Create and manage account
Available in VPC
This guide explains how to create and manage a Data Forest account and app.
Create account
The following describes how to create a Data Forest account.
- Connect to the NAVER Cloud Platform console.
- Click VPC from the Platform menu to switch to the VPC environment.
- Click the Services > Big Data & Analytics > Data Forest menus, in that order.
- Click the Accounts > [Create account] buttons.
- Enter the account name and account password.
- Account name: enter the account name required when submitting the app. (A combination of English letters and numbers between 2 and 16 characters can be used. The account name must be a unique value within the cluster. Click the [Check for duplicates] button to check if there's a duplicate.)
- Account password: enter the password to be used when logging in with the account. (It must be between 8 and 20 characters, and contain at least 1 English lower or uppercase letter, special character, and number.)
- Click the [Create] button.
- Check the account list to see if the account has been created.
- It takes about 2 to 3 minutes to create an account.
- Once the account has been created successfully, the account status changes to Running.
- Check if the account status is Running.
In Data Forest, only 1 account can be created and used per user.
Manage Account
Check cluster access information
The following describes how to check the access information for each application type in a cluster.
- From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest menu, in that order.
- Click the Data Forest > Apps menu on the left.
- After selecting the created app, click Quick links > [View details of access information] in the app details.
- Check the access information for each application type in the cluster.
Download keytab
A keytab file is required if you want to connect to a cluster from an account. The following describes how to download the keytab file.
- From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest > Accounts menu, in that order.
- Select an account, and then click Cluster access information > Download Kerberos keytab.
- When the download window appears, click the [Download] button.
Change HDFS quota
You can change the number and capacity of files for each HDFS according to the namespace of the cluster used by the account.
- From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest > Accounts menu, in that order.
- Select the account whose HDFS Quota you want to change and click Change account settings > Change HDFS Quota.
- When the Change HDFS Quota window appears, change the information and click the [Change] button.
- Namespace: select the namespace.
- Number of files after change: you can select a value from 1 million to 5 million, in units of 1 million (default: 1 million).
- File capacity after change: you can select a value from 200 TB to 500 TB, in units of 100 TB (default: 200 TB).
Reset Kerberos keytab
You can reset the Kerberos keytab if you have lost the downloaded keytab or need to change it.
The following describes how to reset Kerberos keytab.
- From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest > Accounts menu, in that order.
- Select the account to change the keytab for, and then click Change account settings > Reset Kerberos keytab.
- When the Kerberos keytab reset window appears, click the [Reset] button after checking the information.
Use caution: all applications and batch jobs using the existing keytab will fail once you reset the Kerberos keytab.
Reset account password
You can change the password if you have lost the account password or need to change it.
The following describes how to reset your account password.
- From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest > Accounts menu, in that order.
- Select the account to reset the account password for, and then click Change account settings > Reset account password.
- When the Change/reset account password window appears, enter the new password and click the [Change] button.
Delete account
You can delete accounts that are not in use. The following describes how to delete an account.
- From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest > Accounts menu, in that order.
- Select the account to delete, and then click the [Delete] button.
- Enter the name of the account to delete in the account deletion window, and then click the [Delete] button.
- The account can't be deleted if there are existing apps on the account. Delete the apps before deleting the account.
- Note that all data and files saved in the HDFS of the account are deleted when you delete the account, and they can't be recovered.
Authenticate account
There are two methods for user authentication in Data Forest. The following describes the method of using account name and password, and the method of using Kerberos principal and keytab.
Use account name and password
Web UI - SSO
Data Forest uses the kr.df.naverncp.com domain. Because login information is maintained through cookie-based authentication, users do not need to log in separately when accessing hosts in the same domain. For example, if you have logged in to koya-nn1.kr.df.naverncp.com, you can also access rm1.kr.df.naverncp.com directly. SSO works based on HTTP cookies, so it does not apply if the domain is different.
The following describes how to log in on the web UI.
- Access the web server that supports web SSO.
- When the login window appears, enter the account name and password you specified when creating Data Forest in the Username and Password fields, and then click the [LOGIN] button.
If the account and password do not match, then a pop-up window requesting that you enter the ID and password will appear. Don't enter information in the pop-up window. Click the [Cancel] button, and try logging in again in the previous login UI.
The authentication process uses a session cookie. The login session is maintained for up to 10 hours. If you haven't closed the browser, you are asked to log in again after 10 hours. There's no separate logout feature. To log out, close the browser completely or delete the cookies. (Delete the cookies hadoop.auth and hadoop-jwt for the kr.df.naverncp.com domain.)
The following describes how to log out on the web UI.
- If you are using the Chrome browser, click the [More tools] > [Developer tools] button.
- Go to the [Application] tab, and then click [Storage] > [Cookies].
- Click the cookies in the kr.df.naverncp.com domain.
- Right-click hadoop.auth and hadoop-jwt, and then click [Delete]. The cookies will be deleted.
HTTP API - Basic
Use the -u option to specify username:password in the HTTP API that uses basic authentication.
$ curl -s -u example "https://sso.kr.df.naverncp.com/gateway/koya-auth-basic/webhdfs/v1?op=GETHOMEDIRECTORY" | python -m json.tool
Enter host password for user 'example':
{
"Path": "/user/example"
}
Alternatively, you can send the Authorization: Basic $ENCODED_STRING header to authenticate without the -u option. ENCODED_STRING is the Base64-encoded value of username:password.
$ curl -s -H "Authorization: Basic ZXhhbXBsZTohQFF3ZXJ0MTI=" "https://sso.kr.df.naverncp.com/gateway/koya-auth-basic/webhdfs/v1?op=GETHOMEDIRECTORY" | python -m json.tool
{
"Path": "/user/example"
}
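Base64 is an encoding, not encryption, so the Authorization: Basic value is the account password in reversible form. The added example below (not part of the original guide; the function names are hypothetical) decodes the sample header shown above and builds a curl config that is passed on stdin with -K -, keeping the credential out of the command line.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of Data Forest.

# Encode username:password as a Basic credential.
# tr removes the line wrapping that base64 adds to long values.
basic_encode() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Recover username:password from an Authorization header value.
# Anyone who can read the header (proxy log, process list, shell history)
# can do the same, which is why the header must be treated as a secret.
basic_decode() {
    value=${1#Authorization: }
    value=${value#Basic }
    printf '%s' "$value" | base64 -d
}

# Emit a curl config line carrying the header, so the secret travels over
# stdin instead of argv:
#   basic_curl_config "$user" "$pass" | curl -s -K - "$url"
basic_curl_config() {
    printf 'header = "Authorization: Basic %s"\n' "$(basic_encode "$1" "$2")"
}

# Header value copied from this page's sample request.
SAMPLE='Authorization: Basic ZXhhbXBsZTohQFF3ZXJ0MTI='
```

Running basic_decode "$SAMPLE" prints the sample account name and password in clear text.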
Use Kerberos principal and keytab
Kerberos principal indicates a unique identity in a Kerberos system. The keytab file has the encrypted key to be used in the symmetric key algorithm that corresponds to Kerberos principal, and acts as a password. Kerberos authentication requires additional configuration for the host you are going to use. Also, the configuration methods differ by operating system.
Manage the Kerberos keytab file so that nobody other than the personnel in charge can access it. If the keytab file is leaked, a third party holding the file can use the permissions of the principal specified in the keytab. Do not upload keytab files to a public server or to private source storage that multiple people can access.
Authenticate keytab and check details
You can use the kinit command to authenticate uploaded keys.
For more information about how to upload keys to HDFS, see Using Dev app > Kerberos authentication.
CentOS7
$ kinit example -kt df.example.keytab
$ klist -5
Ticket cache: FILE:/tmp/krb5cc_p46655
Default principal: example@KR.DF.NAVERNCP.COM
Valid starting Expires Service principal
04/05/2021 18:02:22 04/06/2021 18:02:22 krbtgt/KR.DF.NAVERNCP.COM@KR.DF.NAVERNCP.COM
renew until 04/12/2021 18:02:22
Use the klist command to view the keytab file's content.
$ klist -kte df.example.keytab
Keytab name: FILE:df.example.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 12/28/2020 11:13:57 example@KR.DF.NAVERNCP.COM (aes256-cts-hmac-sha1-96)
4 12/28/2020 11:13:57 example@KR.DF.NAVERNCP.COM (aes128-cts-hmac-sha1-96)
4 12/28/2020 11:13:57 example@KR.DF.NAVERNCP.COM (des3-cbc-sha1)
macOS
$ kinit --keytab=df.example.keytab example
$ klist -5
Credentials cache: API:B94B9BE6-0510-4621-B6B9-E48F30488DAC
Principal: example@KR.DF.NAVERNCP.COM
Issued Expires Principal
Apr 5 18:11:06 2021 Apr 6 18:11:06 2021 krbtgt/KR.DF.NAVERNCP.COM@KR.DF.NAVERNCP.COM
$ ktutil --keytab=df.example.keytab list
df.example.keytab:
Vno Type Principal Aliases
4 aes256-cts-hmac-sha1-96 example@KR.DF.NAVERNCP.COM
4 aes128-cts-hmac-sha1-96 example@KR.DF.NAVERNCP.COM
4 des3-cbc-sha1 example@KR.DF.NAVERNCP.COM
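One way to check a downloaded keytab against the caution above, as an added example that is not part of the original guide: keytab_private verifies that only the file owner has any permission on the keytab, and weak_enctypes reads klist -kte output and reports key types deprecated by RFC 6649 and RFC 8429, such as the des3-cbc-sha1 entry in the listings above. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Succeeds only if the keytab is a regular file with no group or other
# permission bits set (for example mode 0600 or 0400).
keytab_private() {
    [ -f "$1" ] || return 2
    bits=$(ls -ld -- "$1" | cut -c5-10)   # group and other triplets
    [ "$bits" = "------" ]
}

# Reads `klist -kte <keytab>` output on stdin and prints each deprecated
# encryption type once (single DES, 3DES, RC4).
weak_enctypes() {
    awk '$NF ~ /^\(.*\)$/ {
        e = tolower($NF)
        gsub(/[()]/, "", e)
        sub(/^deprecated:/, "", e)   # tolerate a DEPRECATED: prefix if klist adds one
        if (e ~ /^(des-|des3-|arcfour-|rc4-)/ && !seen[e]++) print e
    }'
}

# Listing copied from this page (CentOS7 example).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:df.example.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 12/28/2020 11:13:57 example@KR.DF.NAVERNCP.COM (aes256-cts-hmac-sha1-96)
4 12/28/2020 11:13:57 example@KR.DF.NAVERNCP.COM (aes128-cts-hmac-sha1-96)
4 12/28/2020 11:13:57 example@KR.DF.NAVERNCP.COM (des3-cbc-sha1)
EOF
}

# Usage on a real file:
#   keytab_private df.example.keytab || chmod 600 df.example.keytab
#   klist -kte df.example.keytab | weak_enctypes
```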
HTTP API - SPNEGO
The HTTP API uses SPNEGO, so Kerberos authentication is required before you call it. After the Kerberos authentication, you can use SPNEGO easily with cURL.
wget does not support SPNEGO.
Run kinit first before using the -u : --negotiate option. For how to run kinit, see Authenticate keytab and check details.
$ kinit example -kt df.example.keytab
$ curl -u : --negotiate "https://sso.kr.df.naverncp.com/gateway/koya-auth-kerb/webhdfs/v1/user/example?op=GETHOMEDIRECTORY" | python -m json.tool
{
"Path": "/user/example"
}
Alternatively, you can send the Authorization: Negotiate $ENCODED_STRING header to authenticate without the -u option. ENCODED_STRING is the Base64-encoded value of gssapi-data.
$ curl -s -H "Authorization: Negotiate $ENCODED_STRING" "https://sso.kr.df.naverncp.com/gateway/koya-auth-kerb/webhdfs/v1/user/example?op=GETHOMEDIRECTORY" | python -m json.tool
{
"Path": "/user/example"
}
cURL may not support SPNEGO depending on the build version. Check the build version and make sure GSS-Negotiate and SPNEGO are included in Features.
$ curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
Check HTTP API authentication method
If it is difficult to determine which authentication method to use just from looking at the endpoint, you can send a request without the authentication information. The WWW-Authenticate header value of the response indicates the authentication method.
WWW-Authenticate | Authentication method |
---|---|
Basic | Basic Auth |
Negotiate | SPNEGO |
Basic Auth
$ curl -i "https://sso.kr.df.naverncp.com/gateway/koya-auth-basic/webhdfs/v1?op=GETHOMEDIRECTORY"
HTTP/1.1 401 Unauthorized
Date: Mon, 05 Apr 2021 09:39:53 GMT
Server: Jetty(9.4.12.v20180830)
WWW-Authenticate: BASIC realm="application"
Content-Length: 0
Set-Cookie: ROUTEID=.1; path=/
SPNEGO
$ curl -i "https://sso.kr.df.naverncp.com/gateway/koya-auth-kerb/webhdfs/v1/user/example?op=GETFILESTATUS"
HTTP/1.1 401 Authentication required
Date: Mon, 05 Apr 2021 09:39:04 GMT
Server: Jetty(9.4.12.v20180830)
WWW-Authenticate: Negotiate
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 391
Set-Cookie: hadoop.auth=; Path=gateway/koya-auth-kerb; Domain=sso.kr.df.naverncp.com; Secure; HttpOnly
Set-Cookie: ROUTEID=.2; path=/
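The check described above can be scripted. This added example (not part of the original guide; auth_method and the sample_* helpers are hypothetical names) reads a raw response as printed by curl -i and reports the method from WWW-Authenticate, matching case-insensitively because the gateway on this page answers BASIC while the table lists Basic.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Read a raw HTTP response (as printed by `curl -s -i URL`) on stdin and
# print the authentication method requested: basic, spnego, both, or none.
auth_method() {
    tr -d '\r' | awk '
        /^$/ { exit }                    # headers end at the first blank line
        {
            line = tolower($0)           # header names and schemes ignore case
            if (line !~ /^www-authenticate:/) next
            sub(/^www-authenticate:[ \t]*/, "", line)
            n = split(line, part, ",")   # one header may carry several challenges
            for (i = 1; i <= n; i++) {
                sub(/^[ \t]+/, "", part[i])
                split(part[i], word, /[ \t]+/)
                if (word[1] == "basic")     basic = 1
                if (word[1] == "negotiate") nego = 1
            }
        }
        END {
            if (basic && nego) print "basic spnego"
            else if (basic)    print "basic"
            else if (nego)     print "spnego"
            else               print "none"
        }'
}

# The first two samples reuse header lines shown on this page.
sample_basic() {
    printf '%s\r\n' 'HTTP/1.1 401 Unauthorized' \
        'Server: Jetty(9.4.12.v20180830)' \
        'WWW-Authenticate: BASIC realm="application"' \
        'Content-Length: 0' ''
}
sample_spnego() {
    printf '%s\r\n' 'HTTP/1.1 401 Authentication required' \
        'WWW-Authenticate: Negotiate' \
        'Set-Cookie: ROUTEID=.2; path=/' ''
}
# Constructed sample: a server offering both schemes in a single header.
sample_both() {
    printf '%s\r\n' 'HTTP/1.1 401 Unauthorized' \
        'www-authenticate: Negotiate, Basic realm="application"' ''
}
```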