When Kerberos is activated for your HDFS filesystem, the PXF Service, as an HDFS client, requires a principal and keytab file to authenticate access to HDFS. To read or write files on a secure HDFS, you must create and deploy Kerberos principals and keytabs for PXF, and ensure that Kerberos authentication is activated and functioning.

PXF accesses a secured Hadoop cluster on behalf of Greenplum Database end users. Impersonation is a way to present a Greenplum end user identity to a remote system. You can achieve this on a secured Hadoop cluster with PXF by configuring a Hadoop proxy user or using Kerberos constrained delegation.

The identity with which PXF accesses a Kerberos-secured Hadoop depends on the settings of the following properties:

You configure these setting for a Hadoop PXF server via the pxf-site.xml configuration file. Refer to About the pxf-site.xml Configuration File for more information about the configuration properties in this file.

Note: PXF supports simultaneous access to multiple Kerberos-secured Hadoop clusters.

About Kerberos Constrained Delegation

Kerberos constrained delegation is a feature that allows an administrator to specify trust boundaries that restrict the scope of where an application can act on behalf of a user. You may choose to configure PXF to use Kerberos constrained delegation when you want to manage user impersonation privileges in a directory service without the need to specify a proxy Hadoop user. Refer to the Microsoft Service for User (S4U) Kerberos protocol extension documentation for more information about Kerberos constrained delegation.

When your AD or IPA server is configured appropriately and you activate Kerberos constrained delegation for PXF, the PXF service requests and obtains a Kerberos ticket on behalf of the user, and uses the ticket to access the HDFS file system. PXF caches the ticket for one day.

PXF supports Kerberos Constrained Delegation only when you use the hdfs:* or hive:* profiles to access data residing in a Kerberos-secured Hadoop cluster.

By default, Kerberos constrained delegation is deactivated for PXF. To activate Kerberos constrained delegation for a specific PXF server, you must set pxf.service.kerberos-constrained.delegation to true in the server’s pxf-site.xml configuration file.

Prerequisites

Before you configure PXF for access to a secure HDFS filesystem, ensure that you have:

• Identified whether or not you plan to have PXF use Kerberos constrained delegation to access Hadoop.

• Configured a PXF server for the Hadoop cluster, and can identify the server configuration name.

• Configured and started PXF as described in Configuring PXF.

• Verified that Kerberos is activated for your Hadoop cluster.

• Verified that the HDFS configuration parameter dfs.block.access.token.enable is set to true. You can find this setting in the hdfs-site.xml configuration file on a host in your Hadoop cluster.

• Noted the host name or IP address of each Greenplum Database host (<gphost>) and the Kerberos Key Distribution Center (KDC) <kdc-server> host.

• Noted the name of the Kerberos <realm> in which your cluster resides.

• Installed the Kerberos client packages on each Greenplum Database host if they are not already installed. You must have superuser permissions to install operating system packages. For example:

  root@gphost$ rpm -qa | grep krb
  root@gphost$ yum install krb5-libs krb5-workstation
  

Ensure that you meet these additional prerequisites when PXF uses Kerberos constrained delegation:

• S4U is activated in the AD or IPA server.

• The AD or IPA server is configured to allow the PXF Kerberos principal to impersonate end users.

Use Cases and Configuration Scenarios

The following scenarios describe the use cases and configuration required when you use PXF to access a Kerberos-secured Hadoop cluster.

Note: These scenarios assume that gpadmin is the PXF process owner.

Accessing Hadoop as the Greenplum User

Proxied by the Kerberos Principal

In this configuration, PXF accesses Hadoop as the Greenplum user proxied by the Kerberos principal. The Kerberos principal is the Hadoop proxy user and accesses Hadoop as the Greenplum user.

This is the default configuration for a Hadoop PXF server.

The following table identifies the impersonation and service user settings, and the PXF and Hadoop configuration required for this use case:

Using Kerberos Constrained Delegation

In this configuration, PXF uses Kerberos constrained delegation to request and obtain a ticket on behalf of the Greenplum user, and uses the ticket to access Hadoop.

The following table identifies the impersonation and service user settings, and the PXF and directory service configuration required for this use case; no Hadoop configuration is required:

Accessing Hadoop as the Kerberos Principal

In this configuration, PXF accesses Hadoop as the Kerberos principal. A query initiated by any Greenplum user appears on the Hadoop side as originating from the Kerberos principal.

