
E-MapReduce: Configure a StarRocks cluster to query data from a high-security cluster

Last Updated: Dec 22, 2023

A high-security cluster refers to a cluster with Kerberos authentication enabled. If you enable Kerberos authentication for your cluster, you must use a valid Kerberos credential for authentication when you query data from the cluster. To ensure that you have the required permissions to query data from a high-security cluster, we recommend that you follow the procedure in this topic to configure a StarRocks cluster.

Prerequisites

  • A cluster that contains the Hadoop Distributed File System (HDFS) and Hive services is created and Kerberos Authentication is turned on for the cluster. For example, you can create a DataLake cluster or a custom cluster. For more information, see Create a cluster.

    Note

    In this example, a DataLake cluster is created.

  • A StarRocks cluster is created. For more information, see Create a StarRocks cluster.

Limits

The preceding clusters must be deployed in the same virtual private cloud (VPC) and zone.

Procedure

Step 1: Modify the krb5.conf file of the StarRocks cluster

Log on to the nodes on which the Frontend (FE) and Backend (BE) components are installed as the root user. Then, modify the /etc/krb5.conf file of the nodes to ensure consistency with the /etc/krb5.conf file of the master-1-1 node of the DataLake cluster.

Note

You can view information about the nodes on which the FE and BE components are installed on the Status tab of the StarRocks service page of the StarRocks cluster in the E-MapReduce (EMR) console.

Step 2: Create a principal

  1. Log on to the master-1-1 node of the StarRocks cluster. For more information, see Log on to a cluster.

  2. Run the kadmin command and enter the password. The Kerberos administration tool is opened.

    Note

    The password is the value of the admin_pwd parameter for the Kerberos service. You can obtain the value on the Configure tab of the Kerberos service page of the cluster in the EMR console.

  3. Run the following command to create a principal whose username is starrocks:

    addprinc -pw <password> starrocks

    Record the username and password, which are required when you create a ticket-granting ticket (TGT).

  4. Run the quit command to exit the Kerberos administration tool.

Step 3: Verify the principal

Log on to the nodes on which the FE and BE components are installed as the root user. Then, perform the following operations:

  1. Run the su - starrocks command to switch to the starrocks user.

  2. Run the kinit command and enter the password that you configured when you created the principal.

  3. Run the klist command. If Default principal: starrocks@EMR.C-xxx.COM appears, the principal is created.

Step 4: Add configuration items

  1. Go to the Configure tab of the StarRocks service page.

    1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.

    2. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.

    3. On the EMR on ECS page, find the desired cluster and click Services in the Actions column.

    4. On the Services tab, find the StarRocks service and click Configure.

  2. Add a configuration item on the core-site.xml tab.

    1. On the Configure tab of the StarRocks service page, click the core-site.xml tab.

    2. Add a configuration item to the core-site.xml file. The following table describes the configuration item.

      | Configuration item | Description |
      | --- | --- |
      | hadoop.security.authentication | Set the value to KERBEROS. |

  3. Add configuration items on the hdfs-site.xml tab.

    1. On the Configure tab of the StarRocks service page, click the hdfs-site.xml tab.

    2. Add configuration items to the hdfs-site.xml file. The following table describes the configuration items.

      | Configuration item | Description |
      | --- | --- |
      | dfs.data.transfer.protection | Set the configuration item to the same value as the corresponding configuration item in the hdfs-site.xml file of the HDFS service in the DataLake cluster. |
      | dfs.datanode.kerberos.principal | Set the configuration item to the same value as the corresponding configuration item in the hdfs-site.xml file of the HDFS service in the DataLake cluster. |
      | dfs.namenode.kerberos.principal | Set the configuration item to the same value as the corresponding configuration item in the hdfs-site.xml file of the HDFS service in the DataLake cluster. |

  4. Add configuration items on the hive-site.xml tab.

    1. On the Configure tab of the StarRocks service page, click the hive-site.xml tab.

    2. Add configuration items to the hive-site.xml file. The following table describes the configuration items.

      | Configuration item | Description |
      | --- | --- |
      | hive.metastore.sasl.enabled | Set the configuration item to the same value as the corresponding configuration item in the hive-site.xml file of the Hive service in the DataLake cluster. |
      | hive.metastore.kerberos.principal | Set the configuration item to the same value as the corresponding configuration item in the hive-site.xml file of the Hive service in the DataLake cluster. |

  5. Save the configurations.

    1. On the Configure tab of the StarRocks service page, click Save.

    2. In the dialog box that appears, configure the Execution Reason parameter and click Save.

  6. Restart the StarRocks service.

    1. In the upper-right corner of the StarRocks service page, choose More > Restart.

    2. In the dialog box that appears, configure the Execution Reason parameter and click OK.

    3. In the message that appears, click OK.

      After the StarRocks service is restarted, you can use the StarRocks cluster to query data from the cluster for which Kerberos authentication is enabled.
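
Step 4 depends on five values being identical on both clusters, and a mismatch typically shows up only later as an authentication failure at query time. The following check is an added example, not part of the original topic or of EMR: it compares the Step 4 keys between the two sides and reports every difference. It assumes the configuration of each cluster is available as Hadoop-style XML text; the function names, the sample realm and the sample principals are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Step 4 keys that must carry the DataLake cluster's values, per file.
MUST_MATCH = {
    "hdfs-site.xml": ["dfs.data.transfer.protection", "dfs.datanode.kerberos.principal",
                      "dfs.namenode.kerberos.principal"],
    "hive-site.xml": ["hive.metastore.sasl.enabled", "hive.metastore.kerberos.principal"],
}

def load_props(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def check_parity(starrocks, datalake, empty="<configuration/>"):
    """Both arguments map file name -> XML text. Returns findings; [] means consistent."""
    findings = []
    auth = load_props(starrocks.get("core-site.xml", empty)).get("hadoop.security.authentication")
    if (auth or "").upper() != "KERBEROS":  # case-insensitive compare is an assumption
        findings.append(f"core-site.xml: hadoop.security.authentication={auth!r}, expected KERBEROS")
    for fname, keys in MUST_MATCH.items():
        sr, dl = load_props(starrocks.get(fname, empty)), load_props(datalake.get(fname, empty))
        for key in keys:
            if key not in sr:
                findings.append(f"{fname}: {key} missing on StarRocks, DataLake has {dl.get(key)!r}")
            elif sr[key] != dl.get(key):
                findings.append(f"{fname}: {key}={sr[key]!r}, DataLake has {dl.get(key)!r}")
    return findings

def to_xml(props):
    """Build a constructed sample file from a dict."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>" for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample values; the realm and principals are placeholders, not from the page.
HDFS = {"dfs.data.transfer.protection": "integrity",
        "dfs.datanode.kerberos.principal": "hdfs/_HOST@EXAMPLE.COM",
        "dfs.namenode.kerberos.principal": "hdfs/_HOST@EXAMPLE.COM"}
HIVE = {"hive.metastore.sasl.enabled": "true",
        "hive.metastore.kerberos.principal": "hive/_HOST@EXAMPLE.COM"}
DATALAKE = {"hdfs-site.xml": to_xml(HDFS), "hive-site.xml": to_xml(HIVE)}
STARROCKS = {
    "core-site.xml": to_xml({"hadoop.security.authentication": "KERBEROS"}),
    "hdfs-site.xml": to_xml({**HDFS, "dfs.data.transfer.protection": "authentication"}),
    "hive-site.xml": to_xml({k: v for k, v in HIVE.items() if k != "hive.metastore.sasl.enabled"}),
}

if __name__ == "__main__":
    print("\n".join(check_parity(STARROCKS, DATALAKE)))
```

With the constructed sample, the check reports the dfs.data.transfer.protection mismatch and the missing hive.metastore.sasl.enabled item; an empty result means the StarRocks side carries the same values as the DataLake cluster.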