Skip to content

Prerequisites

Audience: System Administrators

Content Summary: This page outlines the prerequisites for installing Enterprise Linux 7.

System Users

Service users need to be created on each node. The RPM installation scripts will create these users if they do not exist on the system when the RPM's are installed.

Web Service Nodes

The Immuta RPM installation will create an immuta group and user on the system. This step will be skipped if the user and group already exist.

Metadata Database Node

The Immuta Query Engine RPM installation will create a immutaqe group and user on the system. This step will be skipped if the user and group already exist.

Query Engine Node

The Immuta Query Engine RPM installation will create a immutaqe group and user on the system. This step will be skipped if the user and group already exist.

Database Replica Node

The Immuta Query Engine RPM installation will create a immutaqe group and user on the system. This step will be skipped if the user and group already exist.

Firewall Rules

The following describes the firewall rules that are required.

Metadata Database Node Firewall Rules

The Metadata Database needs to accept inbound traffic from the Web Service nodes. The table below lists required ports for inbound traffic:

Port Protocol Source
5432 TCP Web Service Nodes
5432 TCP Database replica nodes

The Metadata Database does not need to make any outbound connections, but ensure that all related and established traffic is allowed.

Query Engine Node Firewall Rules

The Query Engine needs to accept inbound traffic from the Web Service nodes and anywhere that users will be connecting using the SQL Access Pattern. The table below lists required ports for inbound traffic:

Port Protocol Source
5432 TCP Web Service Nodes or Load balancer, user workstations
5432 TCP Database replica nodes

The Query Engine needs to allow outbound traffic to all data sources that will be exposed through Immuta. The table below lists required (if conditions are met) ports for outbound traffic:

Port Protocol Source Condition
443 TCP Web Service nodes or Load balancer TLS Configured
80 TCP Web Service nodes or Load balancer TLS Not Configured
5432 TCP Query Engine Replica nodes Query Engine Replica nodes are being used
* TCP Any data source that is needed for data sources exposed through Immuta Data source dependent

In addition to the stated rules, ensure that all related and established traffic is allowed.

Database Replica Node Firewall Rules

The Database Replica needs to accept inbound traffic from the Web Service nodes and anywhere that users will be connecting using the SQL Access Pattern. The table below lists required ports for inbound traffic:

Port Protocol Source
5432 TCP Load balancer

The Database Replica needs to allow outbound traffic to all data sources that will be exposed through Immuta. The table below lists required (if conditions are met) ports for outbound traffic:

Port Protocol Source Condition
443 TCP Web Service nodes or Load balancer TLS Configured
80 TCP Web Service nodes or Load balancer TLS Not Configured
5432 TCP Database Replica nodes Database Replica nodes are being used
* TCP Any data source that is needed for data sources exposed through Immuta Data source dependent

In addition to the stated rules, ensure that all related and established traffic is allowed.

Database Replica Load Balancer Node Firewall Rules

The Database Replica Load Balancer needs to accept inbound traffic from anywhere that users will be connecting using the SQL Access Pattern. The table below lists required ports for inbound traffic:

Port Protocol Source
5432 TCP user workstations

The Database Replica Load Balancer needs to allow outbound traffic to all Database Replicas. The table below lists required ports for outbound traffic:

Port Protocol Source
5432 TCP Database Replica nodes

In addition to the stated rules, ensure that all related and established traffic is allowed.

Web Service Nodes Firewall Rules

When used without a load balancer, the Web Service nodes must accept traffic on the configured service port from wherever users will be accessing it from. The node also needs to accept traffic from the Query Engine and HDFS cluster (if used).

When using a load balancer in front of the Immuta Web Service nodes, they need only accept inbound traffic from the load balancer.

The table below lists required (if conditions are met) ports for inbound traffic:

Port Protocol Source Condition
443 TCP User workstations, Query Engine, HDFS (if used) or Load balancer TLS Configured
80 TCP User workstations, Query Engine, HDFS (if used) or Load balancer TLS Not Configured

The Web Service Nodes need to allow outbound traffic to all data sources that will be exposed through Immuta. The table below lists required (if conditions are met) ports for outbound traffic:

Port Protocol Destination Condition
5432 TCP Metadata Database, Query Engine
* TCP Any data source that is needed for data sources exposed through Immuta Data source dependent

In addition to the stated rules, ensure that all related and established traffic is allowed.

TLS Assumptions

This guide assumes that you are using certificates issued by a certificate authority (CA). Using self-signed certificates is not recommended or supported in production. All certificates and keys referenced in this guide should be in PEM format. Private key files must not be encrypted. Instead, restrictive file permissions will be used to protect the keys from unwanted access.

It is also assumed that the CA certificate bundle configured for services in this section contains the CA certificates and is present in the same location on all nodes in the cluster. The system CA bundle (/etc/pki/tls/certs/ca-bundle.crt) can be used, or an alternate certificate bundle may be used.

To verify that your CA and TLS certificates are configured properly, you should run the command below. Note that openssl is required:

openssl verify -verbose -CAfile /path/to/ca.crt /path/to/immuta/cert.crt

If you do not have certificates issued by a trusted CA available, you can follow this guide to generate temporary insecure certificates for proof-of-concept deployments only. Production deployments should use certificates issued by a trusted CA.

Hostname Configuration

Servers should have their hostname resolvable by the loopback address. Ensure that each server's hostname is associated with the IP address 127.0.0.1 in the /etc/hosts file.

The following command must be run as root:

sh -c 'echo "127.0.0.1 $(hostname)" >> /etc/hosts'