Overview

If you want to manage HBase securely, you need to apply Kerberos authentication. Since applying Kerberos to HBase depends on Hadoop and ZooKeeper components, both Hadoop and ZooKeeper must also be managed securely. For applying Kerberos to Hadoop, refer to [Building a Secured (Kerberized) Hadoop](https://www.youngju.dev/blog/202210/secured_hadoop), and for applying Kerberos to ZooKeeper, refer to [Building a Secured (Kerberized) ZooKeeper](https://www.youngju.dev/blog/202210/secured_zookeeper).

Alternatively, refer to the Security section of the HBase official documentation: [hbase reference book (security)](https://hbase.apache.org/book.html#security).

Creating a Keytab

A principal in the format `hbase/{FQDN}@{realm}` must be registered in Kerberos. Then, place the keytab in an appropriate location (e.g., `/etc/hbase.keytab`). Of course, HMaster and RegionServer must be run with the hbase account.

Changing Configurations

Modify the configuration file as shown below.

Then, create a jaas.conf file under the conf folder as shown below. Make sure to enter the principal matching the current host.

Client {

com.sun.security.auth.module.Krb5LoginModule required

useKeyTab=true

useTicketCache=false

keyTab="/etc/hbase.keytab"

principal="hbase/hadoop1.mysite.com@CHAOS.ORDER.COM";

};

Restarting ZooKeeper and HBase

After restarting ZooKeeper and HBase, you can use HBase securely. Once Kerberos is applied, you can manage ACL (Access Control List) at the Table, Namespace, and in recent HBase versions, even at the row or cell level, enabling fine-grained access control.

Quiz

Q1: What is the main topic covered in "Building a Secured (Kerberized) HBase Cluster"?

Learn how to apply Kerberos security to HBase.

Learn how to apply Kerberos security to HBase.

Consider the practical examples and patterns discussed throughout the post.