This section describes how to install Enterprise Steam on Red Hat Enterprise Linux.
Requirements for Enterprise Steam with RHEL
- RHEL 6.7 or greater. Note that HAProxy is already included with this version of Red Hat.
- Enterprise Steam .rpm file. This is available from the Steam download page.
- Chrome version 50+ browser with an Internet connection. Note that Chrome is currently the only supported browser, and the minimum version is 50.
- H2O driver for your version of Hadoop. This is available from the H2O Download page. Click the Install on Hadoop tab, and select the correct version for your environment.
- Sparkling Water package (available from https://www.h2o.ai/download/#sparkling-water). Note that the minimum supported versions for enabling Sparkling Water in Enterprise Steam are:
- Enterprise Steam R Package (available from the Enterprise Steam Download page on the STEAM API tab)
- Enterprise Steam Python Package (available from the Enterprise Steam Download page on the STEAM API tab)
- PEM certificate file
- PEM private key file
- Your own Enterprise Steam Principal Keytab file, if Kerberos is enabled.
Install HAProxy on RHEL
RHEL 6.7 or greater includes HAProxy. Run the following command if you have not already installed HAProxy. Note that SSL must be enabled before you run this command.
sudo yum install haproxy
Install Enterprise Steam on RHEL
- On your local machine, download the Enterprise Steam .rpm file from the Steam download page.
- Review and accept the terms of the EULA.
- Open a terminal window and ssh to your Hadoop edge node.
- Copy the Enterprise Steam .rpm file to your edge node.
scp ./esteam_1.0.0_amd64.rpm <user>@<hadoop_edge_node>:.
- Install the Enterprise Steam .rpm file.
sudo rpm -i <esteam_rpm_package>
- Set the administrator username and password.
On RHEL 6:
sudo /etc/init.d/steam set-admin
On RHEL 7:
sudo su -s /bin/bash -c "/opt/h2oai/steam/steam set admin" steam
- The Enterprise Steam installation requires the following updates to the Hadoop core-site.xml file. These changes specify the hosts on which the proxyuser can act as a superuser. They also cover the case where the superuser runs H2O on behalf of another user. Note that this step is typically performed by a Hadoop engineer.
<property>
  <name>hadoop.proxyuser.steam.hosts</name>
  <value>host1,host2</value>
</property>
<property>
  <name>hadoop.proxyuser.steam.groups</name>
  <value>group1,group2</value>
</property>
<property>
  <name>hadoop.proxyuser.steam.users</name>
  <value>user1,user2</value>
</property>
host1,host2 are the hostnames of the machines. Separate multiple hostnames with commas.
group1,group2 are the group IDs. Separate multiple group IDs with commas.
user1,user2 are the user IDs. Separate multiple user IDs with commas.
Note: In most cases, you will set either the proxyuser groups or proxyuser users. You are not required to set both.
Additional information about these changes is available here: https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-common/Superusers.html.
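A check that can be run after editing core-site.xml, given here as an added example (it is not part of the Enterprise Steam documentation or tooling). It parses the file and reports hadoop.proxyuser.steam.* entries that are missing or set to the wildcard `*`, which Hadoop accepts as "any host, group or user". The function name and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "hadoop.proxyuser.steam."

# Constructed sample: hosts are restricted, but groups is a wildcard.
SAMPLE_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.steam.hosts</name>
    <value>host1,host2</value>
  </property>
  <property>
    <name>hadoop.proxyuser.steam.groups</name>
    <value>*</value>
  </property>
</configuration>"""


def audit_proxyuser(xml_text):
    """Return a list of findings for the steam proxyuser settings."""
    root = ET.fromstring(xml_text)
    settings = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIX):
            value = (prop.findtext("value") or "").strip()
            # Values are comma-separated lists, as described on this page.
            settings[name[len(PREFIX):]] = [v.strip() for v in value.split(",") if v.strip()]

    findings = []
    # hosts limits where impersonation requests may come from.
    if not settings.get("hosts"):
        findings.append("hosts: not set")
    # The page notes that either groups or users is normally set, not necessarily both.
    if not settings.get("groups") and not settings.get("users"):
        findings.append("groups/users: neither is set")
    for key in ("hosts", "groups", "users"):
        if "*" in settings.get(key, []):
            findings.append("%s: wildcard '*' allows any value" % key)
    return findings


if __name__ == "__main__":
    for finding in audit_proxyuser(SAMPLE_CORE_SITE):
        print("WARN", finding)
```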
- (Optional) Install the certificate and private key for the Enterprise Steam server by placing them at /etc/steam/cert.pem and /etc/steam/private_key.pem, respectively.
- (Optional) Make changes in the /etc/steam/steam.yaml file. Below is a sample steam.yaml file showing the available configuration options.
# Working directory points to directory for Steam assets
STEAM_WORKING_DIRECTORY: /opt/h2oai/steam/var/master

# Directory of Steam and Hadoop temporary files. Defaults to your OS's temp directory.
# STEAM_TMP_DIR: /tmp

# Certificate and private key PEM files used by both the Steam process and Steam's haproxy process.
# If not present a self-signed certificate will be autogenerated by Steam.
STEAM_WEB_TLS_CERT_PATH: /etc/steam/cert.pem
STEAM_WEB_TLS_PRIVATE_KEY_PATH: /etc/steam/private_key.pem

# Choose minimal crypto protocol: ssl3, tls10, tls11, tls12
STEAM_WEB_MIN_CRYPTO_PROTOCOL: tls11

# Steam itself uses this port.
STEAM_HTTPS_PORT: 9000

# Steam's haproxy uses this port. This is NOT the system haproxy.
# Steam starts and manages its own haproxy process with its own config file (which is autogenerated).
# You can disable the system haproxy completely if you want to.
STEAM_PROXY_HTTPS_PORT: 9999

# Steam will save application logs into this directory
STEAM_LOG_DIR: /var/log/steam

# Unix permission of the log files
STEAM_LOG_PERMISSIONS: 0644

# Uncomment the following security related values to enable kerberized/maprticket access to hadoop
# STEAM_MAPR_TICKETS_ENABLED: FALSE
# STEAM_MAPR_TICKET_DIR: /opt/h2oai/steam/mapr
# STEAM_MAPR_SERVICE_NAME: steam
#
# STEAM_KERBEROS_ENABLED: FALSE
# STEAM_KERBEROS_PRINCIPAL: pcpl@REALM
# STEAM_KERBEROS_KEYTAB_PATH: /home

# These configuration options modify Yarn/Hadoop implementations
# Coerce flags change the casing of usernames in regards to impersonation for case sensitive implementations.
# STEAM_COERCE_USERNAMES_LOWER: FALSE

# Steam log level can be set to (0 - Panic level, 1 - Fatal level, 2 - Error level, 3 - Warning level, 4 - Info level, 5 - Debug level)
STEAM_LOG_LEVEL: 4

# The HTTP Strict-Transport-Security response header is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
# Value is in Seconds, the default value is equivalent to 20 years.
# Set to empty to disable.
SERVER_STRICT_TRANSPORT: max-age=631138519

# The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
# When value is set to 1 and a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts)
SERVER_X_XSS_PROTECTION: 0

# Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
SERVER_CONTENT_SECURITY_POLICY: style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:;

# You might need to set it to true if Steam is being too strict about your SAML response
SAML_INSECURE_ALLOWED: FALSE

# Set to true to disable the built-in admin user from logging-in
SAML_DISABLE_ADMIN: FALSE

# Set how long to wait before timing out idle web session
STEAM_WEB_UI_TIMEOUT_MIN: 480

# Used to turn off embedded Jupyterhub
STEAM_SW_DISABLE_JUPYTER: FALSE
- (Optional) If your environment uses Kerberos authentication, then uncomment the Kerberos related values in /etc/steam/steam.yaml. Be sure to also specify the correct Kerberos principal and path to the keytab file. Note that you may also be required to add another proxyuser configuration. Refer to https://hadoop.apache.org/docs/current/hadoop-kms/index.html#KMS_Proxyuser_Configuration for more information.
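A review aid for the steam.yaml settings above, given as an added example (it is not shipped with Enterprise Steam). It reads the flat KEY: value lines and reports the security-relevant choices the sample file exposes: a minimum protocol below tls12, relaxed SAML checking, world-readable logs, and HSTS disabled by an empty value. The function names and the sample input are constructed for illustration.

```python
PROTOCOLS = ["ssl3", "tls10", "tls11", "tls12"]  # weakest to strongest, as listed in steam.yaml

# Constructed sample that reuses values from the sample steam.yaml on this page.
SAMPLE_STEAM_YAML = """\
STEAM_WEB_MIN_CRYPTO_PROTOCOL: tls11
STEAM_LOG_PERMISSIONS: 0644
# STEAM_KERBEROS_ENABLED: FALSE
SERVER_STRICT_TRANSPORT: max-age=631138519
SAML_INSECURE_ALLOWED: FALSE
"""


def parse_flat_yaml(text):
    """Parse the flat KEY: value lines of steam.yaml, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        # Split on the first colon only: CSP values contain further colons.
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def audit_steam_yaml(text):
    """Return findings for security-relevant settings present in the file."""
    cfg = parse_flat_yaml(text)
    findings = []
    proto = cfg.get("STEAM_WEB_MIN_CRYPTO_PROTOCOL", "").lower()
    if proto in PROTOCOLS and PROTOCOLS.index(proto) < PROTOCOLS.index("tls12"):
        findings.append("STEAM_WEB_MIN_CRYPTO_PROTOCOL=%s permits protocols older than TLS 1.2" % proto)
    if cfg.get("SAML_INSECURE_ALLOWED", "").lower() == "true":
        findings.append("SAML_INSECURE_ALLOWED makes Steam less strict about SAML responses")
    perms = cfg.get("STEAM_LOG_PERMISSIONS", "")
    # The value is an octal Unix mode; bit 0o004 is "read" for other users.
    if perms and set(perms) <= set("01234567") and int(perms, 8) & 0o004:
        findings.append("STEAM_LOG_PERMISSIONS=%s makes logs world-readable" % perms)
    if "SERVER_STRICT_TRANSPORT" in cfg and not cfg["SERVER_STRICT_TRANSPORT"]:
        findings.append("SERVER_STRICT_TRANSPORT is empty, so HSTS is disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_steam_yaml(SAMPLE_STEAM_YAML):
        print("WARN", finding)
```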
At this point, you are ready to Start Enterprise Steam.