This section describes how to configure the Designer Cloud Powered by Trifacta® platform for integration with the KMS system for the Hortonworks Data Platform. It assumes that access to the cluster is gated by Ranger.
Before you begin, please verify the prerequisites. See Configure for KMS.
Configure Hadoop Cluster
NOTE: These changes should be applied through the management console for the Hadoop cluster before pushing the client configuration files to the nodes of the cluster.

In the following sections:

[hadoop.user (default=trifacta)] - the user ID used to access the cluster component
[hadoop.group (default=trifactausers)] - the group of the user accessing the cluster component

Add Alteryx user properties to KMS site file

In Ambari on the Hortonworks cluster, navigate to Configs > Advanced > kms-site. Add the following properties:
<property>
<name>hadoop.kms.proxyuser.[hadoop.user].users</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.[hadoop.user].groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.[hadoop.user].hosts</name>
<value>*</value>
</property>
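For example, with the default hadoop.user value of trifacta, the first of these properties would read as follows; substitute your actual service user if it differs:
<property>
<name>hadoop.kms.proxyuser.trifacta.users</name>
<value>*</value>
</property>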
Configuration for Ranger

If you are using Ranger's Key Management System, additional configuration is required.

NOTE: These changes apply to the Hortonworks cluster only. Make changes through Ambari; avoid editing configuration files directly. Configuration files do not need to be shared with the Designer Cloud Powered by Trifacta platform.

KMS Configuration for Hive

If you are using Hive, please add the Hive users and groups information to kms-site.xml:

<property>
<name>hadoop.kms.proxyuser.[hadoop.user].users</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.[hadoop.user].groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.[hadoop.user].hosts</name>
<value>*</value>
</property>
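For example, if the Hive service in your deployment runs as the hive user (an assumption; verify against your cluster), the Hive entries might look like the following:
<property>
<name>hadoop.kms.proxyuser.hive.users</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.hive.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.hive.hosts</name>
<value>*</value>
</property>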
Verify Kerberos authentication for KMS

If Kerberos is deployed, edit kms-site.xml and verify the following properties:

<property>
<name>hadoop.kms.authentication.type</name>
<value>kerberos</value>
<description> Authentication type for the KMS. Can be either "simple" or "kerberos".</description>
</property>
<property>
<name>hadoop.kms.authentication.kerberos.keytab</name>
<value>/etc/security/keytabs/spnego.service.keytab</value>
<description> Path to the keytab with credentials for the configured Kerberos principal.</description>
</property>
<property>
<name>hadoop.kms.authentication.kerberos.principal</name>
<value>HTTP/FQDN for KMS host@YOUR HADOOP REALM</value>
<description> The Kerberos principal to use for the HTTP endpoint. The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO specification.</description>
</property>
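For example, if the KMS host is kms.example.com and the Hadoop Kerberos realm is EXAMPLE.COM (hypothetical values), the principal property might look like this:
<property>
<name>hadoop.kms.authentication.kerberos.principal</name>
<value>HTTP/kms.example.com@EXAMPLE.COM</value>
</property>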
Verify users for KMS

If you are using Kerberos KMS authentication, verify the following properties in kms-site.xml:

<property>
<name>hadoop.kms.proxyuser.hdfs.users</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.hdfs.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.kms.proxyuser.hdfs.hosts</name>
<value>*</value>
</property>
Configure connection to the KMS node

NOTE: The following changes need to be applied to the Hortonworks cluster configuration files and then shared with the Alteryx node. For more information on the files required by the platform, see Configure for Hadoop.

Changes to core-site.xml for KMS

Edit core-site.xml and make the following change:

hadoop.security.key.provider.path=kms://http@<KMS_HOST>:9292/kms
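In XML form, this setting in core-site.xml might look like the following sketch, where <KMS_HOST> is a placeholder for your KMS host:
<property>
<name>hadoop.security.key.provider.path</name>
<value>kms://http@<KMS_HOST>:9292/kms</value>
</property>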
Changes to hdfs-site.xml for KMS

Edit hdfs-site.xml and make the following change:

dfs.encryption.key.provider.uri=kms://http@<KMS_HOST>:9292/kms
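Similarly, a sketch of the corresponding hdfs-site.xml entry:
<property>
<name>dfs.encryption.key.provider.uri</name>
<value>kms://http@<KMS_HOST>:9292/kms</value>
</property>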
Changes to dbks-site.xml for KMS

NOTE: The following change is required only if Ranger's KMS system is enabled. If so, this change enables access to files that are stored in secured folders.

Edit dbks-site.xml and make the following change:

update property hadoop.kms.blacklist.DECRYPT_EEK='-'

NOTE: If the existing value is hdfs, you may leave it as-is.

Save the files.
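For reference, once updated, the blacklist property in dbks-site.xml might look like the following sketch:
<property>
<name>hadoop.kms.blacklist.DECRYPT_EEK</name>
<value>-</value>
</property>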
Validate
After the configuration is complete, you can try to import a dataset from a source stored in a cluster location managed by KMS, assuming that any required authentication configuration has been completed. See Import Data Page.
For more information, see Configure Hadoop Authentication.