Building a Secured (Kerberized) HBase Cluster

Overview

If you want to manage HBase securely, you need to apply Kerberos authentication. Since applying Kerberos to HBase depends on Hadoop and ZooKeeper components, both Hadoop and ZooKeeper must also be managed securely. For applying Kerberos to Hadoop, refer to Building a Secured (Kerberized) Hadoop, and for applying Kerberos to ZooKeeper, refer to Building a Secured (Kerberized) ZooKeeper.

Alternatively, refer to the Security section of the HBase official documentation: hbase reference book (security).

Creating a Keytab

A principal in the format hbase/{FQDN}@{realm} must be registered in Kerberos. Then place the keytab in an appropriate location (e.g., /etc/hbase.keytab). Naturally, the HMaster and RegionServer processes must run as the hbase account.

Changing Configurations

Modify the configuration file as shown below.

hbase-site.xml
<configuration>
  <property>
    <name>hbase.cluster.distributed</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.tmp.dir</name>
    <value>./tmp</value>
  </property>
  <property>
    <name>hbase.rootdir</name>
    <value>hdfs://mycluster/hbase</value>
  </property>
  <property>
    <name>hbase.unsafe.stream.capability.enforce</name>
    <value>false</value>
  </property>
  <property>
    <name>hbase.zookeeper.quorum</name>
    <value>hadoop1.mysite.com,hadoop2.mysite.com,hadoop3.mysite.com</value>
  </property>
  <property>
    <name>hbase.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hbase.security.authorization</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.superuser</name>
    <value>hbase</value>
  </property>
  <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
  <property>
    <name>hbase.rpc.engine</name>
    <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
  </property>
  <property>
    <name>hbase.rpc.protection</name>
    <value>authentication</value>
  </property>
  <property>
    <name>hbase.zookeeper.client.keytab.file</name>
    <value>/etc/hbase.keytab</value>
  </property>
  <property>
    <name>hbase.master.kerberos.principal</name>
    <value>hbase/_HOST@CHAOS.ORDER.COM</value>
  </property>
  <property>
    <name>hbase.master.keytab.file</name>
    <value>/etc/hbase.keytab</value>
  </property>
  <property>
    <name>hbase.regionserver.kerberos.principal</name>
    <value>hbase/_HOST@CHAOS.ORDER.COM</value>
  </property>
  <property>
    <name>hbase.regionserver.keytab.file</name>
    <value>/etc/hbase.keytab</value>
  </property>
  <property>
    <name>hbase.client.kerberos.principal</name>
    <value>hbase/_HOST@CHAOS.ORDER.COM</value>
  </property>
  <property>
    <name>hbase.client.keytab.file</name>
    <value>/etc/hbase.keytab</value>
  </property>
</configuration>

Then, create a jaas.conf file under the conf folder as shown below. Make sure to enter the principal matching the current host.

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=false
  keyTab="/etc/hbase.keytab"
  principal="hbase/hadoop1.mysite.com@CHAOS.ORDER.COM";
};

Restarting ZooKeeper and HBase

After restarting ZooKeeper and HBase, you can use HBase securely. Once Kerberos is applied, ACLs (Access Control Lists) can be managed at the table and namespace level, and in recent HBase versions even at the row or cell level, enabling fine-grained access control.
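One way to check a finished hbase-site.xml against the settings this post enables, before restarting the cluster. This is an added example, not code from the original post; the embedded sample XML is constructed to mirror the values above, and the audit deliberately flags `hbase.rpc.protection=authentication` because that quality of protection leaves RPC payloads unencrypted.

```python
"""Audit an hbase-site.xml for the Kerberos/ACL settings enabled above.
Added example, not from the original post; standard library only."""
import re
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
# hbase/_HOST@REALM or hbase/<fqdn>@REALM, as the keytab section requires
PRINCIPAL_RE = re.compile(r"^hbase/(_HOST|[A-Za-z0-9.-]+)@[A-Z0-9.-]+$")

# Constructed sample mirroring the post's settings (relevant keys only)
SAMPLE_SITE = "<configuration>" + "".join(
    f"<property><name>{k}</name><value>{v}</value></property>" for k, v in [
        ("hbase.security.authentication", "kerberos"),
        ("hbase.security.authorization", "true"),
        ("hbase.coprocessor.region.classes", ACCESS_CONTROLLER),
        ("hbase.coprocessor.master.classes", ACCESS_CONTROLLER),
        ("hbase.rpc.protection", "authentication"),
        ("hbase.master.kerberos.principal", "hbase/_HOST@CHAOS.ORDER.COM"),
        ("hbase.regionserver.kerberos.principal", "hbase/_HOST@CHAOS.ORDER.COM"),
    ]) + "</configuration>"

def parse_hbase_site(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit_security(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if props.get("hbase.security.authentication") != "kerberos":
        findings.append("hbase.security.authentication is not 'kerberos'")
    if props.get("hbase.security.authorization") != "true":
        findings.append("hbase.security.authorization is not 'true'")
    # ACLs are enforced only if AccessController is loaded on master AND region servers
    for key in ("hbase.coprocessor.master.classes", "hbase.coprocessor.region.classes"):
        if ACCESS_CONTROLLER not in props.get(key, "").split(","):
            findings.append(f"{key} does not load AccessController")
    for role in ("master", "regionserver"):
        principal = props.get(f"hbase.{role}.kerberos.principal", "")
        if not PRINCIPAL_RE.match(principal):
            findings.append(f"hbase.{role}.kerberos.principal is malformed: {principal!r}")
    # SASL QoP: 'authentication' only authenticates; 'integrity' signs, 'privacy' encrypts
    if props.get("hbase.rpc.protection", "authentication") != "privacy":
        findings.append("hbase.rpc.protection is not 'privacy': RPC payloads are not encrypted")
    return findings
```

Run it against the real file with `audit_security(parse_hbase_site(open("conf/hbase-site.xml").read()))`; an empty list means the settings match what this post configures plus encrypted RPC.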

Quiz

Q1: What is the main topic covered in "Building a Secured (Kerberized) HBase Cluster"?

Learn how to apply Kerberos security to HBase.

Q2: What are the key takeaways from this article?

Learn how to apply Kerberos security to HBase.

Q3: How can the concepts in this article be applied in practice? Consider the practical examples and patterns discussed throughout the post.