In this section, we list the specific hardware, memory, core, and network requirements, and the software prerequisites that must be met before installing the CDAP components.

Complete the requirements and instructions below prior to installing the CDAP components.

CDAP and Firewalls

In general, your cluster configuration cannot have a firewall between the cluster and CDAP. Instead, if a firewall is used, the cluster and certain CDAP components need to be together behind the firewall. These are the ports which can be opened to provide external access:

Listen Ports for External Access

| Description | Governing Configuration | Default Value in Packages/MapR | Default Value in Ambari/Cloudera Manager |
|---|---|---|---|
| CDAP Router listen port (HTTP RESTful) | router.bind.port | 11015 | 11015 |
| CDAP Router listen port (HTTP RESTful) (SSL) | router.ssl.bind.port | 10443 | 10443 |
| CDAP UI listen port | dashboard.bind.port | 11011 | 11011 |
| CDAP UI listen port (SSL) | dashboard.ssl.bind.port | 9443 | 9443 |
| CDAP Auth Server listen port | security.auth.server.bind.port | 10009 | 10009 |
| CDAP Auth Server listen port (SSL) | security.auth.server.ssl.bind.port | 10010 | 10010 |

The exact configuration and ports required will vary depending on your use of firewalls and your specific configuration. This diagram shows a likely scenario that you could use:

...

In this diagram, we show the CDAP Router "traversing" the firewall. Note that the CDAP UI can be completely outside of the firewall, as it needs to talk to clients, the CDAP Router, and the CDAP Auth Server. These two services (Router and Auth Server) need to be accessible from the outside to users, but also must be able to connect to nodes within the cluster. They need unrestricted client access to the cluster with the ability to establish connections to cluster nodes, on any port that a container may choose to open.

Taking this same picture, if the firewall were moved to the left of the CDAP Router/Auth Server, then two ports (router.bind.port, 11015, and security.auth.server.bind.port, 10009) would need to be opened to allow clients to reach the hosts running the CDAP Router/Auth Server. There could be another firewall between the CDAP Router/Auth Server and the cluster, as long as it provides client access from the CDAP Auth Server to the ZooKeeper nodes. The same is true for the CDAP Router (access to the ZooKeeper nodes), except that it also needs unrestricted client access to the cluster, so it usually doesn't make sense to firewall the CDAP Router when you are essentially allowing all traffic through.

As your configuration can vary from these descriptions, this information is intended to guide you in understanding what the different components require in order to successfully run CDAP rather than provide strict requirements.
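The following Python example is added here and is not part of the CDAP project. For the scenario above, where the firewall sits in front of the CDAP Router/Auth Server, it overlays port overrides from a site file on the defaults in the table and then reports which required ports are closed on the edge firewall and which open ports nothing requires. The Hadoop-style XML layout of the site file, the sample XML, the function names and the list of open ports are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults copied from the "Listen Ports for External Access" table above.
DEFAULT_PORTS = {
    "router.bind.port": 11015,
    "router.ssl.bind.port": 10443,
    "dashboard.bind.port": 11011,
    "dashboard.ssl.bind.port": 9443,
    "security.auth.server.bind.port": 10009,
    "security.auth.server.ssl.bind.port": 10010,
}
# Ports clients must reach when the firewall sits in front of the Router/Auth Server.
EDGE_KEYS = ("router.bind.port", "security.auth.server.bind.port")

# Constructed sample (assumption): a site file that overrides the Router port.
SAMPLE_SITE_XML = """<configuration>
  <property><name>router.bind.port</name><value>12015</value></property>
  <property><name>dashboard.bind.port</name><value>11011</value></property>
</configuration>"""

def effective_ports(site_xml):
    """Overlay port properties from the site file on the documented defaults."""
    ports = dict(DEFAULT_PORTS)
    for prop in ET.fromstring(site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name not in ports:
            continue  # not one of the externally reachable listen ports
        port = int((prop.findtext("value") or "").strip())
        if not 1 <= port <= 65535:
            raise ValueError(f"{name}: {port} is not a valid TCP port")
        ports[name] = port
    return ports

def audit_edge_firewall(site_xml, open_ports, keys=EDGE_KEYS):
    """Report required ports that are closed and open ports nothing requires."""
    ports = effective_ports(site_xml)
    required = {ports[k] for k in keys}
    opened = set(open_ports)
    return {"missing": sorted(required - opened),
            "unexpected": sorted(opened - required)}

if __name__ == "__main__":
    # Constructed rule set: the default ports opened, plus a leftover SSH rule.
    print(audit_edge_firewall(SAMPLE_SITE_XML, [11015, 10009, 22]))
```

If the SSL listeners are the ones exposed, pass `keys=("router.ssl.bind.port", "security.auth.server.ssl.bind.port")` instead.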