS_DATANODE_USER=root
export HDFS_NAMENODE_USER=root
export HDFS_SECONDARYNAMENODE_USER=root
hadoop-env.sh
Point to the JSVC installation and specify the user DataNodes should run as after binding.
export JAVA_HOME=/usr/java/jdk1.8.0_202-amd64/
export JSVC_HOME=/opt/hadoop-3.2.4/libexec
export HDFS_DATANODE_SECURE_USER=root
core-site.xml
Enable Kerberos authentication and service‑level authorization.
<configuration>
<property>
<name>fs.defaultFS</name>
<value>hdfs://hadoop141:8020</value>
</property>
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
</configuration>
hdfs-site.xml
Configure Kerberos principals and keytab files for NameNode, DataNode, and HTTP access. Enable block access tokens, set the web policy to HTTP_ONLY, and define the privileged DataNode ports.
<configuration>
<!-- Principals and keytabs -->
<property>
<name>dfs.namenode.keytab.file</name>
<value>/opt/keytab/hdfs.keytab</value>
</property>
<property>
<name>dfs.namenode.kerberos.principal</name>
<value>hdfs/_HOST@GCDW</value>
</property>
<property>
<name>dfs.datanode.keytab.file</name>
<value>/opt/keytab/hdfs.keytab</value>
</property>
<property>
<name>dfs.datanode.kerberos.principal</name>
<value>hdfs/_HOST@GCDW</value>
</property>
<property>
<name>dfs.web.authentication.kerberos.principal</name>
<value>HTTP/_HOST@GCDW</value>
</property>
<property>
<name>dfs.web.authentication.kerberos.keytab</name>
<value>/opt/keytab/hdfs.keytab</value>
</property>
<!-- Security and protocols -->
<property>
<name>dfs.block.access.token.enable</name>
<value>true</value>
</property>
<property>
<name>dfs.http.policy</name>
<value>HTTP_ONLY</value>
</property>
<!-- DataNode privileged ports (<1024) -->
<property>
<name>dfs.datanode.address</name>
<value>0.0.0.0:1004</value>
</property>
<property>
<name>dfs.datanode.http.address</name>
<value>0.0.0.0:1006</value>
</property>
</configuration>
Key points:
-
hadoop.security.authentication=kerberosenables Kerberos (the defaultsimplemeans no authentication). -
hadoop.security.authorization=trueturns on service‑level RPC authorization. -
dfs.block.access.token.enable=trueenables HDFS block access tokens for additional data security. -
dfs.datanode.address=0.0.0.0:1004sets the DataNode communication port to a privileged port below 1024. -
dfs.datanode.http.address=0.0.0.0:1006does the same for the HTTP endpoint. -
dfs.http.policy=HTTP_ONLYkeeps web access over plain HTTP. If using the SASL scheme, this must beHTTPS_ONLY. - The
_HOSTwildcard in principals automatically expands to the local hostname, simplifying multi‑node config distribution.
Building and Deploying JSVC
JSVC is part of Apache Commons Daemon and allows DataNodes to start as root, bind to privileged ports, and then drop privileges.
- Download
commons-daemon-1.3.4-src.tar.gz, extract, and compile:
cd commons-daemon-1.3.4-src/src/native/unix/
./configure --with-java=/opt/tools/jdk1.8.0_181
make
- Copy the resulting
jsvcbinary to Hadoop'slibexecdirectory and replace the bundled Commons Daemon JAR with the newly compiled version.
cp jsvc /opt/hadoop-3.2.4/libexec/
rm /opt/hadoop-3.2.4/share/hadoop/hdfs/lib/commons-daemon-*.jar
cp commons-daemon-1.3.4.jar /opt/hadoop-3.2.4/share/hadoop/hdfs/lib/
Summary
This guide configured Kerberos for a Hadoop cluster using privileged ports and JSVC, ensuring DataNodes can bind to low‑numbered ports for secure data transfer. After startup, use ps -ef | grep jsvc to verify the DataNode process (it won't appear in jps). This setup is essential for GCDW's disaggregated storage‑compute architecture when HDFS is the backing store, and it keeps your gbase database infrastructure secure and compliant.
GBASE's GCDW, as a China‑domestically developed data warehouse, integrates smoothly with a properly Kerberized Hadoop environment, enabling enterprise‑grade security for analytical workloads.
Top comments (0)