本文详细介绍了Hadoop安全配置的各项参数及其作用,包括服务级授权、认证方式、用户到组映射、RPC保护等关键设置。
<!--- security properties -->
<property> <name>hadoop.security.authorization</name> <value>false</value> <description>Is service-level authorization enabled?</description> </property>
注释:
<property> <name>hadoop.security.authentication</name> <value>simple</value> <description>Possible values are simple (no authentication), and kerberos </description> </property>
注释:
<property> <name>hadoop.security.group.mapping</name> <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value> <description> Class for user to group mapping (get groups for a given user) for ACL </description> </property>
注释:
<property> <name>hadoop.security.groups.cache.secs</name> <value>300</value> <description> This is the config controlling the validity of the entries in the cache containing the user->group mapping. When this duration has expired, then the implementation of the group mapping provider is invoked to get the groups of the user and then cached back. </description> </property>
注释:
<property> <name>hadoop.security.service.user.name.key</name> <value></value> <description> For those cases where the same RPC protocol is implemented by multiple servers, this configuration is required for specifying the principal name to use for the service when the client wishes to make an RPC call. </description> </property>
注释:
<property> <name>hadoop.rpc.protection</name> <value>authentication</value> <description>This field sets the quality of protection for secured sasl connections. Possible values are authentication, integrity and privacy. authentication means authentication only and no integrity or privacy; integrity implies authentication and integrity are enabled; and privacy implies all of authentication, integrity and privacy are enabled. </description> </property>
注释:
<property> <name>hadoop.work.around.non.threadsafe.getpwuid</name> <value>false</value> <description>Some operating systems or authentication modules are known to have broken implementations of getpwuid_r and getpwgid_r, such that these calls are not thread-safe. Symptoms of this problem include JVM crashes with a stack trace inside these functions. If your system exhibits this issue, enable this configuration parameter to include a lock around the calls as a workaround. An incomplete list of some systems known to have this issue is available at http://wiki.apache.org/hadoop/KnownBrokenPwuidImplementations </description> </property>
注释:
<property> <name>hadoop.kerberos.kinit.command</name> <value>kinit</value> <description>Used to periodically renew Kerberos credentials when provided to Hadoop. The default setting assumes that kinit is in the PATH of users running the Hadoop client. Change this to the absolute path to kinit if this is not the case. </description> </property>
注释:
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
