(Glue-2411) Hadoop Prerequisites
High-level summary of necessary steps (more details can be found in the following documentation):
SAP Basis/Infrastructure tasks:
SAP Basis team:
Create directories on each SAP application server:
/sapmnt/<SID>/global/security/dvd_conn/hive
/sapmnt/<SID>/global/security/dvd_conn/impala
Upload the latest JDBC drivers for Hive and Impala to respective directories on each SAP application server:
for Hive:
/sapmnt/<SID>/global/security/dvd_conn/hive
for Impala:
/sapmnt/<SID>/global/security/dvd_conn/impala
Upload files provided by the Hadoop team to directory
/usr/sap/<SID>/global/security/dvd_conn
:<SID>.keytab
krb5.conf
jssecacerts
Upload
.pem
certificates for HttpFS/WebHDFS to STRUST.Enable HTTPS service in ICM.
Create RFC destination for communication with HttpFS/WebHDFS service.
Set parameter
ict/disable_cookie_urlencoding
(to 1 or 2 dependent on SAP kernel release).Deploy SNP Java Connector (SM-Latest) Java Connector Setup.
Create SNP_JAVA_CONN RFC:
Connection type: TCP/IP Connection
Activation type: Registered Server Program
Fill in the Program ID for example: SNP_JAVA_CONN
Create Technical SAP user for ABAP->JCO RFC Communication:
In transport, you are provided with a template role with name
/DVD/JCORFC
(if you will use this role, please do not forget to generate the role in transaction PFCG)User should be created with type System and should be assigned with role
/DVD/JCORFC
Grant access for external program SNP_JAVA_CONN to SAP gateway:
Check SMGW > Goto > Expert Functions > External Security > Maintenance of ACL files if external programs are allowed (=* or ProgramID)
Networking team:
Enable correct resolution of hostnames of Hadoop nodes and Kerberos KDC from the SAP system.
Enable outbound communication from the SAP system to Hadoop services:
Port | Service |
---|---|
10000 | Hive |
14000 | HttpFS |
21050 | Impala |
50070 | WebHDFS (may be required if HttpFS is not available) |
88 | Kerberos Key Distribution Center (KDC) |
Hadoop team:
Create Kerberos principal for each SAP system (
<sid>hdp
) and provide its keytab file to the SAP Basis team (further referred to as Hadoop technical user).Provide
krb5.conf
file to the SAP Basis team.Provide Java truststore (
jssecacerts
) from the Hadoop environment to the SAP Basis team.Provide
.pem
certificate of HttpFS/WebHDFS service to SAP Basis team.Create a home directory for each technical <SID>hdp user with appropriate ownership/permissions (e.g.
/user/<sid>hdp
)”This can be tested by:
curl --negotiate -u : -k "https://<HttpFS_host_FQDN>:14000/webhdfs/v1/?op=GETHOMEDIRECTORY"
.
Create a Hive database for each SAP system (
sap<sid>
).Create Sentry/Ranger policies granting full privileges to
<sid>hdp
user onsap<sid>
database and user's HDFS directory (e.g./user/<sid>hdp
).Test access of Hadoop technical user.