SSL Security for HttpFS
About this task
ssl_keystore and ssl_truststore, which are generated automatically for a secure cluster in /opt/mapr/conf/.
Note: When using SSL on non-secure clusters, you need to manually generate keystore and truststore.
Procedure
- To preserve the original version, rename the existing server.xml file (/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml) to server.xml.orig.
  sudo cp /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml.orig
- Replace the contents of server.xml with the contents of server.xml.https.
  sudo cp /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml.https /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml
- To enable SSL without certificate-based authentication, set the clientAuth attribute to "false" and set properties related to keystore and truststore (on a secure cluster, the defaults are already set properly) in server.xml (/opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml). For example:
  <Connector port="${httpfs.http.port}" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/opt/mapr/conf/ssl_keystore"
             keystorePass="<ssl-keystore-password>"
             truststoreFile="/opt/mapr/conf/ssl_truststore"
             truststorePass="<ssl-keystore-password>"/>
- To enable certificate-based authentication, perform the following steps:
- Restart the HttpFS server.
  maprcli node services -name httpfs -action restart -nodes <space delimited list of nodes>
- Run one of the following curl commands to check that HTTPS is enabled. These commands fetch the file some_file.txt from MapR file system under /user/mapr and attempt to open it securely over HTTPS.
  - To check if HTTPS is enabled, run the following command (which differs for non-secure and secure clusters):
    - For non-secure clusters:
      curl -k "https://localhost:14000/webhdfs/v1/user/mapr/some_file.txt?op=open&user.name=mapr"
    - For secure clusters:
      curl -u <user_name> -k "https://localhost:14000/webhdfs/v1/user/mapr/some_file.txt?op=open"
  - If you configured Hue to use SSL encryption with certificate-based authentication for communication with HttpFS, run the following command (which differs for non-secure and secure clusters):
    - For non-secure clusters:
      curl -k --cert /opt/mapr/hue/hue-<version>/cert.pem --key /opt/mapr/hue/hue-<version>/hue_private_keystore.pem "https://localhost:14000/webhdfs/v1/user/mapr/some_file.txt?op=open&user.name=mapr"
    - For secure clusters:
      curl -u <user_name> -k --cert /opt/mapr/hue/hue-<version>/cert.pem --key /opt/mapr/hue/hue-<version>/hue_private_keystore.pem "https://localhost:14000/webhdfs/v1/user/mapr/some_file.txt?op=open"
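A check that can be run over the edited server.xml before restarting HttpFS, given here as an added example that is not part of the original documentation or of MapR's tooling: it parses the file and reports, for each Connector, whether SSL is enabled and which clientAuth mode is set. The function name audit_connectors and the sample XML are constructed for illustration; port 14000 is taken from the curl commands above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Connector shown in the procedure;
# the passwords are placeholders, not values from a real cluster.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="14000" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="/opt/mapr/conf/ssl_keystore"
               keystorePass="PLACEHOLDER"
               truststoreFile="/opt/mapr/conf/ssl_truststore"
               truststorePass="PLACEHOLDER"/>
  </Service>
</Server>"""


def audit_connectors(server_xml):
    """Return one dict per <Connector>: port, clientAuth mode, findings."""
    reports = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a = conn.attrib
        findings = []
        if a.get("SSLEnabled", "false").lower() != "true":
            findings.append("SSLEnabled is not true: connector serves plain HTTP")
        else:
            if a.get("scheme") != "https" or a.get("secure", "false").lower() != "true":
                findings.append("scheme/secure do not mark the connector as HTTPS")
            if not a.get("keystoreFile"):
                findings.append("keystoreFile is not set")
        # clientAuth="false" is the SSL-only mode from the procedure;
        # any other value asks clients for a certificate.
        client_auth = a.get("clientAuth", "false").lower()
        if client_auth != "false" and not a.get("truststoreFile"):
            findings.append("clientAuth is on but truststoreFile is not set")
        reports.append({"port": a.get("port"),
                        "client_cert_auth": client_auth,
                        "findings": findings})
    return reports


if __name__ == "__main__":
    for report in audit_connectors(SAMPLE_SERVER_XML):
        print(report)
```

To audit a live node, pass the contents of /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/conf/server.xml to audit_connectors instead of the sample string.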