MapR 5.0 secure/unsecure cluster questions

Question asked by midair77 on Jan 11, 2016
Latest reply on Jan 13, 2016 by midair77
Hi all,

Again, I am a newbie with MapR, and I have to say that I might have missed some of the information. Please help me, as I would like to set up MapR in a couple of scenarios to integrate our app with MapR.

0. Is it possible to set up a vanilla MapR 5.0 that uses PAM to authenticate users without running configure.sh with -genkeys? This is the output of configure.sh:
[root@mapr-node1 server]# ./configure.sh
configure.sh is a tool to configure nodes in a MapR cluster and is
run on all nodes

Usage:

configure.sh  -C cldb_list  -Z zookeeper_list  [args]

configure.sh  -C cldb_list -M cldb_mh_list [-M cldb_mh_list ...] -Z zookeeper_list  [args]

configure.sh  client_only_mode  [refresh_roles] [args]

configure.sh  refresh_roles  [client_only_mode] [args]
...

    **-genkeys               - generate needs keys and certificates for first CLDB node**

    -certdomain <domain>   - override default DNS domain for generated SSL wild card certificates

    -nocerts               - do not generate certificates even if -genkeys specified
...
    -S | -secure           - secure cluster

                             default: non-secure

    -unsecure              - non-secure cluster
                             default: non-secure

    -K | -kerberosEnable   - Enable kerberos
                             default: disabled

I simply want an unsecure cluster, so I ran this in Ansible:
/opt/mapr/server/configure.sh -N mapr5  --isvm --create-user -no-autostart -on-prompt-cont y -C {{ groups['mapr-cldb'][0] }} -Z {{ groups['mapr-zookeeper'][0] }},{{ groups['mapr-zookeeper'][1] }},{{ groups['mapr-zookeeper'][2] }} -HS {{ groups['mapr-historyserver'][0] }} -RM {{ groups['mapr-resourcemanager'][0] }} -noDB


But now, as I wanted to use another user such as myuser, and not mapr or root, to access the cluster with "maprlogin password", I would get this error:

myuser# maprlogin password
ERROR: SSL trust store not found at /opt/mapr/conf/ssl_truststore.


It seems like the answer to this is that I must run -genkeys for the first (and only CLDB in my setup) and do the magic of copying SSL-related files to other non-CLDB nodes.

2. What is considered a non-secure MapR cluster?
In Apache Hadoop, it seems to me that without authenticating with Kerberos/LDAP, a Unix user on the cluster can access the cluster.

In MapR, running configure.sh with -genkeys -unsecure or just -genkeys (on the first CLDB, and without -genkeys for the rest) alone will get me an unsecure MapR cluster. Do I still have to set up PAM on the cluster or the control node, and do I have to use "maprlogin password" to allow a non-root or mapr user to access the MapR-FS? What is the right definition for an unsecure MapR cluster? Please point me to the right literature.

3. Is it true that running configure.sh -genkeys -secure on the first CLDB, and with just -secure on the rest of the nodes, will turn my cluster into a secure MapR cluster? For a secure MapR cluster, this can be done either through PAM (maprlogin password) or Kerberos (maprlogin kerberos)?

4. I have a private Certificate Authority in my environment and I can certainly create a trust store SSL file for the first CLDB. Should I be able to use this or stick with -genkeys? In my environment, I have CDH and HDP clusters, and I would like to have MapR and these talk to each other. On my other non-MapR nodes, I already have these nodes trusting my private CA. Please recommend the right way to carry this out.

5. Does MapR work well with configuration management tools like Puppet/Ansible/Salt/Chef? Please point me to some information on how to use these with MapR.

 Thank you very much.

