Disabling Kerberos Security

HAWQ supports Kerberos at the HDFS level, the user authentication level, or both. The procedure to disable Kerberos differs for each.

Disable Kerberized HDFS for HAWQ/PXF

The procedure to disable HAWQ/PXF access to a previously kerberized HDFS depends on whether you manage your cluster from the command line or with Ambari.

Procedure for Ambari-Managed Clusters

If you manage your cluster using Ambari, you will disable Kerberos authentication for your cluster as described in the How To Disable Kerberos Hortonworks documentation. Ambari will guide you through the de-kerberization process, including removing/updating any authentication-related configuration in your cluster.

Procedure for Command-Line-Managed Clusters

If you manage your cluster from the command line, follow these instructions to disable HDFS Kerberos security for HAWQ and PXF.

  1. Disable Kerberos on the Hadoop cluster on which you use HAWQ.
  2. Disable security for HAWQ:

    1. Log in to the HAWQ database master server as the gpadmin user and set up your HAWQ environment:

      $ ssh gpadmin@<master>
      gpadmin@master$ . /usr/local/hawq/greenplum_path.sh
      
    2. Start HAWQ if necessary:

      gpadmin@master$ hawq start cluster
      
    3. Update HAWQ configuration to disable security:

      gpadmin@master$ hawq config -c enable_secure_filesystem -v "off"
      
    4. Change the ownership of the HAWQ HDFS data directory:

      gpadmin@master$ sudo -u hdfs hdfs dfs -chown -R gpadmin:gpadmin /<hawq_data_hdfs_path>
      
    5. On the HAWQ master node and on all segment server nodes, edit the /usr/local/hawq/etc/hdfs-client.xml file to disable Kerberos security. Comment out or remove the following properties in each file:

      <!--
      <property>
        <name>hadoop.security.authentication</name>
        <value>kerberos</value>
      </property>
      
      <property>
        <name>dfs.namenode.kerberos.principal</name>
        <value>nn/_HOST@LOCAL.DOMAIN</value>
      </property>
      -->
      
    6. Restart HAWQ:

      gpadmin@master$ hawq restart cluster -a -M fast
      
  3. Disable security for PXF. Perform these steps on each PXF node:

    1. Edit the /etc/pxf/conf/pxf-site.xml file to comment out or remove the following properties:

      <!--
      <property>
          <name>pxf.service.kerberos.keytab</name>
          <value>/etc/security/keytab/pxf.service.keytab</value>
          <description>path to keytab file owned by pxf service
          with permissions 0400</description>
      </property>
      
      <property>
          <name>pxf.service.kerberos.principal</name>
          <value>pxf/_HOST@HDB.LOCAL</value>
          <description>Kerberos principal pxf service should use.
          _HOST is replaced automatically with hostnames
          FQDN</description>
      </property>
      -->
      
    2. Restart the PXF service.

      root@pxf-node$ service pxf-service restart
      

Disable Kerberos User Authentication for HAWQ

Perform the following procedure to disable Kerberos user authentication for HAWQ.

  1. Comment out or remove the pg_hba.conf entry that mandates Kerberos authentication for HAWQ. The pg_hba.conf file resides in the directory specified by the hawq_master_directory server configuration parameter value. For example, comment out:

    #host all all 0.0.0.0/0 gss include_realm=0 krb_realm=REALM.DOMAIN
    
  2. Update the pg_hba.conf file to configure non-Kerberos access restrictions for all your HAWQ users.

  3. Reload HAWQ configuration:

    gpadmin@master$ hawq stop master --reload
    
  4. Notify your HAWQ users that kinit ticket requests are no longer required to authenticate to HAWQ.
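
A check for steps 1 and 2 of this procedure, as an added example that is not part of the HAWQ documentation: it parses a pg_hba.conf and reports entries that still require Kerberos, plus remote entries left on `trust`, which admit users without any credential once the gss rule is gone. The sample file, the function names and the choice to flag only these two conditions are assumptions made for illustration.

```python
import ipaddress

KERBEROS_METHODS = {"gss", "krb5"}  # methods that still require a Kerberos ticket

# Constructed sample pg_hba.conf; databases, users and networks are placeholders.
SAMPLE = """\
# TYPE  DATABASE  USER     ADDRESS            METHOD
local   all       gpadmin                     ident
#host   all       all      0.0.0.0/0          gss include_realm=0 krb_realm=REALM.DOMAIN
host    all       all      10.0.0.0/8         md5
host    all       all      0.0.0.0  0.0.0.0   trust
host    sales     etl      192.168.1.0/24     gss include_realm=0
"""


def _network(address, mask):
    """Return 'address/prefix' for an address + netmask pair, else None."""
    try:
        return str(ipaddress.ip_network(f"{address}/{mask}", strict=False))
    except ValueError:
        return None


def active_entries(text):
    """Yield (line_no, conn_type, address, method) for each uncommented entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only or malformed line
        if fields[0] == "local":  # local  database  user  method [options]
            yield line_no, "local", None, fields[3]
            continue
        net = _network(fields[3], fields[4]) if len(fields) >= 6 else None
        if net:  # host  database  user  address  netmask  method [options]
            yield line_no, fields[0], net, fields[5]
        elif len(fields) >= 5:  # host  database  user  CIDR-address  method [options]
            yield line_no, fields[0], fields[3], fields[4]


def audit(text):
    """Return (line_no, kind, address) for entries to fix after de-kerberization."""
    findings = []
    for line_no, conn_type, address, method in active_entries(text):
        if method in KERBEROS_METHODS:
            findings.append((line_no, "kerberos", address))  # still demands a ticket
        elif method == "trust" and conn_type != "local":
            findings.append((line_no, "trust", address))  # remote login, no credential
    return findings


if __name__ == "__main__":
    for line_no, kind, address in audit(SAMPLE):
        print(f"pg_hba.conf line {line_no}: {kind} entry for {address}")
```

To check a live master, pass the contents of the pg_hba.conf in the hawq_master_directory to `audit()` before reloading the configuration.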