Use secure impersonation with Hortonworks
This article explains how to configure the Pentaho Server to connect to a Hortonworks Hadoop 2.5 cluster to use secure impersonation. For an overview of secure impersonation, refer to Setting Up Big Data Security. The following sections will guide you through the setup and configuration process:
- Prerequisites
- Parameter configuration
- Configuring MapReduce Jobs (Windows-only)
- Next steps
Prerequisites
The following requirements must be met to use secure impersonation:
- The cluster must be secured with Kerberos, and the Kerberos server used by the cluster must be accessible to the Pentaho Server.
- The Pentaho computer must have Kerberos installed and configured as explained in Set Up Kerberos for Pentaho.
- Pentaho shims for client and server must be configured for each component as explained in Edit Secured Cluster Configuration Properties.
Parameter configuration
To configure the cluster for secure impersonation, stop the Pentaho Server and complete the following steps:
Procedure
Navigate to the pentaho-server\pentaho-solutions\system\kettle\plugins\pentaho-big-data-plugin\hadoop-configurations\hdp25 folder and open the config.properties file with a text editor.
Modify the config.properties file with the values in the following table:
| Parameter | Value |
| --- | --- |
| pentaho.authentication.default.kerberos.principal | exampleUser@EXAMPLE.COM |
| pentaho.authentication.default.kerberos.keytabLocation | Set the Kerberos keytab. You only need to set the password or the keytab, not both. |
| pentaho.authentication.default.kerberos.password | Set the Kerberos password. You only need to set the password or the keytab, not both. |
| pentaho.authentication.default.mapping.impersonation.type | simple |
| pentaho.authentication.default.mapping.server.credentials.kerberos.principal | exampleUser@EXAMPLE.COM |
| pentaho.authentication.default.mapping.server.credentials.kerberos.keytabLocation | You only need to set the password or the keytab, not both. |
| pentaho.authentication.default.mapping.server.credentials.kerberos.password | You only need to set the password or the keytab, not both. |
| pentaho.oozie.proxy.user | Add the proxy user's name if you plan to access the Oozie service through a proxy. Otherwise, leave it set to oozie. |

In this table, exampleUser@EXAMPLE.COM is provided as a sample of how you would specify your proxy user. If you have key-value pairs in your existing config.properties file that are not security related, merge those settings into the file.
Save and close the config.properties file.
Copy the config.properties file to the following folders:
- design-tools/report-designer/plugins/pentaho-big-data-plugin/hadoop-configurations/hdp25/config.properties
- design-tools/metadata-editor/plugins/pentaho-big-data-plugin/hadoop-configurations/hdp25/config.properties
- design-tools/data-integration/plugins/pentaho-big-data-plugin/hadoop-configurations/hdp25/config.properties
Restart the Pentaho Server.
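The following check is an added example, not part of Pentaho or the original article: it parses config.properties text and reports settings that do not match the table above, and it can confirm that the copied files still hold the same settings. The function names, the keytab path, and the sample file content are constructed for illustration, and the parser assumes plain key=value lines.

```python
# Added example: sanity-check the hdp25 config.properties (names and sample are constructed).
PREFIXES = (
    "pentaho.authentication.default.kerberos",
    "pentaho.authentication.default.mapping.server.credentials.kerberos",
)
IMPERSONATION_KEY = "pentaho.authentication.default.mapping.impersonation.type"

def parse_properties(text):
    """Parse simple key=value lines, skipping blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_config(props):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    for prefix in PREFIXES:
        if not props.get(prefix + ".principal"):
            findings.append(f"{prefix}.principal is not set")
        keytab = props.get(prefix + ".keytabLocation")
        password = props.get(prefix + ".password")
        if not keytab and not password:
            findings.append(f"{prefix}: set keytabLocation or password")
        elif keytab and password:
            findings.append(f"{prefix}: keytabLocation and password both set; only one is needed")
    if props.get(IMPERSONATION_KEY) != "simple":
        findings.append(f"{IMPERSONATION_KEY}: expected 'simple' for this setup")
    return findings

def copies_differ(texts):
    """True if the copied config.properties files do not hold the same settings."""
    parsed = [parse_properties(t) for t in texts]
    return any(p != parsed[0] for p in parsed[1:])

# Constructed sample: the server credentials have neither a keytab nor a password.
SAMPLE = """\
pentaho.authentication.default.kerberos.principal=exampleUser@EXAMPLE.COM
pentaho.authentication.default.kerberos.keytabLocation=/path/to/example.keytab
pentaho.authentication.default.mapping.impersonation.type=simple
pentaho.authentication.default.mapping.server.credentials.kerberos.principal=exampleUser@EXAMPLE.COM
pentaho.authentication.default.mapping.server.credentials.kerberos.password=
pentaho.oozie.proxy.user=oozie
"""
if __name__ == "__main__":
    for finding in check_config(parse_properties(SAMPLE)):
        print("FINDING:", finding)
```

To use it on a real installation, read each of the four config.properties files into a string and pass them to check_config and copies_differ.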
Configuring MapReduce jobs
Procedure
Navigate to the design-tools\data-integration\plugins\pentaho-big-data-plugin\hadoop-configurations\hdp25 folder and open the mapred-site.xml file with a text editor.
Navigate to the pentaho-server\pentaho-solutions\system\kettle\plugins\pentaho-big-data-plugin\hadoop-configurations\hdp25 folder and open the mapred-site.xml file with a text editor.
Add the following two properties to the two mapred-site.xml files:
<property>
  <name>mapreduce.app-submission.cross-platform</name>
  <value>true</value>
</property>
<property>
  <name>mapreduce.framework.name</name>
  <value>yarn</value>
</property>
Save and close the files.
Next steps
When you save your changes in the repository and your Hadoop cluster is connected to the Pentaho Server, you are ready to use secure impersonation to run your transformations and jobs from the Pentaho Server.
If you have not yet connected your Hadoop cluster to the Pentaho Server, continue to the "Edit hbase-site.xml" section in Edit the Shim Configuration Files.