Generate MapR Tickets
To run mappings on a MapR cluster that uses Kerberos or MapR Ticket authentication with information in Hive tables, generate a MapR ticket for the following users:
- Data Integration Service User
  - The Data Integration Service user requires an account on the MapR cluster and a MapR ticket on the Data Integration Service machine.
  - When the MapR cluster uses both Kerberos and Ticket authentication, you generate a ticket for the Data Integration Service user for each authentication system.
- Developer Tool User
  - The Developer tool user requires an account on the MapR cluster and a MapR ticket on the machine where the Developer tool is installed.
After you generate and save MapR tickets, you perform additional steps to configure application services to communicate with the MapR cluster.
Create the Developer Tool User
To enable the Developer tool to communicate with the MapR cluster, create and configure an account for the Developer tool user on every node in the cluster.
Generate Tickets
After you create a MapR user account for the Data Integration Service user and the Developer tool user, generate a MapR ticket for each user and save it to a local directory, depending on the user requirements that are listed below.
To generate a MapR ticket, refer to the MapR documentation.
Data Integration Service User Ticket
Generate a MapR ticket for the Data Integration Service user. Name the ticket file using the following naming convention:
maprticket_<user name>
Save the ticket file in the /tmp directory of the machine that runs the Data Integration Service.
When the MapR cluster is configured to enable a user to use Kerberos authentication and MapR Ticket authentication, you generate a MapR ticketfile for the user for each authentication mode. Save one ticketfile in /tmp. Save the other ticketfile in any directory on the Data Integration Service machine, and provide the location as the value for the MAPR_TICKETFILE_LOCATION property in the Data Integration Service Process properties.
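A ticket file is a credential, and /tmp is shared by every local account, so it is worth auditing each saved ticket before the service uses it. The following check is an added example, not Informatica or MapR code. The function name `check_ticket`, the user name `infa_dis`, and the requirement that the file be owned by one numeric uid with no group or other permissions are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Informatica or MapR code): audit a MapR ticket file
# saved under the maprticket_<user name> convention described on this page.
# check_ticket DIR USER OWNER_UID -> prints findings; returns 0 only if clean.
# DIR is /tmp or the MAPR_TICKETFILE_LOCATION directory. OWNER_UID is the
# numeric id of the OS account expected to own the file (an assumption).
check_ticket() {
    ct_file="$1/maprticket_$2"
    ct_uid=$3
    ct_rc=0
    # A symlink in a shared directory such as /tmp can redirect the service
    # to a ticket that another local account controls.
    if [ -L "$ct_file" ]; then
        echo "FAIL $ct_file: symbolic link"; return 1
    fi
    if [ ! -f "$ct_file" ]; then
        echo "FAIL $ct_file: missing or not a regular file"; return 1
    fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
    ct_mode=$(ls -ldn "$ct_file" | awk '{print $1}')
    ct_owner=$(ls -ldn "$ct_file" | awk '{print $3}')
    case "$ct_mode" in
        -???------*) ;;   # no group or other permission bits set
        *) echo "FAIL $ct_file: mode $ct_mode exposes the ticket to group/other"
           ct_rc=1 ;;
    esac
    if [ "$ct_owner" != "$ct_uid" ]; then
        echo "FAIL $ct_file: owned by uid $ct_owner, expected $ct_uid"
        ct_rc=1
    fi
    [ "$ct_rc" -eq 0 ] && echo "OK   $ct_file"
    return "$ct_rc"
}

# Constructed demo in a scratch directory (user name "infa_dis" is made up).
demo_dir=$(mktemp -d)
: > "$demo_dir/maprticket_infa_dis"
chmod 644 "$demo_dir/maprticket_infa_dis"
check_ticket "$demo_dir" infa_dis "$(id -u)" || true   # reports the loose mode
chmod 600 "$demo_dir/maprticket_infa_dis"
check_ticket "$demo_dir" infa_dis "$(id -u)"           # passes
rm -rf "$demo_dir"
```

Run the same function against both /tmp and the MAPR_TICKETFILE_LOCATION directory when the user has a ticket for each authentication mode.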
Developer Tool User Ticket
Generate a MapR ticket for the Developer tool user. Name the ticket file using the following naming convention:
maprticket_<user name>
Save the ticket file in the %TEMP% directory of the machine that runs the Developer tool.
Configure Informatica Application Services
Configure properties on the following Informatica application services:
- Data Integration Service
  - When the MapR cluster is secured with MapR Kerberos authentication, edit Data Integration Service properties to enable communication between the Informatica domain and the cluster.
- Analyst Service
  - If you use the Analyst tool to profile data in Hive data objects, configure properties on the Analyst Service to enable communication between the Analyst tool and the cluster, including testing of the Hive connection.
Configure the Data Integration Service
When the MapR cluster is secured with MapR Kerberos authentication, edit Data Integration Service properties to enable communication between the Informatica domain and the cluster.
Data Integration Service Properties
In the Administrator tool Domain Navigator, select the Data Integration Service to configure, then select the Properties tab.
In the Custom Properties area, define the following property value:
Property | Value |
---|---|
ExecutionContextOptions.JVMOption1 | -Dmapr.library.flatclass |
Data Integration Service Process Properties
In the Administrator tool Domain Navigator, select the Data Integration Service to configure, and then select the Processes tab.
In the Custom Properties area, define the following properties and values:
Property | Value |
---|---|
ExecutionContextOptions.JVMOption | -Djava.security.krb5.conf=<Informatica installation directory>/services/shared/security/krb5.conf |
ExecutionContextOptions.JVMOption1 | -Dmapr.library.flatclass |
ExecutionContextOptions.JVMOption2 | -Dhadoop.login=<MAPR_ECOSYSTEM_LOGIN_OPTS> -Dhttps.protocols=TLSv1.2 where <MAPR_ECOSYSTEM_LOGIN_OPTS> is the value of the MAPR_ECOSYSTEM_LOGIN_OPTS property in the file /opt/mapr/conf/env.sh. For example, -Dhadoop.login=hybrid |
ExecutionContextOptions.JVMOption7 | -Dhttps.protocols=TLSv1.2 |
In the Environment Variables area, configure the following property to define the Kerberos authentication protocol:
Property | Value |
---|---|
JAVA_OPTS | -Dhadoop.login=<MAPR_ECOSYSTEM_LOGIN_OPTS> -Dhttps.protocols=TLSv1.2 where <MAPR_ECOSYSTEM_LOGIN_OPTS> is the value of the MAPR_ECOSYSTEM_LOGIN_OPTS property in the file /opt/mapr/conf/env.sh. |
MAPR_HOME | Hadoop distribution directory location on the machine that runs the Data Integration Service. For example, <Informatica installation directory>/services/shared/hadoop/mapr_5.2.0 |
MAPR_TICKETFILE_LOCATION | Optional. Directory where an additional MapR Ticket file is stored on the machine that runs the Data Integration Service. When the MapR cluster is configured to enable a user to use Kerberos authentication and MapR Ticket authentication, generate a MapR ticketfile for the user for each authentication mode. Save one ticketfile in /tmp. Save the other ticketfile in any directory on the Data Integration Service machine, and provide the location as the value for this property. For example, for a user id 1234, save a MapR ticketfile named like maprticket_1234 in /tmp, and save another MapR ticketfile named like maprticket_1234 in the MAPR_TICKETFILE_LOCATION. Note: The ticketfiles can have the same or different names. You must generate the MapR ticketfiles separately and save one to the MAPR_TICKETFILE_LOCATION. |
Changes take effect when you restart the Data Integration Service.
Configure the Analyst Service
If you use the Analyst tool to profile data in Hive data objects, configure properties on the Analyst Service to enable communication between the Analyst tool and the cluster, including testing of the Hive connection.
In the Administrator tool Domain Navigator, select the Analyst Service to configure, then select the Processes tab.
In the Advanced Properties area, define the following property value:
Property | Value |
---|---|
ExecutionContextOptions.JVMOption1 | -Dmapr.library.flatclass |
In the Environment Variables area, configure the following property to define the Kerberos authentication protocol:
Property | Value |
---|---|
JAVA_OPTS | -Dhadoop.login=hybrid -Dhttps.protocols=TLSv1.2 |
MAPR_HOME | Hadoop distribution directory location on the machine that runs the Data Integration Service. For example, <Informatica installation directory>/services/shared/hadoop/mapr_5.2.0 |
MAPR_TICKETFILE_LOCATION | Directory where the MapR Ticket file is stored on the machine that runs the Analyst Service. For example, /export/home/username1/Keytabs_and_krb5conf/Tickets/project1/maprticket_30103 |
LD_LIBRARY_PATH | The location of Hadoop libraries. For example, <Informatica installation directory>/java/jre/lib:<Informatica installation directory>/services/shared/bin:<Informatica installation directory>/server/bin:<Informatica installation directory>/services/shared/hadoop/<MapR location>/lib/native/Linux-amd64-64 |
Changes take effect when you restart the Analyst Service.
Test the Hive Connection
After you configure users for MapR Ticket or Kerberos authentication on MapR clusters, you can test the Hive connection.
To test the Hive connection, or perform a metadata fetch task, use the following format for the connection string if the cluster is Kerberos-enabled:
jdbc:hive2://<hostname>:10000/default;principal=<SPN>
For example,
jdbc:hive2://myServer2:10000/default;principal=mapr/myServer2@clustername
Note: When the mapping performs a metadata fetch of a complex file object, the user whose maprticket is present at %TEMP% on the Windows machine must have read permission on the HDFS directory to list the files inside it and perform the import action. The metadata fetch operation ignores privileges of the user who is listed in the HDFS connection definition.