Enabling SSL Security for HttpFS with Credential Provider
Starting from EEP-7.1.0, you can enable SSL security
for HttpFS with credential provider. The CredentialProvider API is used to separate the
use of sensitive tokens, secrets, and passwords from the applications. hadoop
credential create
command is used to provision a password to a particular
credential store provider.
About this task
Procedure
-
Enable SSL in
etc/hadoop/httpfs-site.xml
configuration file:<property> <name>httpfs.ssl.enabled</name> <value>true</value> <description> Whether SSL is enabled. Default is false, i.e. disabled. </description> </property>
-
Use the credential provider to create secure SSL passwords:
hadoop credential create ssl.server.keystore.password -value 123 \ -provider localjceks://file/home/mapr/httpfs.jceks
hadoop credential create ssl.server.keystore.keypassword -value 123 \ -provider localjceks://file/home/mapr/httpfs_keypassword.jceks
-
Run the Java
keytool
command to create an SSL certificate for the HttpFS server:keytool -genkey -alias jetty -keyalg RSA
You will be prompted to answer a series of questions to create a keystore file named.keystore
.- You must enter the same password for “keystore password” as the
value of the property
ssl.server.keystore.password
set while creating secure SSL passwords. - You must answer “What is your first and last name?” (i.e. “CN”) with the host name of the machine where the HttpFS Server will be running.
The
.keystore
file will be stored in the HttpFS user home directory. - You must enter the same password for “keystore password” as the
value of the property
-
Configure the
etc/hadoop/ssl-server.xml
file to set the SSLkeystore
location:<property> <name>ssl.server.keystore.location</name> <value>/home/mapr/.keystore</value> <description>Keystore to be used. Must be specified. </description> </property>
-
Configure the
etc/hadoop/httpfs-site.xml
file with the following property to set credential provider path and enable the credential provider:<property> <name>hadoop.security.credential.provider.path</name> <value>localjceks://file/home/lmccay/aws.jceks</value> <description>Path to interrogate for protected credentials.</description> </property>
-
Restart the HttpFS server:
maprcli node services -action restart -name httpfs -nodes <node>