This section describes how to install Enterprise Steam on Ubuntu.
Requirements for Enterprise Steam with Ubuntu¶
- Ubuntu 12.04 or greater
- Enterprise Steam .deb file. This is available on the Steam download page.
- Chrome version 50+ browser with an Internet connection. Note that Chrome is currently the only supported browser, and the minimum version is 50.
- H2O driver for your version of Hadoop. This is available from the H2O Download page. Click the Install on Hadoop tab, and select the correct version for your environment.
- HAProxy 1.5 or greater. For Ubuntu, this is available from haproxy.debian.net.
- Sparkling Water package (available from https://www.h2o.ai/download/#sparkling-water). Note that the minimum supported verions for enabling Sparking Water in Enterprise Steam are:
- Enterprise Steam R Package (available from the Enterprise Steam Download page on the STEAM API tab)
- Enterprise Steam Python Package (available from the Enteprise Steam Download page on the STEAM API tab)
- PEM certificate file
- PEM privatekey file
- Your own Enterprise Steam Principal Keytab file, if Keberos is enabled.
Install HAProxy for Ubuntu¶
This section describes how to install HAProxy 1.5. You can skip this section if your environment already has HAProxy 1.5.or greater.
In your browser, go to https://haproxy.debian.net.
Select the system and version that you are running, then select an HAProxy version of 1.5-stable or greater.
Open a Terminal window and run the commands that are listed (using
sudoif required). The example below shows the commands to use with Ubuntu version Trusty (14.04 LTS) and HAProxy version 1.7-stable.
Install Enterprise Steam on Ubuntu¶
- On your local machine, download the Enterprise Steam .deb from the Steam download page.
- Review and accepts the terms of the EULA.
- Open a terminal window and ssh to your Hadoop edge node.
- Copy the Enterprise Steam .deb file to your edge node.
scp <user>@<hadoop_edge_node>:./esteam_1.0.0_amd64.deb .
- Install the Enterprise Steam .deb file.
sudo dpkg -i esteam_1.0.0_amd64.deb
- Set the administrator username and password.
sudo service steam set-admin username: administrator password: ***********
- The Enterprise Steam installation requires the following updates to the Hadoop coresite.xml. These changes provide the hosts that proxyuser can be a superuser on. These changes also provide for the case where superuser is someone who can run H2O on behalf of another user. Note that this step is typically performed by a Hadoop engineer.
<property> <name>hadoop.proxyuser.steam.hosts</name> <value>host1,host2</value> </property> <property> <name>hadoop.proxyuser.steam.groups</name> <value>group1,group2</value> </property> <property> <name>hadoop.proxyuser.steam.users</name> <value>user1,user2</value> </property>
host1,host2are the hostnames of the machines. Separate multiple hostnames with commas.
group1,group2are the group IDs. Separate multiple group IDs with commas.
user1,user2are the user IDs. Separate multiple user IDs with commas.
Note: In most cases, you will set either the proxyuser groups or proxyuser users. You are not required to set both.
Additional information about these changes is available here: https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-common/Superusers.html.
- (Optional) Install the certificate and private key for the Enterprise Steam server by adding these in /etc/steam/private_key.pem, /etc/steam/cert.pem.
- Optionally make changes in the /etc/steam/steam.yaml file. Below is a sample steam.yaml file showing the available configuration options.
# Working directory points to directory for Steam assets STEAM_WORKING_DIRECTORY: /opt/h2oai/steam/var/master # Directory of Steam and Hadoop temporary files. Defaults to your OS's temp directory. # STEAM_TMP_DIR: /tmp # Certificate and private key PEM files used by both the Steam process and Steam's haproxy process. # If not present a self-signed certificate will be autogenerated by Steam. STEAM_WEB_TLS_CERT_PATH: /etc/steam/cert.pem STEAM_WEB_TLS_PRIVATE_KEY_PATH: /etc/steam/private_key.pem # Choose minimal crypto protocol: ssl3, tls10, tls11, tls12 STEAM_WEB_MIN_CRYPTO_PROTOCOL: tls11 # Steam itself uses this port. STEAM_HTTPS_PORT: 9000 # Steam will save application logs into this directory STEAM_LOG_DIR: /var/log/steam # Unix permission of the log files STEAM_LOG_PERMISSIONS: 0644 # Uncomment the following security related values to enable kerberized/maprticket access to hadoop # STEAM_MAPR_TICKETS_ENABLED: FALSE # STEAM_MAPR_TICKET_DIR: /opt/h2oai/steam/mapr # STEAM_MAPR_SERVICE_NAME: steam # # STEAM_KERBEROS_ENABLED: FALSE # STEAM_KERBEROS_PRINCIPAL: pcpl@REALM # STEAM_KERBEROS_KEYTAB_PATH: /home # These configuration options modify Yarn/Hadoop implementations # Coerce flags change the casing of usernames in regards to impersonation for case sensitive implementations. # STEAM_COERCE_USERNAMES_LOWER: FALSE # Steam log level can be set to (0 - Panic level, 1 - Fatal level, 2 - Error level, 3 - Warning level, 4 - Info level, 5 - Debug level) STEAM_LOG_LEVEL: 4 # The HTTP Strict-Transport-Security response header is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. # Value is in Seconds, the default value is equivalent to 20 years. # Set to empty to disable. SERVER_STRICT_TRANSPORT: max-age=631138519 # The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. # When value is set to 1 and a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts) SERVER_X_XSS_PROTECTION: 0 # Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. SERVER_CONTENT_SECURITY_POLICY: style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; # You might need to set it to true if Steam is being too strict about your SAML response SAML_INSECURE_ALLOWED: FALSE # Set to true to disable the build-in admin user from logging-in SAML_DISABLE_ADMIN: FALSE # Set how long to wait before timing out idle web session STEAM_WEB_UI_TIMEOUT_MIN: 480 # Used to turn off embedded Jupyterhub STEAM_SW_DISABLE_JUPYTER: FALSE
- (Optional) If your environment uses Kerberos authentication, then uncomment the Kerberos related values in /etc/steam/steam.yaml. Be sure to also specify the correct Kerberos principal and path to the keytab file. Note that you may also be required to add another proxyuser configuration. Refer to https://hadoop.apache.org/docs/current/hadoop-kms/index.html#KMS_Proxyuser_Configuration for more information.
At this point, you are ready to Start Enterprise Steam.