Overview
If you want to manage HBase securely, you need to apply Kerberos authentication. Since applying Kerberos to HBase depends on Hadoop and ZooKeeper components, both Hadoop and ZooKeeper must also be managed securely. For applying Kerberos to Hadoop, refer to Building a Secured (Kerberized) Hadoop, and for applying Kerberos to ZooKeeper, refer to Building a Secured (Kerberized) ZooKeeper.
Alternatively, refer to the Security section of the HBase official documentation: hbase reference book (security).
Creating a Keytab
A principal in the format hbase/{FQDN}@{realm} must be registered in Kerberos. Then place the keytab in an appropriate location (e.g., /etc/hbase.keytab). Naturally, HMaster and RegionServer must run as the hbase account.
Changing Configurations
Modify the configuration file as shown below.
<configuration>
  <property>
    <name>hbase.cluster.distributed</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.tmp.dir</name>
    <value>./tmp</value>
  </property>
  <property>
    <name>hbase.rootdir</name>
    <value>hdfs://mycluster/hbase</value>
  </property>
  <property>
    <name>hbase.unsafe.stream.capability.enforce</name>
    <value>false</value>
  </property>
  <property>
    <name>hbase.zookeeper.quorum</name>
    <value>hadoop1.mysite.com,hadoop2.mysite.com,hadoop3.mysite.com</value>
  </property>
  <!-- Require Kerberos authentication on every HBase RPC. -->
  <property>
    <name>hbase.security.authentication</name>
    <value>kerberos</value>
  </property>
  <!-- Enforce ACLs; this only takes effect with the AccessController coprocessor loaded below. -->
  <property>
    <name>hbase.security.authorization</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.superuser</name>
    <value>hbase</value>
  </property>
  <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
  <property>
    <name>hbase.rpc.engine</name>
    <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
  </property>
  <!-- SASL protection level: authentication (weakest), integrity, or privacy (encrypts RPC). -->
  <property>
    <name>hbase.rpc.protection</name>
    <value>authentication</value>
  </property>
  <property>
    <name>hbase.zookeeper.client.keytab.file</name>
    <value>/etc/hbase.keytab</value>
  </property>
  <!-- _HOST is replaced with the local FQDN at startup, so the same file works on every node. -->
  <property>
    <name>hbase.master.kerberos.principal</name>
    <value>hbase/_HOST@CHAOS.ORDER.COM</value>
  </property>
  <property>
    <name>hbase.master.keytab.file</name>
    <value>/etc/hbase.keytab</value>
  </property>
  <property>
    <name>hbase.regionserver.kerberos.principal</name>
    <value>hbase/_HOST@CHAOS.ORDER.COM</value>
  </property>
  <property>
    <name>hbase.regionserver.keytab.file</name>
    <value>/etc/hbase.keytab</value>
  </property>
  <property>
    <name>hbase.client.kerberos.principal</name>
    <value>hbase/_HOST@CHAOS.ORDER.COM</value>
  </property>
  <property>
    <name>hbase.client.keytab.file</name>
    <value>/etc/hbase.keytab</value>
  </property>
</configuration>
Then create a jaas.conf file under the conf folder as shown below. Make sure the principal matches the current host: unlike the _HOST placeholder in the configuration above, the JAAS file is read by the JDK login module and is not host-substituted, so each node needs its own FQDN here.
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=false
  keyTab="/etc/hbase.keytab"
  principal="hbase/hadoop1.mysite.com@CHAOS.ORDER.COM";
};
Restarting ZooKeeper and HBase
After restarting ZooKeeper and HBase, HBase can be used securely. Once Kerberos is applied, you can manage ACLs (access control lists) at the table and namespace level and, in recent HBase versions, even at the row or cell level, enabling fine-grained access control.
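As an added example (not from the original page or the HBase project), here is a small Python checker that parses the properties above and the jaas.conf and reports any deviation from this recipe, which is a useful sanity check before restarting. The sample inputs are constructed copies of the page's values, and the function names, the host_fqdn/realm parameters and the finding texts are my own.

```python
import re
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
# Constructed samples: the security-relevant subset of the page's hbase-site.xml and its jaas.conf.
SAMPLE_HBASE_SITE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.security.authorization</name><value>true</value></property>
  <property><name>hbase.coprocessor.region.classes</name><value>%s</value></property>
  <property><name>hbase.coprocessor.master.classes</name><value>%s</value></property>
  <property><name>hbase.rpc.protection</name><value>authentication</value></property>
  <property><name>hbase.master.kerberos.principal</name><value>hbase/_HOST@CHAOS.ORDER.COM</value></property>
  <property><name>hbase.regionserver.kerberos.principal</name><value>hbase/_HOST@CHAOS.ORDER.COM</value></property>
</configuration>""" % (ACCESS_CONTROLLER, ACCESS_CONTROLLER)
SAMPLE_JAAS = '''Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true useTicketCache=false keyTab="/etc/hbase.keytab"
  principal="hbase/hadoop1.mysite.com@CHAOS.ORDER.COM";
};'''

def parse_hbase_site(xml_text):
    """Return {name: value} for every <property> in an hbase-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip() for p in root.iter("property")}

def audit_hbase_security(props, jaas_text, host_fqdn, realm):
    """Return a list of findings; an empty list means the settings match the recipe above."""
    findings = []
    if props.get("hbase.security.authentication") != "kerberos":
        findings.append("hbase.security.authentication is not kerberos")
    if props.get("hbase.security.authorization") != "true":
        findings.append("hbase.security.authorization is not true, so ACLs are not enforced")
    for key in ("hbase.coprocessor.region.classes", "hbase.coprocessor.master.classes"):
        if ACCESS_CONTROLLER not in props.get(key, "").split(","):
            findings.append(f"{key} does not load AccessController")
    if props.get("hbase.rpc.protection") not in ("authentication", "integrity", "privacy"):
        findings.append("hbase.rpc.protection is not a valid SASL QoP level")
    principal_re = rf"hbase/(_HOST|[\w.-]+)@{re.escape(realm)}"
    for key in ("hbase.master.kerberos.principal", "hbase.regionserver.kerberos.principal"):
        if not re.fullmatch(principal_re, props.get(key, "")):
            findings.append(f"{key} is not of the form hbase/<host>@{realm}")
    # jaas.conf is read by the JDK, which does not substitute _HOST: it must name this host.
    m = re.search(r'principal="([^"]+)"', jaas_text)
    if not m or m.group(1) != f"hbase/{host_fqdn}@{realm}":
        findings.append(f"jaas.conf principal is not hbase/{host_fqdn}@{realm}")
    if "useKeyTab=true" not in jaas_text or "useTicketCache=false" not in jaas_text:
        findings.append("jaas.conf does not force keytab-only login")
    return findings
```

Run it on each node with that node's FQDN; copying hadoop1's jaas.conf to hadoop2 unchanged is caught as a principal mismatch.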