The following table identifies the impersonation and service user settings, and the PXF and Hadoop configuration required for this use case:

Accessing Hadoop as a <custom> User

Proxied by the Kerberos Principal

In this configuration, PXF accesses Hadoop as a <custom> user (for example, hive). The Kerberos principal is the Hadoop proxy user. A query initiated by any Greenplum user appears on the Hadoop side as originating from the <custom> user.

The following table identifies the impersonation and service user settings, and the PXF and Hadoop configuration required for this use case:

Note: PXF does not support accessing a Kerberos-secured Hadoop cluster with a <custom> user impersonating Greenplum users. PXF requires that you impersonate Greenplum users using the Kerberos principal.

Using Kerberos Constrained Delegation

In this configuration, PXF uses Kerberos constrained delegation to request and obtain a ticket on behalf of a <custom> user, and uses the ticket to access Hadoop.

The following table identifies the impersonation and service user settings, and the PXF and directory service configuration required for this use case; no Hadoop configuration is required:

Procedures

There are different procedures for configuring PXF for secure HDFS with a Microsoft Active Directory KDC Server vs. with an MIT Kerberos KDC Server.

Configuring PXF with a Microsoft Active Directory Kerberos KDC Server

When you configure PXF for secure HDFS using an AD Kerberos KDC server, you will perform tasks on both the KDC server host and the Greenplum Database master host.

Perform the following steps to configure the Active Directory domain controller:

1. Start Active Directory Users and Computers.
2. Expand the forest domain and the top-level UNIX organizational unit that describes your Greenplum user domain.
3. Select Service Accounts, right-click, then select New->User.
4. Type a name, for example: ServiceGreenplumPROD1, and change the login name to gpadmin. Note that the login name should be in compliance with POSIX standard and match hadoop.proxyuser.<name>.hosts/groups in the Hadoop core-site.xml and the Kerberos principal.
5. Type and confirm the Active Directory service account password. Select the User cannot change password and Password never expires check boxes, then click Next. For security reasons, if you can’t have Password never expires checked, you will need to generate new keytab file (step 7) every time you change the password of the service account.
6. Click Finish to complete the creation of the new user principal.

7. Open Powershell or a command prompt and run the ktpass command to generate the keytab file. For example:

   powershell#>ktpass -out pxf.service.keytab -princ gpadmin@EXAMPLE.COM -mapUser ServiceGreenplumPROD1 -pass ******* -crypto all -ptype KRB5_NT_PRINCIPAL
   

   With Active Directory, the principal and the keytab file are shared by all Greenplum Database hosts.

8. Copy the pxf.service.keytab file to the Greenplum master host.

Perform the following procedure on the Greenplum Database master host:

1. Log in to the Greenplum Database master host. For example:

   $ ssh gpadmin@<gpmaster>
   

2. Identify the name of the PXF Hadoop server configuration, and navigate to the server configuration directory. For example, if the server is named hdp3:

   gpadmin@gpmaster$ cd $PXF_BASE/servers/hdp3
   

3. If the server configuration does not yet include a pxf-site.xml file, copy the template file to the directory. For example:

   gpadmin@gpmaster$ cp <PXF_INSTALL_DIR>/templates/pxf-site.xml .
   

4. Open the pxf-site.xml file in the editor of your choice, and update the keytab and principal property settings, if required. Specify the location of the keytab file and the Kerberos principal, substituting your realm. For example:

   <property>
       <name>pxf.service.kerberos.principal</name>
       <value>gpadmin@EXAMPLE.COM</value>
   </property>
   <property>
       <name>pxf.service.kerberos.keytab</name>
       <value>${pxf.conf}/keytabs/pxf.service.keytab</value>
   </property>
   

5. Save the file and exit the editor.

6. Synchronize the keytabs in $PXF_BASE. You must distribute the keytab file to $PXF_BASE/keytabs/. Locate the keytab file, copy the file to the $PXF_BASE runtime configuration directory, and set required permissions. For example:

   gpadmin@gpmaster$ gpscp -f hostfile_all pxf.service.keytab =:$PXF_BASE/keytabs/
   gpadmin@gpmaster$ gpssh -f hostfile_all chmod 400 $PXF_BASE/keytabs/pxf.service.keytab
   

7. Complete the PXF Configuration based on your chosen Hadoop access scenario.

Configuring PXF with an MIT Kerberos KDC Server

When you configure PXF for secure HDFS using an MIT Kerberos KDC server, you will perform tasks on both the KDC server host and the Greenplum Database master host.

