Kerberos and Sentry requirements

BDD supports integration with Kerberos 5+ and the version of Sentry included with your Hadoop distribution. If either or both of these are enabled for your Hadoop cluster, you must also enable them for BDD to ensure it can access the data it requires.

For more information on Kerberos and Sentry, see Security.

This procedure assumes you already have Kerberos and/or Sentry installed.

To enable Kerberos and Sentry:

  1. Create the following directories in HDFS:
    • /user/<BDD user>, where <BDD user> is the name of the Linux user that will install BDD (the BDD user).
    • /user/<HDFS_DP_USER_DIR>, where <HDFS_DP_USER_DIR> is the value of HDFS_DP_USER_DIR in BDD's configuration file.
    The owner of both directories must be the BDD user and their group must be supergroup.
  2. Add the BDD user to the hive group.
  3. For Kerberos:
    1. Create a BDD principal.
      The primary component must be the name of the BDD user and the realm must be your default realm.
    2. Generate a keytab file for the BDD principal and copy it to the install machine.
      The name and location of this file are arbitrary as the installer will rename it bdd.keytab and copy it to all BDD nodes.
    3. Copy the krb5.conf file from one of your Hadoop nodes to the install machine.
      The location you put it in is arbitrary as the installer will copy it to /etc on all BDD nodes.
    4. Install the kinit and kdestroy utilities on all BDD nodes.
    5. Add the BDD user to the hdfs group on all BDD nodes.
    6. Update the Kerberos-related properties in BDD's configuration file.
    7. If you use HDP, set the hadoop.proxyuser.hive.groups property in core-site.xml to *.
      You can do this in Ambari.
  4. For Sentry, create a new role for BDD:
    create role <BDD_role>;
    grant all on server server1 to role <BDD_role>;
    show grant role <BDD_role>;
    grant role <BDD_role> to group hive;

After installation, you can use the bdd-admin script to update your Kerberos configuration, if necessary. For more information, see the Administrator's Guide.
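
The Kerberos prerequisites in steps 2 and 3 can be checked on a node before running the installer. The following shell script is an added example, not part of the BDD documentation or tooling; the function names, the user bdd and the realm EXAMPLE.COM are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's code): preflight checks for steps 2 and 3 above.
# Hypothetical usage: sh bdd_preflight.sh bdd bdd@EXAMPLE.COM ./krb5.conf

# Print default_realm from the [libdefaults] section of a krb5.conf file.
default_realm() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
        }' "$1" 2>/dev/null
}

# Step 3.1: the primary must be the BDD user and the realm the default realm.
# Returns 0 on match, 1 on mismatch, 2 if no default realm can be read.
check_principal() {
    cp_princ=$1; cp_user=$2
    cp_realm=$(default_realm "$3")
    [ -n "$cp_realm" ] || return 2
    case $cp_princ in *@*) ;; *) return 1 ;; esac
    cp_name=${cp_princ%@*}                         # drop the @REALM suffix
    [ "${cp_name%%/*}" = "$cp_user" ] || return 1  # primary, before any /instance
    [ "${cp_princ##*@}" = "$cp_realm" ] || return 1
}

# Step 3.4: print each named tool that is not on PATH.
missing_tools() {
    for mt_tool in "$@"; do
        command -v "$mt_tool" >/dev/null 2>&1 || echo "$mt_tool"
    done
}

# Steps 2 and 3.5: print each group the user is not a member of on this node.
missing_groups() {
    mg_have=" $(id -Gn "$1" 2>/dev/null || true) "; shift
    for mg_group in "$@"; do
        case $mg_have in *" $mg_group "*) ;; *) echo "$mg_group" ;; esac
    done
}

preflight() {   # arguments: <BDD user> <principal> <path to krb5.conf>
    pf_rc=0
    check_principal "$2" "$1" "$3" || { echo "FAIL principal $2" >&2; pf_rc=1; }
    for pf_i in $(missing_tools kinit kdestroy); do echo "FAIL no $pf_i" >&2; pf_rc=1; done
    for pf_i in $(missing_groups "$1" hive hdfs); do echo "FAIL $1 not in $pf_i" >&2; pf_rc=1; done
    return $pf_rc
}

[ $# -ne 3 ] || preflight "$@"
```

The script exits non-zero and names each failed prerequisite on stderr, so it can gate the installer run on each BDD node.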