Describes the .customSecure file and how HPE Ezmeral Data Fabric 6.x handles custom security
settings.
In HPE Ezmeral Data Fabric 6.x, the configure.sh script detects that a cluster is in one of three security states:
| State | Description |
|---|---|
| Secure | The cluster is configured with the default HPE Ezmeral Data Fabric security settings. |
| Unsecure | No security settings are configured for the cluster. |
| Custom secure | The cluster has a mixture of HPE Ezmeral Data Fabric security settings and custom settings. |
Understanding how configure.sh handles custom security settings is important
when you upgrade a cluster, add services, add nodes, or change security settings.
Any change to the default HPE Ezmeral
Data Fabric configuration for authentication, authorization, or encryption represents
a "custom security" change. Users who make such changes are encouraged to create a
.customSecure file to ensure that configure.sh does not
remove these changes. Custom security changes include any change to the keystore or
truststore passwords, to the number of keys in those files, or to the names of the keys.
/opt/mapr/conf/mapr-clusters.conf
file. For example:

    <clustername1> secure=true <CLDB> <CLDB> … <CLDB>

For more information, see mapr-clusters.conf.
.customSecure
file:

    /opt/mapr/conf/.customSecure

If the file is present, configure.sh treats the cluster as custom secure.

To ensure that configure.sh does not change any of the settings, you can create a
.customSecure file. Create the file in the following location on every
node:

    /opt/mapr/conf/.customSecure

The .customSecure file does not contain any information. The presence of
the file tells configure.sh that the cluster has security settings that
must not be changed by configure.sh.
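The two signals described above (secure=true in mapr-clusters.conf and the presence of the .customSecure marker) can be checked on a node before configure.sh is run. The following is an added example, not part of configure.sh or the HPE documentation: the function names are hypothetical, the cluster name and CLDB entries are constructed sample data, and it assumes the first non-blank line of mapr-clusters.conf describes the cluster.

```shell
#!/bin/sh
# Added example: classify a node's security state from its conf directory.
# Function names are hypothetical; this approximates, not reproduces, configure.sh.

# Print "custom-secure", "secure", or "unsecure" for the given conf directory.
security_state() {
    conf_dir="${1:-/opt/mapr/conf}"
    clusters="$conf_dir/mapr-clusters.conf"

    # The marker file is empty; only its presence matters.
    if [ -e "$conf_dir/.customSecure" ]; then
        echo "custom-secure"
        return 0
    fi

    # Assumption: the first non-blank, non-comment line describes the cluster.
    if [ -r "$clusters" ] && awk '
        NF == 0 || $1 ~ /^#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == "secure=true") found = 1; exit }
        END { exit !found }' "$clusters"; then
        echo "secure"
    else
        echo "unsecure"
    fi
}

# Return 0 only when the node's state matches what the operator expects,
# so a missing marker is caught before configure.sh is run on the node.
require_state() {
    expected="$1"
    actual="$(security_state "$2")"
    if [ "$actual" != "$expected" ]; then
        echo "security state is '$actual', expected '$expected'" >&2
        return 1
    fi
}

# Demo on a constructed conf directory (sample data, not a real cluster).
demo_dir="$(mktemp -d)"
printf 'demo.cluster secure=true cldb1:7222 cldb2:7222\n' > "$demo_dir/mapr-clusters.conf"
security_state "$demo_dir"        # secure
: > "$demo_dir/.customSecure"     # empty marker, same effect as touch
security_state "$demo_dir"        # custom-secure
rm -rf "$demo_dir"
```

On a real node, `require_state custom-secure /opt/mapr/conf` returns non-zero when the marker is missing, which is the condition to catch on every node before an upgrade or a configure.sh -R run.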
Typically, you create the .customSecure file manually. However, in some
cases, configure.sh creates or removes the .customSecure
file for you. For example, if configure.sh detects that it is being run
after an upgrade from a MapR 5.x secure cluster, it creates the
.customSecure file automatically. If you use the
-forceSecurityDefaults option and -secure or
-unsecure with configure.sh, the script removes the
.customSecure file because you are forcing the removal of custom security
settings.
.customSecure file is
present), and you want to change to the default HPE Ezmeral Data Fabric secure or non-secure settings, you can use
the -forceSecurityDefaults option of configure.sh to make
the change. Note these considerations:

- The -forceSecurityDefaults option removes the .customSecure file. You must specify the -secure or -unsecure option with -forceSecurityDefaults. Otherwise, the command will have no effect.
- The -forceSecurityDefaults option might not remove all of your custom settings. Some manual editing might be necessary to return the cluster to a usable state.

configure.sh options that are required for security. And you need to
perform any steps required to add security. For example, see Enabling Wire-level Security.

Using the HPE Ezmeral Data Fabric Installer or HPE Ezmeral Data Fabric Installer Stanzas is not supported on clusters with custom security or customized configurations.
/opt/mapr/conf/.customSecure file on the added
node:

    /usr/bin/touch /opt/mapr/conf/.customSecure

If you add a new service (ecosystem component) to a secure or custom-secure cluster,
configure.sh configures the service for HPE Ezmeral Data Fabric security automatically. If the cluster is
custom secure, you need to change the security settings for the service to be compatible
with the current cluster settings and restart the service. Any subsequent use of
configure.sh -R will leave the customization in place.