DEV Community

Michael
Michael

Posted on • Originally published at gbase8.cn

Configuring Kerberos Authentication for Hadoop in the GCDW Stack

When deploying GCDW (GBase Cloud Data Warehouse) with HDFS as the storage layer, a Kerberized Hadoop cluster requires specific security configuration. This guide walks through setting up Kerberos for Hadoop 3.x using the privileged port + JSVC approach, where DataNodes bind to low‑numbered ports as root and then switch to a secure user via the JSVC utility.

Choosing a Security Scheme

Hadoop offers two mutually exclusive Kerberos schemes:

  1. Privileged ports + JSVC: DataNodes use ports below 1024, started as root via JSVC, which drops privileges to HDFS_DATANODE_SECURE_USER after binding.
  2. SASL: Supported since Hadoop 2.6.0, no root or privileged ports required, but dfs.http.policy must be set to HTTPS_ONLY with SSL certificates configured.

This article implements the first scheme with HTTP access.

Environment Variables (/etc/profile)

Set Java and Hadoop paths, and explicitly run all HDFS components as root.

export JAVA_HOME=/usr/java/jdk1.8.0_202-amd64/
export HADOOP_HOME=/opt/hadoop-3.2.4
export HADOOP_CONF_DIR=$HADOOP_HOME/etc/hadoop
export PATH=$PATH:$HADOOP_HOME/bin:$HADOOP_HOME/sbin

export HDFS_DATANODE_USER=root
export HDFS_NAMENODE_USER=root
export HDFS_SECONDARYNAMENODE_USER=root
Enter fullscreen mode Exit fullscreen mode

hadoop-env.sh

Point to the JSVC installation and specify the user DataNodes should run as after binding.

export JAVA_HOME=/usr/java/jdk1.8.0_202-amd64/
export JSVC_HOME=/opt/hadoop-3.2.4/libexec
export HDFS_DATANODE_SECURE_USER=root
Enter fullscreen mode Exit fullscreen mode

core-site.xml

Enable Kerberos authentication and service‑level authorization.

<configuration>
    <property>
        <name>fs.defaultFS</name>
        <value>hdfs://hadoop141:8020</value>
    </property>
    <property>
        <name>hadoop.security.authorization</name>
        <value>true</value>
    </property>
    <property>
        <name>hadoop.security.authentication</name>
        <value>kerberos</value>
    </property>
</configuration>
Enter fullscreen mode Exit fullscreen mode

hdfs-site.xml

Configure Kerberos principals and keytab files for NameNode, DataNode, and HTTP access. Enable block access tokens, set the web policy to HTTP_ONLY, and define the privileged DataNode ports.

<configuration>
    <!-- Principals and keytabs -->
    <property>
        <name>dfs.namenode.keytab.file</name>
        <value>/opt/keytab/hdfs.keytab</value>
    </property>
    <property>
        <name>dfs.namenode.kerberos.principal</name>
        <value>hdfs/_HOST@GCDW</value>
    </property>
    <property>
        <name>dfs.datanode.keytab.file</name>
        <value>/opt/keytab/hdfs.keytab</value>
    </property>
    <property>
        <name>dfs.datanode.kerberos.principal</name>
        <value>hdfs/_HOST@GCDW</value>
    </property>
    <property>
        <name>dfs.web.authentication.kerberos.principal</name>
        <value>HTTP/_HOST@GCDW</value>
    </property>
    <property>
        <name>dfs.web.authentication.kerberos.keytab</name>
        <value>/opt/keytab/hdfs.keytab</value>
    </property>
    <!-- Security and protocols -->
    <property>
        <name>dfs.block.access.token.enable</name>
        <value>true</value>
    </property>
    <property>
        <name>dfs.http.policy</name>
        <value>HTTP_ONLY</value>
    </property>
    <!-- DataNode privileged ports (<1024) -->
    <property>
        <name>dfs.datanode.address</name>
        <value>0.0.0.0:1004</value>
    </property>
    <property>
        <name>dfs.datanode.http.address</name>
        <value>0.0.0.0:1006</value>
    </property>
</configuration>
Enter fullscreen mode Exit fullscreen mode

Key points:

  • hadoop.security.authentication=kerberos enables Kerberos (the default simple means no authentication).
  • hadoop.security.authorization=true turns on service‑level RPC authorization.
  • dfs.block.access.token.enable=true enables HDFS block access tokens for additional data security.
  • dfs.datanode.address=0.0.0.0:1004 sets the DataNode communication port to a privileged port below 1024.
  • dfs.datanode.http.address=0.0.0.0:1006 does the same for the HTTP endpoint.
  • dfs.http.policy=HTTP_ONLY keeps web access over plain HTTP. If using the SASL scheme, this must be HTTPS_ONLY.
  • The _HOST wildcard in principals automatically expands to the local hostname, simplifying multi‑node config distribution.

Building and Deploying JSVC

JSVC is part of Apache Commons Daemon and allows DataNodes to start as root, bind to privileged ports, and then drop privileges.

  1. Download commons-daemon-1.3.4-src.tar.gz, extract, and compile:
cd commons-daemon-1.3.4-src/src/native/unix/
./configure --with-java=/opt/tools/jdk1.8.0_181
make
Enter fullscreen mode Exit fullscreen mode
  1. Copy the resulting jsvc binary to Hadoop's libexec directory and replace the bundled Commons Daemon JAR with the newly compiled version.
cp jsvc /opt/hadoop-3.2.4/libexec/
rm /opt/hadoop-3.2.4/share/hadoop/hdfs/lib/commons-daemon-*.jar
cp commons-daemon-1.3.4.jar /opt/hadoop-3.2.4/share/hadoop/hdfs/lib/
Enter fullscreen mode Exit fullscreen mode

Summary

This guide configured Kerberos for a Hadoop cluster using privileged ports and JSVC, ensuring DataNodes can bind to low‑numbered ports for secure data transfer. After startup, use ps -ef | grep jsvc to verify the DataNode process (it won't appear in jps). This setup is essential for GCDW's disaggregated storage‑compute architecture when HDFS is the backing store, and it keeps your gbase database infrastructure secure and compliant.

GBASE's GCDW, as a China‑domestically developed data warehouse, integrates smoothly with a properly Kerberized Hadoop environment, enabling enterprise‑grade security for analytical workloads.

Top comments (0)