ECS 3.6.2 Data Access Guide

Configure ECS nodes with the ECS service principal

The ECS service principal and its corresponding keytab file must reside on each ECS data node. You must use the Ansible playbooks provided to automate these steps.

You must have the following items before you can complete this procedure:
  • Access to the Ansible playbooks. Obtain the Ansible playbooks from the ECS HDFS software package as described in Obtain the ECS HDFS installation and support packages.
  • The list of ECS node IP addresses.
  • IP address of the KDC.
  • The host where you run these playbooks must resolve names the same way as the Hadoop host; otherwise the vipr/_HOST@REALM principal will not work.
ECS provides reusable Ansible content called 'roles', which consist of Python scripts, YAML-based task lists, and template files.
  • vipr_kerberos_config: Configures an ECS node for Kerberos.
  • vipr_jce_config: Configures an ECS data node for unlimited-strength encryption by installing JCE policy files.
  • vipr_kerberos_principal: Acquires a service principal for an ECS node.

In this procedure, Ansible is run on a Linux node running Ansible 2.9 or greater that has IP connectivity to the ECS nodes.

  1. Log in to a Linux node that has Ansible 2.9 or greater installed and has IP connectivity to the ECS cluster, and copy the hdfsclient-<ECS version>-<version>.zip file to a working directory on that node.
    For example: /home/admin/ecs.ansible. You can use wget to obtain the package directly from support.emc.com, or scp if you have downloaded it to another machine.
  2. Unzip the hdfsclient-<ECS version>-<version>.zip file.
    The steps in this procedure use the playbooks contained in the viprfs-client-<ECS version>-<version>/playbooks/samples directory and the steps are also contained in viprfs-client-<ECS version>-<version>/playbooks/samples/README.md.
  3. Edit the inventory.txt file in the playbooks/samples directory to refer to the ECS data nodes and the KDC server.
    The default entries are shown below.
    [data_nodes]
    192.168.2.[100:200]

    [kdc]
    192.168.2.10
  4. Download the unlimited JCE policy archive from oracle.com, and extract it to an UnlimitedJCEPolicy directory in viprfs-client-<ECS version>-<version>/playbooks/samples.
    NOTE: Perform this step only if you are using a strong encryption type.
    You can configure Kerberos to use a strong encryption type, such as AES-256. In that case, you must reconfigure the JRE within the ECS nodes to use the policy.
  5. Change to the working directory in the container.
    For example:
    cd /home/admin/ecs.ansible/viprfs-client-<ECS version>-<version>/playbooks
  6. Create a requirements.yml file in the playbooks directory as shown below (use the appropriate ECS version for the version field).
    - src: vipr_common.tar.gz
      version: 3.3.0.1
      name: vipr_common
    
    - src: vipr_jce_config.tar.gz
      version: 3.3.0.1
      name: vipr_jce_config
    
    - src: vipr_kerberos_config.tar.gz
      version: 3.3.0.1
      name: vipr_kerberos_config
    
    - src: vipr_kerberos_principal.tar.gz
      version: 3.3.0.1
      name: vipr_kerberos_principal
  7. Install the supplied Ansible roles.
    ansible-galaxy install -r requirements.yml
  8. Change to the samples directory, then copy the krb5.conf file from the KDC or Hadoop node to the current directory.
  9. Edit the generate-vipr-keytabs.yml file as necessary and set the domain name.
    NOTE: If you are using Active Directory instead of a KDC, you can skip this step and perform the next step.
    For example:
    [root@nile3-vm22 samples]# cat generate-vipr-keytabs.yml
    ---
    ###
    # Generates keytabs for ViPR/ECS data nodes.
    ###

    - hosts: data_nodes
      serial: 1

      roles:
        - role: vipr_kerberos_principal
          kdc: "{{ groups.kdc | first }}"
          principals:
            - name: vipr/_HOST@MA.EMC.COM
              keytab: keytabs/_HOST@MA.EMC.COM.keytab

    In this example, the default value (vipr/_HOST@EXAMPLE.COM) has been replaced with (vipr/_HOST@MA.EMC.COM) and the domain is MA.EMC.COM.

  10. Run the following command.
    export ANSIBLE_HOST_KEY_CHECKING=False
  11. If you are using a KDC without Active Directory, run the Ansible playbook command in this step to generate the vipr keytabs, and then proceed to step 13.
    ansible-playbook -v -k -i inventory.txt --user admin -b --become-user=root generate-vipr-keytabs.yml
  12. If you are using an Active Directory for authentication, you must first manually pre-create vipr service principals for every ECS node as follows.
    1. Create an Active Directory user: vipr/ECSFQDN.
    2. Run setspn command for every vipr principal as follows:
      setspn -A vipr/FQDN REALM\ECSHOSTNAME
    3. Run ktpass for every vipr principal as follows.
      ktpass /princ vipr/ECSFQDN@REALM /pass +rndpass /mapuser HADOOP\HOSTNAME /out ECSFQDN@REALM.keytab /crypto ALL /ptype KRB5_NT_PRINCIPAL
    4. Copy all the keytab files generated to the Ansible host and move them to the keytabs directory located in samples.
    NOTE: In these steps, ECSFQDN/FQDN is the ECS fully qualified domain name, REALM is the Hadoop krb5.conf REALM, and HOSTNAME is the ECS hostname without the domain.
  13. Edit the setup-vipr-kerberos.yml file as necessary.
    The default file contents are shown below.
    # cat setup-vipr-kerberos.yml
    ---
    ###
    # Configures ViPR/ECS for Kerberos authentication.
    # - Configures krb5 client
    # - Installs keytabs
    # - Installs JCE policy
    ###

    - hosts: data_nodes

      roles:
        - role: vipr_kerberos_config
          krb5:
            config_file: krb5.conf
          service_principal:
            name: vipr/_HOST@EXAMPLE.COM
            keytab: keytabs/_HOST@EXAMPLE.COM.keytab

        - role: vipr_jce_config
          jce_policy:
            name: unlimited
            src: UnlimitedJCEPolicy/

    Replace the default value (vipr/_HOST@EXAMPLE.COM) with the principal for your domain, for example (vipr/_HOST@MA.EMC.COM) when the domain is MA.EMC.COM.

    NOTE: You must remove the vipr_jce_config role if you are not using a strong encryption type.
  14. Run the Ansible playbook to configure the data nodes with the ECS service principal.
    Make sure the /ansible/samples/keytabs directory exists and the krb5.conf file is in the working directory /ansible/samples.
    ansible-playbook -v -k -i inventory.txt --user admin -b --become-user=root setup-vipr-kerberos.yml
    Verify that the correct ECS service principal, one per data node, has been created (from the KDC):
    # kadmin.local -q "list_principals" | grep vipr
    vipr/nile3-vm42.centera.lab.emc.com@MA.EMC.COM
    vipr/nile3-vm43.centera.lab.emc.com@MA.EMC.COM
    Verify that the correct keytab is generated and stored in the location: /data/hdfs/krb5.keytab on all ECS data nodes. You can use the strings command on the keytab to extract the human readable text, and verify that it contains the correct principal. For example:
    dataservice-10-247-199-69:~ # strings /data/hdfs/krb5.keytab
    MA.EMC.COM
    vipr
    nile3-vm42.centera.lab.emc.com

    In this case, the principal is vipr/nile3-vm42.centera.lab.emc.com.
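    The strings check above only shows the principal name. As an added example (not part of the ECS guide or its Ansible roles), the following Python parses the MIT keytab format and confirms that vipr/<FQDN>@REALM is present and keyed with an AES enctype, which is what the unlimited JCE policy step is there to allow; the sample keytab bytes are constructed inside the block, and on a data node you would pass the contents of /data/hdfs/krb5.keytab to check_service_principal instead.

```python
import struct

ENCTYPES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96", 23: "arcfour-hmac"}
STRONG = {17, 18}  # AES enctypes; the unlimited JCE policy step exists so AES-256 keys can be used

def _cstr(s: str) -> bytes: return struct.pack(">H", len(s.encode())) + s.encode()  # counted string

def build_keytab(entries) -> bytes:
    """Serialise (realm, components, enctype, kvno, key) tuples as an MIT keytab (version 0x0502)."""
    out = b"\x05\x02"
    for realm, comps, enctype, kvno, key in entries:
        body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(map(_cstr, comps))
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)            # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # key + 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes) -> list:
    """Return {principal, enctype, kvno, strong} for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                                   # negative size marks a deleted slot
            pos -= size; continue
        body = data[pos:pos + size]
        (ncomp,) = struct.unpack(">H", body[:2]); off, parts = 2, []
        for _ in range(ncomp + 1):                     # realm first, then the name components
            (n,) = struct.unpack(">H", body[off:off + 2])
            parts.append(body[off + 2:off + 2 + n].decode()); off += 2 + n
        vno8 = body[off + 8]; off += 9                 # skip 32-bit name type and timestamp
        enctype, klen = struct.unpack(">HH", body[off:off + 4]); off += 4 + klen
        kvno = struct.unpack(">I", body[off:off + 4])[0] if size - off >= 4 else vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "strong": enctype in STRONG})
        pos += size
    return entries

def check_service_principal(data: bytes, fqdn: str, realm: str):
    """Confirm vipr/<fqdn>@<realm> is in the keytab and flag any non-AES key for it."""
    want = f"vipr/{fqdn}@{realm}"
    keys = [e for e in parse_keytab(data) if e["principal"] == want]
    problems = [] if keys else [f"missing principal {want}"]
    problems += [f"weak enctype {e['enctype']} present" for e in keys if not e["strong"]]
    return not problems, problems

# Constructed sample (not a real ECS keytab): one AES-256 key plus a legacy RC4 key for the principal.
PRINC = ("MA.EMC.COM", ["vipr", "nile3-vm42.centera.lab.emc.com"])
SAMPLE = build_keytab([PRINC + (18, 2, b"\x11" * 32), PRINC + (23, 2, b"\x22" * 16)])
```

    A keytab that carries only an RC4 or DES key for the vipr principal is reported as a problem even though strings would show the expected principal name.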

