Create and manage account

    Available in VPC

    This guide explains how to create and manage a Data Forest account and app.

    Create account

    The following describes how to create a Data Forest account.

    1. Connect to the NAVER Cloud Platform console.
    2. Click VPC from the Platform menu to switch to the VPC environment.
    3. Click the Services > Big Data & Analytics > Data Forest menus, in that order.
    4. Click the Accounts > [Create account] buttons.
    5. Enter the account name and account password.
      • Account name: enter the account name required when submitting the app. (A combination of English letters and numbers between 2 and 16 characters can be used. The account name must be a unique value within the cluster. Click the [Check for duplicates] button to check if there's a duplicate.)
      • Account password: enter the password to be used when logging in with the account. (It must be between 8 and 20 characters, and contain at least 1 English lower or uppercase letter, special character, and number.)
    6. Click the [Create] button.
    7. Check the account list to see if the account has been created.
      • It takes about 2 to 3 minutes to create an account.
      • Once the account has been created successfully, the account status changes to Running.
    8. Check if the account status is Running.
    Note

    In Data Forest, only 1 account can be created and used per user.

    Manage Account

    Check cluster access information

    The following describes how to check the access information for each application type in a cluster.

    1. From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest menu, in that order.
    2. Click the Data Forest > Apps menu on the left.
    3. After selecting the created app, click Quick links > [View details of access information] in the app details.
    4. Check the access information for each application type in the cluster.

    Download keytab

    A keytab file is required if you want to connect to a cluster from an account. The following describes how to download the keytab file.

    1. From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest > Accounts menu, in that order.
    2. Select an account, and then click Cluster access information > Download Kerberos keytab.
    3. When the download window appears, click the [Download] button.

    Change HDFS quota

    You can change the number and capacity of files for each HDFS according to the namespace of the cluster used by the account.

    1. From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest > Accounts menu, in that order.
    2. Select the account whose HDFS Quota you want to change and click Change account settings > Change HDFS Quota.
    3. When the Change HDFS Quota window appears, change the information and click the [Change] button.
      • Namespace: select the namespace.
      • Number of files after change: select a value between 1 million and 5 million, in units of 1 million (default: 1 million).
      • File capacity after change: select a value between 200 TB and 500 TB, in units of 100 TB (default: 200 TB).

    Reset Kerberos keytab

    You can reset the Kerberos keytab if you have lost the downloaded keytab or need to change it.

    The following describes how to reset Kerberos keytab.

    1. From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest > Accounts menu, in that order.
    2. Select the account to change the keytab for, and then click Change account settings > Reset Kerberos keytab.
    3. When the Kerberos keytab reset window appears, click the [Reset] button after checking the information.
    Caution

    Resetting the Kerberos keytab causes all applications and batch jobs that use the existing keytab to fail.

    Reset account password

    You can change the password if you have lost the account password or need to change it.
    The following describes how to reset your account password.

    1. From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest > Accounts menu, in that order.
    2. Select the account to reset the account password for, and then click Change account settings > Reset account password.
    3. When the Change/reset account password window appears, enter the new password and click the [Change] button.

    Delete account

    You can delete accounts that are not in use. The following describes how to delete an account.

    1. From the NAVER Cloud Platform console, click the Services > Big Data & Analytics > Data Forest > Accounts menu, in that order.
    2. Select the account to delete, and then click the [Delete] button.
    3. Enter the name of the account to delete in the account deletion window, and then click the [Delete] button.
    Caution
    • The account can't be deleted if there are existing apps on the account. Delete the apps before deleting the account.
    • Once you delete the account, all data and files saved in the account's HDFS are deleted and can't be recovered.

    Authenticate account

    There are two methods for user authentication in Data Forest. The following describes the method of using account name and password, and the method of using Kerberos principal and keytab.

    Use account name and password

    Web UI - SSO

    Data Forest uses the kr.df.naverncp.com domain. Login information is maintained through cookie-based authentication, so you don't need to log in separately when accessing hosts in the same domain. For example, if you have logged in to koya-nn1.kr.df.naverncp.com, you can also access rm1.kr.df.naverncp.com directly. SSO is based on HTTP cookies, so it does not apply across different domains.

    The following describes how to log in on the web UI.

    1. Access the web server that supports web SSO.
    2. When the login window appears, enter the account name and password you specified when creating the Data Forest account in the Username and Password fields, and then click the [LOGIN] button.
    Note

    If the account and password do not match, then a pop-up window requesting that you enter the ID and password will appear. Don't enter information in the pop-up window. Click the [Cancel] button, and try logging in again in the previous login UI.

    The authentication process uses a session cookie. The login session is maintained for up to 10 hours. If you haven't closed the browser, you are asked to log in again after 10 hours. There is no separate logout feature; to log out, close the browser completely or delete the cookies. (Delete the hadoop.auth and hadoop-jwt cookies for the kr.df.naverncp.com domain.)

    The following describes how to log out on the web UI.

    1. If you are using the Chrome browser, click the [More tools] > [Developer tools] button.
    2. Go to the [Application] tab, and then click [Storage] > [Cookies].
    3. Click the cookies in the kr.df.naverncp.com domain.
    4. Right-click hadoop.auth and hadoop-jwt, and then click [Delete]. The cookies will be deleted.

    HTTP API - Basic

    For HTTP APIs that use Basic authentication, specify username:password with the -u option.

    $ curl -s -u example  "https://sso.kr.df.naverncp.com/gateway/koya-auth-basic/webhdfs/v1?op=GETHOMEDIRECTORY" | python -m json.tool
    Enter host password for user 'example':
    {
        "Path": "/user/example"
    }
    

    Alternatively, you can send the Authorization: Basic $ENCODED_STRING header instead of using the -u option. ENCODED_STRING is the value of username:password encoded in Base64.

    $ curl -s -H "Authorization: Basic ZXhhbXBsZTohQFF3ZXJ0MTI=" "https://sso.kr.df.naverncp.com/gateway/koya-auth-basic/webhdfs/v1?op=GETHOMEDIRECTORY" | python -m json.tool
    {
        "Path": "/user/example"
    }
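
    The header value is only the Base64 encoding of username:password, so it has to be handled like the password itself. The following added example (not part of the original guide) builds the header and hands it to curl through a config file on stdin instead of the command line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Data Forest documentation).
# basic_token USER PASSWORD: print Base64("USER:PASSWORD"), the value that
# follows "Authorization: Basic ". printf is a shell builtin, so the password
# is never placed in another process's argument list.
basic_token() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# curl_config_basic USER PASSWORD URL: print a curl config file that carries
# the header, for use with `curl --config -` (config read from stdin).
curl_config_basic() {
  printf 'silent\nheader = "Authorization: Basic %s"\nurl = "%s"\n' \
    "$(basic_token "$1" "$2")" "$3"
}

# webhdfs_home USER: prompt for the password without echo and call the
# GETHOMEDIRECTORY endpoint shown above. The header reaches curl on stdin,
# so it does not appear in `ps` output or shell history.
webhdfs_home() {
  printf 'Password for %s: ' "$1" >&2
  stty -echo
  IFS= read -r pw
  stty echo
  printf '\n' >&2
  curl_config_basic "$1" "$pw" \
    "https://sso.kr.df.naverncp.com/gateway/koya-auth-basic/webhdfs/v1?op=GETHOMEDIRECTORY" |
    curl --config -
  unset pw
}
```

    Run it as webhdfs_home example | python -m json.tool from an interactive shell.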
    

    Use Kerberos principal and keytab

    A Kerberos principal is a unique identity in a Kerberos system. The keytab file contains the encrypted key for the principal, used with a symmetric key algorithm, and acts as a password. Kerberos authentication requires additional configuration on the host you are going to use, and the configuration method differs by operating system.

    Caution

    The Kerberos keytab file should be managed so it is not accessible by people other than the personnel in charge. If the Kerberos keytab file is leaked, then a third party with the file can use the principal permission specified in the keytab. Take caution not to upload keytab files to a public server or private source storage where multiple people have access.
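
    One way to enforce this on the host where the keytab is stored, as an added example that is not part of the original guide: check that the file has no group or other permission bits before it is used with kinit. The function names are hypothetical, and the kinit call uses the CentOS 7 argument order from this guide.

```shell
#!/bin/sh
# Added example (not from the Data Forest documentation).
# keytab_is_private FILE: succeed only if FILE is a regular file with no
# group or other permission bits set (for example mode 600 or 400).
keytab_is_private() {
  kt=$1
  if [ ! -f "$kt" ]; then
    echo "keytab check: $kt is not a regular file" >&2
    return 2
  fi
  # Characters 5-10 of the ls mode string are the group and other bits.
  # -L follows symlinks so the mode of the target is checked, not the link.
  perms=$(ls -ldL -- "$kt" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "keytab check: $kt is accessible beyond its owner (group/other bits: $perms)" >&2
    echo "keytab check: fix with: chmod 600 $kt" >&2
    return 1
  fi
  return 0
}

# kinit_with_private_keytab PRINCIPAL KEYTAB: refuse to authenticate from a
# keytab that other local users can read. Uses the CentOS 7 (MIT Kerberos)
# argument order from this guide; on macOS use kinit --keytab=KEYTAB PRINCIPAL.
kinit_with_private_keytab() {
  keytab_is_private "$2" || return
  kinit "$1" -kt "$2"
}
```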

    Authenticate keytab and check details

    You can use the kinit command to authenticate uploaded keys.

    Note

    For more information about how to upload keys to HDFS, see Using Dev app > Kerberos authentication.

    CentOS7

    $ kinit example -kt df.example.keytab
    $ klist -5
    Ticket cache: FILE:/tmp/krb5cc_p46655
    Default principal: example@KR.DF.NAVERNCP.COM
    
    Valid starting       Expires              Service principal
    04/05/2021 18:02:22  04/06/2021 18:02:22  krbtgt/KR.DF.NAVERNCP.COM@KR.DF.NAVERNCP.COM
            renew until 04/12/2021 18:02:22
    

    Use the klist command to view the keytab file's content.

    $ klist -kte df.example.keytab
    Keytab name: FILE:df.example.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       4 12/28/2020 11:13:57 example@KR.DF.NAVERNCP.COM (aes256-cts-hmac-sha1-96)
       4 12/28/2020 11:13:57 example@KR.DF.NAVERNCP.COM (aes128-cts-hmac-sha1-96)
       4 12/28/2020 11:13:57 example@KR.DF.NAVERNCP.COM (des3-cbc-sha1)
    

    macOS

    $ kinit --keytab=df.example.keytab example
    $ klist -5
    Credentials cache: API:B94B9BE6-0510-4621-B6B9-E48F30488DAC
            Principal: example@KR.DF.NAVERNCP.COM
    
      Issued                Expires               Principal
    Apr  5 18:11:06 2021  Apr  6 18:11:06 2021  krbtgt/KR.DF.NAVERNCP.COM@KR.DF.NAVERNCP.COM
    $ ktutil --keytab=df.example.keytab list
    df.example.keytab:
    
    Vno  Type                     Principal                   Aliases
      4  aes256-cts-hmac-sha1-96  example@KR.DF.NAVERNCP.COM
      4  aes128-cts-hmac-sha1-96  example@KR.DF.NAVERNCP.COM
      4  des3-cbc-sha1            example@KR.DF.NAVERNCP.COM
    

    HTTP API - SPNEGO

    The HTTP API uses SPNEGO, so you must complete Kerberos authentication before calling it. After Kerberos authentication, you can use SPNEGO easily with cURL.

    Caution

    wget does not support SPNEGO.

    Run kinit before using the -u : --negotiate option. For details, see Authenticate keytab and check details.

    $ kinit example -kt df.example.keytab
    $ curl -u : --negotiate "https://sso.kr.df.naverncp.com/gateway/koya-auth-kerb/webhdfs/v1/user/example?op=GETHOMEDIRECTORY" | python -m json.tool
    {
        "Path": "/user/example"
    }
    

    Alternatively, you can send the Authorization: Negotiate $ENCODED_STRING header instead of using the -u option. ENCODED_STRING is the value of gssapi-data encoded in Base64.

    $ curl -s -H "Authorization: Negotiate $ENCODED_STRING" "https://sso.kr.df.naverncp.com/gateway/koya-auth-kerb/webhdfs/v1/user/example?op=GETHOMEDIRECTORY" | python -m json.tool
    {
        "Path": "/user/example"
    }
    
    Note

    cURL may not support SPNEGO depending on the build version. Check the build version and make sure GSS-Negotiate and SPNEGO are included in Features.

    $ curl --version
    curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
    Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
    

    Check HTTP API authentication method

    If it is difficult to tell which authentication method an endpoint uses, send a request without authentication information. The WWW-Authenticate header value in the response indicates the authentication method.

    WWW-Authenticate    Authentication method
    Basic               Basic Auth
    Negotiate           SPNEGO

    Basic Auth

    $ curl -i "https://sso.kr.df.naverncp.com/gateway/koya-auth-basic/webhdfs/v1?op=GETHOMEDIRECTORY"
    HTTP/1.1 401 Unauthorized
    Date: Mon, 05 Apr 2021 09:39:53 GMT
    Server: Jetty(9.4.12.v20180830)
    WWW-Authenticate: BASIC realm="application"
    Content-Length: 0
    Set-Cookie: ROUTEID=.1; path=/
    

    SPNEGO

    $ curl -i "https://sso.kr.df.naverncp.com/gateway/koya-auth-kerb/webhdfs/v1/user/example?op=GETFILESTATUS"
    HTTP/1.1 401 Authentication required
    Date: Mon, 05 Apr 2021 09:39:04 GMT
    Server: Jetty(9.4.12.v20180830)
    WWW-Authenticate: Negotiate
    Cache-Control: must-revalidate,no-cache,no-store
    Content-Type: text/html;charset=iso-8859-1
    Content-Length: 391
    Set-Cookie: hadoop.auth=; Path=gateway/koya-auth-kerb; Domain=sso.kr.df.naverncp.com; Secure; HttpOnly
    Set-Cookie: ROUTEID=.2; path=/
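
    The check described in this section can be scripted. The following added example (not part of the original guide) classifies an endpoint from the WWW-Authenticate header of an unauthenticated response, matching the scheme case-insensitively because the gateway returns both BASIC and Negotiate; the function names are hypothetical and the sample responses are constructed from the two shown above.

```shell
#!/bin/sh
# Added example (not from the Data Forest documentation).
# auth_scheme reads raw HTTP response headers on stdin, as printed by
# `curl -si URL`, and prints: basic, spnego, basic+spnego, or unknown.
auth_scheme() {
  tr -d '\r' | awk '
    /^$/ { exit }                          # blank line ends the header block
    {
      line = tolower($0)                   # names and schemes are case-insensitive
      if (line !~ /^www-authenticate:/) next
      sub(/^www-authenticate:[ \t]*/, "", line)
      split(line, parts, /[ \t]/)          # the scheme is the first token
      if (parts[1] == "basic") basic = 1
      if (parts[1] == "negotiate") spnego = 1
    }
    END {
      if (basic && spnego) print "basic+spnego"
      else if (basic)      print "basic"
      else if (spnego)     print "spnego"
      else                 print "unknown"
    }'
}

# probe_auth_scheme URL: send one unauthenticated request and classify it.
probe_auth_scheme() {
  curl -si --max-time 10 "$1" | auth_scheme
}

# Constructed sample input: the two 401 responses shown above, trimmed,
# with the CRLF line endings a real server sends.
sample_basic_401() {
  printf '%s\r\n' 'HTTP/1.1 401 Unauthorized' \
    'Server: Jetty(9.4.12.v20180830)' \
    'WWW-Authenticate: BASIC realm="application"' \
    'Content-Length: 0' ''
}
sample_spnego_401() {
  printf '%s\r\n' 'HTTP/1.1 401 Authentication required' \
    'WWW-Authenticate: Negotiate' \
    'Content-Type: text/html;charset=iso-8859-1' '' \
    '<html>WWW-Authenticate: Basic (body text, must be ignored)</html>'
}

echo "basic endpoint sample:  $(sample_basic_401 | auth_scheme)"
echo "spnego endpoint sample: $(sample_spnego_401 | auth_scheme)"
```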
    
