HBase: Kerberize/SSL Installation

(Last Updated On: )

In this tutorial I will show you how to use Kerberos/SSL with HBase. I will use self signed certs for this example. Before you begin ensure you have installed Kerberos Server, Hadoop and Zookeeper.

This assumes your hostname is “hadoop”

We will install a Master, RegionServer and Rest Client

Create Kerberos Principals

  1. cd /etc/security/keytabs/
  2.  
  3. sudo kadmin.local
  4.  
  5. #You can list princepals
  6. listprincs
  7.  
  8. #Create the following principals
  9. addprinc -randkey hbase/hadoop@REALM.CA
  10. addprinc -randkey hbaseHTTP/hadoop@REALM.CA
  11.  
  12. #Create the keytab files.
  13. #You will need these for Hadoop to be able to login
  14. xst -k hbase.service.keytab hbase/hadoop@REALM.CA
  15. xst -k hbaseHTTP.service.keytab hbaseHTTP/hadoop@REALM.CA

Set Keytab Permissions/Ownership

  1. sudo chown root:hadoopuser /etc/security/keytabs/*
  2. sudo chmod 750 /etc/security/keytabs/*

Install HBase

  1. wget http://apache.forsale.plus/hbase/2.1.0/hbase-2.1.0-bin.tar.gz
  2. tar -zxvf hbase-2.1.0-bin.tar.gz
  3. sudo mv hbase-2.1.0 /usr/local/hbase/
  4. cd /usr/local/hbase/conf/

Setup .bashrc:

  1.  sudo nano ~/.bashrc

Add the following to the end of the file.

#HBASE VARIABLES START
export HBASE_HOME=/usr/local/hbase
export PATH=$PATH:$HBASE_HOME/bin
export HBASE_CONF_DIR=$HBASE_HOME/conf
#HBASE VARIABLES END

  1.  source ~/.bashrc

hbase_client_jaas.conf

  1. Client {
  2.         com.sun.security.auth.module.Krb5LoginModule required
  3.         useKeyTab=false
  4.         useTicketCache=true;
  5. };

hbase_server_jaas.conf

  1. Client {
  2.         com.sun.security.auth.module.Krb5LoginModule required
  3.         useKeyTab=true
  4.         useTicketCache=false
  5.         keyTab="/etc/security/keytabs/hbase.service.keytab"
  6.         principal="hbase/hadoop@REALM.CA";
  7. };

regionservers

  1. hadoop

hbase-env.sh

Add or modify the following settings.

  1. export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/
  2. export HBASE_CONF_DIR=${HBASE_CONF_DIR:-/usr/local/hbase/conf}
  3. export HADOOP_CONF_DIR=${HADOOP_CONF_DIR:-/usr/local/hadoop/etc/hadoop}
  4. export HBASE_CLASSPATH="$CLASSPATH:$HADOOP_CONF_DIR"
  5. export HBASE_REGIONSERVERS=${HBASE_CONF_DIR}/regionservers
  6. export HBASE_LOG_DIR=${HBASE_HOME}/logs
  7. export HBASE_PID_DIR=/home/hadoopuser
  8. export HBASE_MANAGES_ZK=false
  9. export HBASE_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase_client_jaas.conf"
  10. export HBASE_MASTER_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase_server_jaas.conf"
  11. export HBASE_REGIONSERVER_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase_server_jaas.conf"

