Disabling Kerberos Security
HAWQ supports Kerberos at both the HDFS and/or user authentication levels. You will perform different disable procedures for each.
Disable Kerberized HDFS for HAWQ/PXF
You will perform different procedures to disable HAWQ/PXF access to a previously-kerberized HDFS depending upon whether you manage your cluster from the command line or use Ambari to manage your cluster.
Procedure for Ambari-Managed Clusters
If you manage your cluster using Ambari, you will disable Kerberos authentication for your cluster as described in the How To Disable Kerberos Hortonworks documentation. Ambari will guide you through the de-kerberization process, including removing/updating any authentication-related configuration in your cluster.
Procedure for Command-Line-Managed Clusters
If you manage your cluster from the command line, follow these instructions to disable HDFS Kerberos security for HAWQ and PXF.
- Disable Kerberos on the Hadoop cluster on which you use HAWQ.
Disable security for HAWQ:
Login to the HAWQ database master server as the
gpadmin
user and set up your HAWQ environment:$ ssh gpadmin@<master> gpadmin@master$ . /usr/local/hawq/greenplum_path.sh
Start HAWQ if necessary:
gpadmin@master$ hawq start cluster
Update HAWQ configuration to disable security:
gpadmin@master$ hawq config -c enable_secure_filesystem -v “off”
Change the permission of the HAWQ HDFS data directory:
gpadmin@master$ sudo -u hdfs hdfs dfs -chown -R gpadmin:gpadmin /<hawq_data_hdfs_path>
On the HAWQ master node and on all segment server nodes, edit the
/usr/local/hawq/etc/hdfs-client.xml
file to disable kerberos security. Comment or remove the following properties in each file:<!-- <property> <name>hadoop.security.authentication</name> <value>kerberos</value> </property> <property> <name>dfs.namenode.kerberos.principal</name> <value>nn/_HOST@LOCAL.DOMAIN</value> </property> -->
Restart HAWQ:
gpadmin@master$ hawq restart cluster -a -M fast
Disable security for PXF. Perform these steps on each PXF node:
Edit the
/etc/pxf/conf/pxf-site.xml
to comment out or remove the following properties:<!-- <property> <name>pxf.service.kerberos.keytab</name> <value>/etc/security/keytab/pxf.service.keytab</value> <description>path to keytab file owned by pxf service with permissions 0400</description> </property> <property> <name>pxf.service.kerberos.principal</name> <value>pxf/_HOST@HDB.LOCAL</value> <description>Kerberos principal pxf service should use. _HOST is replaced automatically with hostnames FQDN</description> </property> -->
Restart the PXF service.
root@pxf-node$ service pxf-service restart
Disable Kerberos User Authentication for HAWQ
Perform the following procedure to disable Kerberos user authentication for HAWQ.
Comment out or remove the
pg_hba.conf
entry that mandates Kerberos authentication for HAWQ. Thepg_hba.conf
file resides in the directory specified by thehawq_master_directory
server configuration parameter value. For example, comment out:#host all all 0.0.0.0/0 gss include_realm=0 krb_realm=REALM.DOMAIN
Update the
pg_hba.conf
file to configure non-Kerberos access restrictions for all your HAWQ users.Reload HAWQ configuration:
gpadmin@master$ hawq stop master --reload
Notify your HAWQ users that
kinit
ticket requests are no longer required to authenticate to HAWQ.