Perform the following steps on the MIT Kerberos KDC server host:

1. Log in to the Kerberos KDC server as the root user.

   $ ssh root@<kdc-server>
   root@kdc-server$ 
   

2. Distribute the /etc/krb5.conf Kerberos configuration file on the KDC server host to each host in your Greenplum Database cluster if not already present. For example:

   root@kdc-server$ scp /etc/krb5.conf <gphost>:/etc/krb5.conf
   

3. Use the kadmin.local command to create a Kerberos PXF Service principal for each Greenplum Database host. The service principal should be of the form gpadmin/<gphost>@<realm> where <gphost> is the DNS resolvable, fully-qualified hostname of the host system (output of the hostname -f command).

   For example, these commands create Kerberos PXF Service principals for the hosts named host1.example.com, host2.example.com, and host3.example.com in the Kerberos realm named EXAMPLE.COM:

   root@kdc-server$ kadmin.local -q "addprinc -randkey -pw changeme gpadmin/host1.example.com@EXAMPLE.COM"
   root@kdc-server$ kadmin.local -q "addprinc -randkey -pw changeme gpadmin/host2.example.com@EXAMPLE.COM"
   root@kdc-server$ kadmin.local -q "addprinc -randkey -pw changeme gpadmin/host3.example.com@EXAMPLE.COM"
   

4. Generate a keytab file for each PXF Service principal that you created in the previous step. Save the keytab files in any convenient location (this example uses the directory /etc/security/keytabs). You will deploy the keytab files to their respective Greenplum Database host machines in a later step. For example:

   root@kdc-server$ kadmin.local -q "xst -norandkey -k /etc/security/keytabs/pxf-host1.service.keytab gpadmin/host1.example.com@EXAMPLE.COM"
   root@kdc-server$ kadmin.local -q "xst -norandkey -k /etc/security/keytabs/pxf-host2.service.keytab gpadmin/host2.example.com@EXAMPLE.COM"
   root@kdc-server$ kadmin.local -q "xst -norandkey -k /etc/security/keytabs/pxf-host3.service.keytab gpadmin/host3.example.com@EXAMPLE.COM"
   

   Repeat the xst command as necessary to generate a keytab for each PXF Service principal that you created in the previous step.

5. List the principals. For example:

   root@kdc-server$ kadmin.local -q "listprincs"
   

6. Copy the keytab file for each PXF Service principal to its respective host. For example, the following commands copy each principal generated in step 4 to the PXF default keytab directory on the host when PXF_BASE=/usr/local/pxf-gp6:

   root@kdc-server$ scp /etc/security/keytabs/pxf-host1.service.keytab host1.example.com:/usr/local/pxf-gp6/keytabs/pxf.service.keytab
   root@kdc-server$ scp /etc/security/keytabs/pxf-host2.service.keytab host2.example.com:/usr/local/pxf-gp6/keytabs/pxf.service.keytab
   root@kdc-server$ scp /etc/security/keytabs/pxf-host3.service.keytab host3.example.com:/usr/local/pxf-gp6/keytabs/pxf.service.keytab
   

   Note the file system location of the keytab file on each PXF host; you will need this information for a later configuration step.

7. Change the ownership and permissions on the pxf.service.keytab files. The files must be owned and readable by only the gpadmin user. For example:

   root@kdc-server$ ssh host1.example.com chown gpadmin:gpadmin /usr/local/pxf-gp6/keytabs/pxf.service.keytab
   root@kdc-server$ ssh host1.example.com chmod 400 /usr/local/pxf-gp6/keytabs/pxf.service.keytab
   root@kdc-server$ ssh host2.example.com chown gpadmin:gpadmin /usr/local/pxf-gp6/keytabs/pxf.service.keytab
   root@kdc-server$ ssh host2.example.com chmod 400 /usr/local/pxf-gp6/keytabs/pxf.service.keytab
   root@kdc-server$ ssh host3.example.com chown gpadmin:gpadmin /usr/local/pxf-gp6/keytabs/pxf.service.keytab
   root@kdc-server$ ssh host3.example.com chmod 400 /usr/local/pxf-gp6/keytabs/pxf.service.keytab
   

