
Configure pass-through authentication in the configuration file
This topic describes how to edit indexes.conf
and impersonation.conf
so that Hunk users are able to act as Hadoop users. This lets you to give specific Hunk users the ability to submit MapReduce jobs as different Hadoop users to a specific queue. To configure pass-through authentication using the Hunk user interface, see Map Hunk pass-through authentication.
With pass-through authentication, Hunk uses the Hunk Superuser as a proxy to Hadoop, letting you interact with Hadoop as the Hadoop user. You can configure this to be a Hadoop user with the same name as the Hunk user, or a user with different name.
To learn more about how pass-through authentication works, see About pass-through authentication.
Configure Hadoop Cluster to support pass-through authentication
Once you enable pass-through authentication, interactions with Hadoop happen as the Hadoop user with the same name as the Hunk user who is logged in. Hadoop must be configured as follows to support this:
1. Make sure that any Hadoop user you want Hunk users to act as exists on each Hadoop node. You can manually create them or use LDAP to create them.
2. Ensure your Hunk Superuser is in the Hadoop Supergroup. You can find the Hadoop supergroup in the hdfs-site.xml
file as dfs.permissions.supergroup
.
If your Hunk Superuser is not in the Supergroup on each Hadoop node, use the following command to add the Superuser to the Supergroup on each node:
sudo usermod -G <group name> <user name>.
3. Create home directories in HDFS for the users in your Hadoop clusters, and ensure that provider's hadoop home (vix.splunk.home.hdfs) in hdfs is readable and executable by all the users added in step 2.
4. Add a stanza to core-site.xml
to allow the Hadoop user (with the same name as the hunk superuser) to act as a proxy for Hadoop users in designated node user groups:
Note: For best results, we recommend you do this against Kerberized clusters. For more information about using Kerberos, see Configure Kerberos Authentication.
<property> <name>hadoop.proxyuser.<name of your Hunk Superuser>.groups</name> <value>group1,group2</value> <description>Allows the Hunk superuser to impersonate any members of the group group1 and group2</description> </property>
5. Optionally limit connections by host:
<property> <name>hadoop.proxyuser.<name of your Hunk Superuser>.hosts</name> <value>host1,host2</value> <description>The superuser can connect only from host1 and host2 to impersonate a user</description> </property>
Configure pass-through authentication in Hunk
In the next steps, you can configure Hunk users to submit jobs to a specific queue and/or interact with Hadoop as a Hadoop user with a different name than the Hunk user logged in.
1. Turn on the feature in indexes.conf
for each provider:
[provider:myprovider] vix.splunk.impersonation = 1
2. Optionally map Hunk users to a specific alias and queue in HDFS by updating impersonation.conf
:
[provider:myprovider] admin = {"user": "hadoopadmin"} hunkuser1 = {"queue": "red"} [provider:mycdh] hunkuser1 = {"user": "hadoopuser", "queue": "blue"}
PREVIOUS Configure pass-through authentication in the Hunk user interface |
NEXT About archiving Splunk indexes |
This documentation applies to the following versions of Hunk®(Legacy): 6.1, 6.1.1, 6.1.2, 6.1.3, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
Feedback submitted, thanks!