[ ] Sets up security before accessing any Hadoop services, including FileSystem APIs
[ ] Sets up security after loading local configuration files, such as
If you try to open an
hdfs:// filesystem, an
HdfsConfiguration instance is created, which
hdfs-site.xml. To load in the Yarn settings, create an
[ ] Are tested against a secure cluster from a logged in user.
[ ] Are tested against a secure cluster from a not logged in user, and the program set up to use a keytab (if supported).
[ ] Are tested from a logged out user with a token file containing the tokens and the environment variable
HADOOP_TOKEN_FILE_LOCATION set to this file. This verifies Oozie can support it without needing
[ ] Can get tokens for all services which they may optionally need.
[ ] Don't crash on a secure cluster if the cluster filesystem does not issue tokens. That is: Kerberized clusters where the FS is something other than HDFS.
Hadoop RPC Service
[ ] Principal for Service defined. This is generally a configuration property.
SecurityInfo subclass written.
META-INF/services/org.apache.hadoop.security.SecurityInfo resource lists.
[ ] the
SecurityInfo subclass written
PolicyProvider subclass written.
[ ] RPC server handed
PolicyProvider subclass during setup.
[ ] Service verifies that caller has authorization for the action before executing it.
[ ] Service records authorization failures to audit log.
[ ] Service records successful action to audit log.
[ ] Uses
doAs() to perform operations as the user making the RPC call.
HADOOP_USER env variable set on AM launch context in insecure clusters, and in launched containers.
[ ] In secure cluster: all delegation tokens needed (HDFS, Hive, HBase, Zookeeper) created and added to launch context.
[ ] Delegation tokens extracted and saved.
[ ] When launching containers, the relevant subset of delegation tokens are passed to the containers. (This normally omits the RM/AM token).
[ ] Container Credentials are retrieved in AM and containers.
[ ] Delegation tokens revoked during (managed) teardown.
YARN Web UIs and REST endpoints
[ ] Primary Web server:
AmFilterInitializer used to redirect requests to the RM Proxy.
[ ] Other web servers: a custom authentication strategy is chosen and implemented.
[ ] A strategy for token renewal is chosen and implemented
AuthenticationFilter added to web filter chain
[ ] Token renewal policy defined and implemented. (Look at
TimelineClientImpl for an example of this)
[ ] Supports keytab login and calls
UserGroupInformation.loginUserFromKeytab(principalName, keytabFilename) during initialization.
[ ] Issues
UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab() call during connection setup/token reset. This is harmless on an insecure or non-keytab client.
[ ] Client supports Authentication Token option
[ ] Client supports Delegation Token option. (not so relevant for most YARN clients)
[ ] For Delegation-token authenticated connections, something runs in the background to regularly update delegation tokens.
[ ] Tested against secure clusters with user logged out (kdestroy).
[ ] Logs basic security operations at INFO, with detailed operations at DEBUG level.
[ ] Jersey: URL constructor handles SPNEGO Auth
[ ] Code invoking Jersey Client reacts to 401/403 exception responses when using Authentication Token by deleting creating a new Auth Token and re-issuing request. (this triggers re-authentication)
[ ] host has an IP address (
[ ] host has an FQDN:
[ ] FQDN resolves to hostname
[ ] hostname responds to pings
[ ] reverse DNS lookup of IPAddr returns hostname
[ ] clock is in sync with rest of cluster:
[ ] JVM has Java Crypto Extensions
[ ] keytab exists
[ ] keytab is readable by account running service.
[ ] keytab contains principals in listing
ktlist -kt $keytab
[ ] keytab FQDN is in entry of form