Custom Security in MapR
Describes the .customSecure file and how MapR 6.x handles custom security settings.
- What is Custom Security?
- Identifying the Current Security State of the Cluster
- About the .customSecure File
- Forcing a Change to the Security Configuration
- Custom Security and the MapR Installer
- Adding a Node to a Cluster with Custom Security
- Adding a Service to a Cluster with Custom Security
In MapR 6.x, the configure.sh script detects that a cluster is in one of three security states:
| State | Description |
| --- | --- |
| Secure | The cluster is configured with the default MapR security settings. |
| Unsecure | No security settings are configured for the cluster. |
| Custom secure | The cluster has a mixture of MapR security settings and custom settings. |

Understanding how configure.sh handles custom security settings is important when you upgrade a cluster, add services, add nodes, or change security settings.
What is Custom Security?
Any change to the default MapR configuration for authentication, authorization, or encryption represents a "custom security" change. Users who make such changes are encouraged to create a .customSecure file to ensure that configure.sh does not remove these changes. Custom security changes include any change to the keystore or truststore passwords, the number of keys in those files, or the names of the keys. Other examples:
- Implementing Kerberos security
- Changing the Hive authorization model
- Changing the Oozie authorization model
Identifying the Current Security State of the Cluster
- Check the security value in the /opt/mapr/conf/mapr-clusters.conf file. For example:
    <clustername1> secure=true <CLDB> <CLDB> … <CLDB>
  For more information, see mapr-clusters.conf.
- Check for the presence of the .customSecure file:
    /opt/mapr/conf/.customSecure
  If the file is present, configure.sh treats the cluster as custom secure.
- Configuring an Oozie server to use SSL on a non-secure cluster expects that you have already configured the cluster to be custom secure.
About the .customSecure File
To ensure that configure.sh does not change any of the settings, you can create a .customSecure file. The file must be created in the following location on every node:
    /opt/mapr/conf/.customSecure
The .customSecure file does not contain any information. The presence of the file tells configure.sh that the cluster has security settings that must not be changed by configure.sh.
Typically, you create the .customSecure file manually. However, in some cases, configure.sh creates or removes the .customSecure file for you. For example, if configure.sh detects that it is being run after an upgrade from a MapR 5.x secure cluster, it creates the .customSecure file automatically. If you use the -forceSecurityDefaults option and -secure or -unsecure with configure.sh, the script removes the .customSecure file because you are forcing the removal of custom security settings.
Forcing a Change to the Security Configuration
If the cluster is custom secure (the .customSecure file is present), and you want to change to the default MapR secure or non-secure settings, you can use the -forceSecurityDefaults option of configure.sh to make the change. Note these considerations:
- Using the -forceSecurityDefaults option removes the .customSecure file. Note that you must specify the -secure or -unsecure option with -forceSecurityDefaults. Otherwise, the command will have no effect.
- The -forceSecurityDefaults option might not remove all of your custom settings. Some manual editing might be necessary to return the cluster to a usable state.
- When forcing a custom-secured cluster to be MapR secure, you still need to include other configure.sh options that are required for security. You also need to perform any steps required to add security. For example, see Enabling Wire-level Security.
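The state checks from Identifying the Current Security State of the Cluster and the -forceSecurityDefaults rules above can be combined into a pre-flight check to run on a node before configure.sh. This is an added example, not MapR code: the function names and result labels are hypothetical, and reading only the first non-blank line of mapr-clusters.conf is an assumption.

```shell
#!/bin/sh
# Added example, not MapR code. Function names and result labels are hypothetical.

# Classify a node from its conf directory (default: the path given on this page).
# Assumption: the first non-blank line of mapr-clusters.conf describes this cluster.
mapr_security_state() {
    conf_dir=${1:-/opt/mapr/conf}
    if [ -e "$conf_dir/.customSecure" ]; then
        echo custom-secure            # marker present: configure.sh leaves security alone
    elif grep -v '^[[:space:]]*$' "$conf_dir/mapr-clusters.conf" 2>/dev/null |
            head -n 1 | grep -Eq '(^|[[:space:]])secure=true([[:space:]]|$)'; then
        echo secure
    else
        echo unsecure
    fi
}

# Predict what a proposed configure.sh argument list means for custom security
# settings, using only the rules stated on this page.
customsecure_effect() {
    conf_dir=$1; shift
    force=0; mode=0
    for arg in "$@"; do
        case $arg in
            -forceSecurityDefaults) force=1 ;;
            -secure|-unsecure)      mode=1 ;;
        esac
    done
    if [ "$force" -eq 1 ] && [ "$mode" -eq 0 ]; then
        echo no-effect                # force option needs -secure or -unsecure
    elif [ "$force" -eq 1 ]; then
        echo marker-removed           # .customSecure deleted, defaults forced
    elif [ "$(mapr_security_state "$conf_dir")" = custom-secure ]; then
        echo custom-preserved
    else
        echo unprotected              # no marker: configure.sh may reset settings
    fi
}

# Constructed sample: a throwaway directory standing in for /opt/mapr/conf.
demo=$(mktemp -d)
printf 'demo.cluster secure=true cldb1:7222\n' > "$demo/mapr-clusters.conf"
mapr_security_state "$demo"
touch "$demo/.customSecure"
customsecure_effect "$demo" -R
customsecure_effect "$demo" -forceSecurityDefaults -secure
rm -rf "$demo"
```

Because the .customSecure file must exist on every node, run the check on each node rather than once per cluster.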
Custom Security and the MapR Installer
Using the MapR Installer or MapR Installer Stanzas is not supported on clusters with custom security or customized configurations.
Adding a Node to a Cluster with Custom Security
- Add the node with default MapR security as described in Adding Nodes to a Cluster.
- To support your custom security mode, copy any custom resources or settings as needed from existing nodes to the added node.
- Create the /opt/mapr/conf/.customSecure file on the added node:
    /usr/bin/touch /opt/mapr/conf/.customSecure
Adding a Service to a Cluster with Custom Security
If you add a new service (ecosystem component) to a secure or custom-secure cluster, configure.sh configures the service for MapR security automatically. If the cluster is custom secure, you need to change the security settings for the service to be compatible with the current cluster settings and restart the service. Any subsequent use of configure.sh -R will leave the customization in place.