Configure ECS nodes with the ECS service principal
The ECS service principal and its corresponding keytab file must reside on each ECS data node. You must use the Ansible playbooks provided to automate these steps.
You must have the following items before you can complete this procedure:
The DNS resolution where you run this script should be the same as the DNS resolution for the Hadoop host, otherwise the vipr/_HOST@REALM principal will not work.
ECS provides reusable Ansible content called 'roles', which consist of Python scripts, YAML-based task lists, and template files.
vipr_kerberos_config: Configures an ECS node for Kerberos.
vipr_jce_config: Configures an ECS data node for unlimited-strength encryption by installing JCE policy files.
vipr_kerberos_principal: Acquires a service principal for an ECS node.
In this procedure, Ansible is run on a Linux node running Ansible 2.9 or greater that has IP connectivity to the ECS nodes.
Log in to a Linux node that has Ansible 2.9 or greater installed and has IP connectivity to the ECS cluster, and copy the hdfsclient-<ECS version>-<version>.zip file to that node, for example to /home/admin/ecs.ansible. You can use wget to obtain the package directly from support.emc.com, or you can use scp if you have downloaded it to another machine.
Unzip the hdfsclient-<ECS version>-<version>.zip file. The steps in this procedure use the playbooks contained in the viprfs-client-<ECS version>-<version>/playbooks/samples directory; the steps are also described in viprfs-client-<ECS version>-<version>/playbooks/samples/README.md.
Edit the inventory.txt file in the playbooks/samples directory to refer to the ECS data nodes and the KDC server.
Download the unlimited JCE policy archive from oracle.com, and extract it to an UnlimitedJCEPolicy directory in viprfs-client-<ECS version>-<version>/playbooks/samples.
NOTE: Perform this step only if you are using a strong encryption type. You can configure Kerberos to use a strong encryption type, such as AES-256. In that case, you must reconfigure the JRE within the ECS nodes to use the unlimited-strength policy.
Change to the working directory in the container. For example:
cd /home/admin/ecs.ansible/viprfs-client-<ECS version>-<version>/playbooks
Create a requirements.yml file in the playbooks directory as below (use the appropriate ECS version for the version field).
In this example, the default value (vipr/_HOST@EXAMPLE.COM) has been replaced with (vipr/_HOST@MA.EMC.COM) and the domain is MA.EMC.COM.
Run the following command.
export ANSIBLE_HOST_KEY_CHECKING=False
If you are using a KDC without Active Directory, run the Ansible playbook command in this step to generate the vipr keytabs, and then proceed to step 13.
Copy all the keytab files generated to the Ansible host and move them to the keytabs directory located in samples.
NOTE: In these steps, ECSFQDN/FQDN is the ECS fully qualified domain name, REALM is the Hadoop krb5.conf REALM, and HOSTNAME is the ECS hostname without the domain.
Edit the setup-vipr-kerberos.yml file as necessary.
Verify that the correct keytab is generated and stored in the location /data/hdfs/krb5.keytab on all ECS data nodes. You can use the strings command on the keytab to extract the human-readable text, and verify that it contains the correct principal. For example:
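The following is an added example, not part of the ECS documentation or its Ansible content: a small POSIX shell check that scripts the strings-based verification described above, so it can be run on every data node against /data/hdfs/krb5.keytab with that node's FQDN and the REALM from krb5.conf. The sample keytab it builds is constructed for the demo (hostname ecs1.ma.emc.com, realm MA.EMC.COM, placeholder key bytes); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ECS documentation): confirm that an ECS keytab
# holds the expected vipr/<ECSFQDN>@<REALM> principal. In the MIT keytab
# format the realm, the service name and the host are stored as separate
# length-prefixed strings, so `strings` prints "MA.EMC.COM", "vipr" and
# "ecs1.ma.emc.com" on separate lines rather than one vipr/host@REALM token;
# the check therefore looks for each component as an exact line.

# Print the printable runs of a keytab: `strings` when present, otherwise a
# portable tr(1) fallback that splits on every non-printable byte.
keytab_strings() {
  if command -v strings >/dev/null 2>&1; then
    strings "$1"
  else
    tr -c '[:print:]' '\n' < "$1"
  fi
}

# Return 0 if the keytab contains vipr/$2@$3, 1 if a component is missing,
# 2 if the file cannot be read (e.g. run as a user without access).
keytab_has_principal() {
  keytab=$1 fqdn=$2 realm=$3
  [ -r "$keytab" ] || return 2
  for want in vipr "$fqdn" "$realm"; do
    keytab_strings "$keytab" | grep -qxF -- "$want" || return 1
  done
  return 0
}

# Constructed sample keytab: v2 header, one 58-byte entry for
# vipr/ecs1.ma.emc.com@MA.EMC.COM, enctype 18, placeholder 8-byte key.
# Real keytabs come from the vipr_kerberos_principal role, not from here.
make_sample_keytab() {
  printf '\005\002\000\000\000\072\000\002\000\012MA.EMC.COM\000\004vipr\000\017ecs1.ma.emc.com\000\000\000\001\000\000\000\000\003\000\022\000\010\252\252\252\252\252\252\252\252' > "$1"
}

# Demo: on a real node, point this at /data/hdfs/krb5.keytab with the node's
# FQDN and the REALM from krb5.conf instead of the constructed file.
sample=$(mktemp) && make_sample_keytab "$sample"
if keytab_has_principal "$sample" ecs1.ma.emc.com MA.EMC.COM; then
  echo "OK: vipr/ecs1.ma.emc.com@MA.EMC.COM present in $sample"
else
  echo "MISSING: expected principal not found in $sample"
fi
rm -f "$sample"
```

Because the FQDN is matched as a whole line, a keytab issued for a name that differs from what DNS resolves on the node (the vipr/_HOST@REALM mismatch noted in the prerequisites) is reported as missing rather than silently accepted.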