Customizing Security in MapR

Describes the .customSecure file and how MapR 6.x handles custom security settings.

NOTE: Implementing custom security is not recommended unless your installation demands it. Using the custom security option means that MapR software does not ensure that your system is secure by default, and that you need to manually perform all security configuration.

In MapR 6.x, the configure.sh script detects that a cluster is in one of three security states:

  • Secure: The cluster is configured with the default MapR security settings.
  • Unsecure: No security settings are configured for the cluster.
  • Custom secure: The cluster has a mixture of MapR security settings and custom settings.

Understanding how configure.sh handles custom security settings is important when you upgrade a cluster, add services, add nodes, or change security settings.

What is Custom Security?

Any change to the default MapR configuration for authentication, authorization, or encryption is a "custom security" change. Users who make such changes are encouraged to create a .customSecure file to ensure that configure.sh does not remove these changes. Custom security changes include any change to the keystore or truststore passwords, to the number of keys in those files, or to the names of the keys.

Other examples of custom security changes include:
  • Implementing Kerberos security
  • Changing the Hive authorization model
  • Changing the Oozie authorization model

Identifying the Current Security State of the Cluster

If the current security state of the cluster (secure, unsecure, or custom secure) is unknown, you can use one of these checks to identify which state the cluster is in:
  • Check the security value in the /opt/mapr/conf/mapr-clusters.conf file. For example:
    <clustername1> secure=true <CLDB> <CLDB> … <CLDB>

    For more information, see mapr-clusters.conf.

  • Check for the presence of the .customSecure file:
    /opt/mapr/conf/.customSecure
    If the file is present, configure.sh treats the cluster as custom secure.
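
The two checks above can be combined into one classification in which the marker file takes precedence. This is an added example, not MapR code: the function name mapr_security_state is hypothetical, the sample file contents are constructed, and it assumes that the first non-comment line of mapr-clusters.conf describes the local cluster and that an entry without secure=true is unsecure.

```shell
#!/bin/sh
# Added example (not MapR code): classify a node's security state using the
# two checks described above.
# Assumptions: the first non-comment line of mapr-clusters.conf describes the
# local cluster, and an entry without secure=true is unsecure.

mapr_security_state() {
    conf_dir="${1:-/opt/mapr/conf}"

    # The marker file wins: when it is present, configure.sh treats the
    # cluster as custom secure regardless of mapr-clusters.conf.
    if [ -e "$conf_dir/.customSecure" ]; then
        echo "custom secure"
        return 0
    fi

    if [ ! -r "$conf_dir/mapr-clusters.conf" ]; then
        echo "unknown"
        return 1
    fi

    # Match secure=true as a whole whitespace-separated field after the
    # cluster name, so a name or comment containing the string does not count.
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            state = "unsecure"
            for (i = 2; i <= NF; i++) if ($i == "secure=true") state = "secure"
            print state
            found = 1
            exit
        }
        END { if (!found) { print "unknown"; exit 1 } }
    ' "$conf_dir/mapr-clusters.conf"
}

# Constructed sample input: a throwaway conf directory, so this runs offline.
demo_dir=$(mktemp -d)
printf '# constructed sample\ndemo.cluster secure=true cldb1:7222 cldb2:7222\n' \
    > "$demo_dir/mapr-clusters.conf"
echo "before marker: $(mapr_security_state "$demo_dir")"
touch "$demo_dir/.customSecure"
echo "after marker:  $(mapr_security_state "$demo_dir")"
rm -rf "$demo_dir"
```

On a cluster node, call mapr_security_state with no argument to read /opt/mapr/conf. Running it on every node and comparing the results shows any node where the marker file is missing.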

About the .customSecure File

If you customized the security settings for the cluster and you want to ensure that configure.sh does not change any of the settings, create a .customSecure file. Create the file in the following location on every node:
/opt/mapr/conf/.customSecure

The .customSecure file does not contain any information. The presence of the file tells configure.sh that the cluster has security settings that must not be changed by configure.sh.

Typically, you create the .customSecure file manually. However, in some cases, configure.sh creates or removes the .customSecure file for you. For example, if configure.sh detects that it is being run after an upgrade from a MapR 5.x secure cluster, it creates the .customSecure file automatically. If you use the -forceSecurityDefaults option and -secure or -unsecure with configure.sh, the script removes the .customSecure file because you are forcing the removal of custom security settings.

Forcing a Change to the Security Configuration

If your MapR 6.x cluster has custom security settings (the .customSecure file is present), and you want to change to the default MapR secure or non-secure settings, use the -forceSecurityDefaults option of configure.sh to make the change. Note these considerations:
  • Using the -forceSecurityDefaults option removes the .customSecure file. You must specify the -secure or -unsecure option with -forceSecurityDefaults. Otherwise, the command will have no effect.
  • The -forceSecurityDefaults option might not remove all custom settings. Some manual editing might be necessary to return the cluster to a usable state.
  • If you are forcing a custom-secured cluster to be MapR secure, you still must include other configure.sh options that are required for security. You must perform any steps required to add security. For example, see Enabling Wire-level Security.

Custom Security and the MapR Installer

Using the MapR Installer or MapR Installer Stanzas is not supported on clusters with custom security or customized configurations.

Adding a Node to a Cluster with Custom Security

Adding a node to a cluster with custom security is similar to adding a node to a cluster with MapR security, but there are some additional steps:
  1. Add the node with default MapR security as described in Adding Nodes to a Cluster.
  2. To support your custom security mode, copy any custom resources or settings as needed from existing nodes to the added node.
  3. Create the /opt/mapr/conf/.customSecure file on the added node:
    /usr/bin/touch /opt/mapr/conf/.customSecure

Adding a Service to a Cluster with Custom Security

If you add a new service (ecosystem component) to a secure or custom-secure cluster, configure.sh configures the service for MapR security automatically. If the cluster is custom secure, you need to change the security settings for the service to be compatible with the current cluster settings and restart the service. Any subsequent use of configure.sh -R will leave the customization in place.