Perform the following steps on the Greenplum Database master host:

1. Log in to the master host. For example:

   $ ssh gpadmin@<gpmaster>
   

2. Identify the name of the PXF Hadoop server configuration that requires Kerberos access.

3. Navigate to the server configuration directory. For example, if the server is named hdp3:

   gpadmin@gpmaster$ cd $PXF_BASE/servers/hdp3
   

4. If the server configuration does not yet include a pxf-site.xml file, copy the template file to the directory. For example:

   gpadmin@gpmaster$ cp <PXF_INSTALL_DIR>/templates/pxf-site.xml .
   

5. Open the pxf-site.xml file in the editor of your choice, and update the keytab and principal property settings, if required. Specify the location of the keytab file and the Kerberos principal, substituting your realm. The default values for these settings are identified below:

   <property>
       <name>pxf.service.kerberos.principal</name>
       <value>gpadmin/_HOST@EXAMPLE.COM</value>
   </property>
   <property>
       <name>pxf.service.kerberos.keytab</name>
       <value>${pxf.conf}/keytabs/pxf.service.keytab</value>
   </property>
   

   PXF automatically replaces _HOST with the FQDN of the host.

6. Complete the PXF Configuration based on your chosen Hadoop access scenario.

Completing the PXF Configuration

On the Greenplum Database master host, complete the configuration of the PXF server based on your chosen Hadoop access scenario. Choose one, as these are mutually exclusive:

1. If you want to access Hadoop as the Greenplum Database user:

   1. Activate user impersonation as described in Configure PXF User Impersonation (this is the default setting).
   2. If you want to use Kerberos constrained delegation, activate it for the server, and configure AD or IPA to provide the PXF Kerberos principal with the delegation rights for the Greenplum end users.
   3. If you did not activate Kerberos constrained delegation, configure Hadoop proxying for the primary component of the Kerberos principal as described in Configure Hadoop Proxying. For example, if your principal is gpadmin/_HOST@EXAMPLE.COM, configure proxying for the Hadoop user gpadmin.

2. If you want to access Hadoop using the identity of the Kerberos principal, deactivate user impersonation as described in Configure PXF User Impersonation.

3. If you want to access Hadoop as a custom user:

   1. Deactivate user impersonation as described in Configure PXF User Impersonation.
   2. Configure the custom user name as described in Configure the Hadoop User.
   3. If you want to use Kerberos constrained delegation, activate it for the server, and configure AD or IPA to provide the PXF Kerberos principal with the delegation rights for the custom user.
   4. If you did not activate Kerberos constrained delegation, configure Hadoop proxying for the primary component of the Kerberos principal as described in Configure Hadoop Proxying. For example, if your principal is gpadmin/_HOST@EXAMPLE.COM, configure proxying for the Hadoop user gpadmin.

4. Synchronize the PXF configuration to your Greenplum Database cluster:

   gpadmin@gpmaster$ pxf cluster sync
   

Activating Kerberos Constrained Delegation

By default, Kerberos constrained delegation is deactivated for PXF. Perform the following procedure to configure Kerberos constrained delegation for a PXF server:

1. Log in to your Greenplum Database master host as the administrative user:

   $ ssh gpadmin@<gpmaster>
   

2. Identify the name of the Hadoop PXF server configuration that you want to update.

3. Navigate to the server configuration directory. For example, if the server is named hdp3:

   gpadmin@gpmaster$ cd $PXF_BASE/servers/hdp3
   

4. If the server configuration does not yet include a pxf-site.xml file, copy the template file to the directory. For example:

   gpadmin@gpmaster$ cp <PXF_INSTALL_DIR>/templates/pxf-site.xml .
   

5. Open the pxf-site.xml file in the editor of your choice, locate the pxf.service.kerberos-constrained.delegation property, and set it as follows:

   <property>
       <name>pxf.service.kerberos-constrained.delegation</name>
       <value>true</value>
   </property>
   

6. Save the pxf-site.xml file and exit the editor.

7. Use the pxf cluster sync command to synchronize the PXF Hadoop server configuration to your Greenplum Database cluster:

   gpadmin@gpmaster$ pxf cluster sync