hbase-site.xml

  1. <configuration>
  2. 	<property>
  3. 		<name>hbase.rootdir</name>
  4. 		<value>hdfs://hadoop:54310/hbase</value>
  5. 	</property>
  6. 	<property>
  7. 		<name>hbase.zookeeper.property.dataDir</name>
  8. 		<value>/usr/local/zookeeper/data</value>
  9. 	</property>
  10. 	<property>
  11. 		<name>hbase.cluster.distributed</name>
  12. 		<value>true</value>
  13. 	</property>
  14. 	<property>
  15. 		<name>hbase.regionserver.kerberos.principal</name>
  16. 		<value>hbase/_HOST@REALM.CA</value>
  17. 	</property>
  18. 	<property>
  19. 		<name>hbase.regionserver.keytab.file</name>
  20. 		<value>/etc/security/keytabs/hbase.service.keytab</value>
  21. 	</property>
  22. 	<property>
  23. 		<name>hbase.master.kerberos.principal</name>
  24. 		<value>hbase/_HOST@REALM.CA</value>
  25. 	</property>
  26. 	<property>
  27. 		<name>hbase.master.keytab.file</name>
  28. 		<value>/etc/security/keytabs/hbase.service.keytab</value>
  29. 	</property>
  30. 	<property>
  31. 		<name>hbase.security.authentication.spnego.kerberos.principal</name>
  32. 		<value>hbaseHTTP/_HOST@REALM.CA</value>
  33. 	</property>
  34. 	<property>
  35. 		<name>hbase.security.authentication.spnego.kerberos.keytab</name>
  36. 		<value>/etc/security/keytabs/hbaseHTTP.service.keytab</value>
  37. 	</property>
  38. 	<property>
  39. 		<name>hbase.security.authentication</name>
  40. 		<value>kerberos</value>
  41. 	</property>
  42. 	<property>
  43. 		<name>hbase.security.authorization</name>
  44. 		<value>true</value>
  45. 	</property>
  46. 	<property>
  47. 		<name>hbase.coprocessor.region.classes</name>
  48. 		<value>org.apache.hadoop.hbase.security.token.TokenProvider</value>
  49. 	</property>
  50. 	<property>
  51. 		<name>hbase.rpc.protection</name>
  52. 		<value>integrity</value>
  53. 	</property>
  54. 	<property>
  55. 		<name>hbase.rpc.engine</name>
  56. 		<value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
  57. 	</property>
  58. 	<property>
  59. 		<name>hbase.coprocessor.master.classes</name>
  60. 		<value>org.apache.hadoop.hbase.security.access.AccessController</value>
  61. 	</property>
  62. 	<property>
  63. 		<name>hbase.coprocessor.region.classes</name>
  64. 		<value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
  65. 	</property>
  66. 	<property>
  67. 		<name>hbase.security.authentication.ui</name>
  68. 		<value>kerberos</value>
  69. 		<description>Controls what kind of authentication should be used for the HBase web UIs.</description>
  70. 	</property>
  71. 	<property>
  72. 		<name>hbase.master.port</name>
  73. 		<value>16000</value>
  74. 	</property>
  75. 	<property>
  76. 		<name>hbase.master.info.bindAddress</name>
  77. 		<value>0.0.0.0</value>
  78. 	</property>
  79. 	<property>
  80. 		<name>hbase.master.info.port</name>
  81. 		<value>16010</value>
  82. 	</property>
  83. 	<property>
  84. 		<name>hbase.regionserver.hostname</name>
  85. 		<value>hadoop</value>
  86. 	</property>
  87. 	<property>
  88. 		<name>hbase.regionserver.port</name>
  89. 		<value>16020</value>
  90. 	</property>
  91. 	<property>
  92. 		<name>hbase.regionserver.info.port</name>
  93. 		<value>16030</value>
  94. 	</property>
  95. 	<property>
  96. 		<name>hbase.regionserver.info.bindAddress</name>
  97. 		<value>0.0.0.0</value>
  98. 	</property>
  99. 	<property>
  100. 		<name>hbase.master.ipc.address</name>
  101. 		<value>0.0.0.0</value>
  102. 	</property>
  103. 	<property>
  104. 		<name>hbase.regionserver.ipc.address</name>
  105. 		<value>0.0.0.0</value>
  106. 	</property>
  107. 	<property>
  108. 		<name>hbase.ssl.enabled</name>
  109. 		<value>true</value>
  110. 	</property>
  111. 	<property>
  112. 		<name>hadoop.ssl.enabled</name>
  113. 		<value>true</value>
  114. 	</property>
  115. 	<property>
  116. 		<name>ssl.server.keystore.keypassword</name>
  117. 		<value>startrek</value>
  118. 	</property>
  119. 	<property>
  120. 		<name>ssl.server.keystore.password</name>
  121. 		<value>startrek</value>
  122. 	</property>
  123. 	<property>
  124. 		<name>ssl.server.keystore.location</name>
  125. 		<value>/etc/security/serverKeys/keystore.jks</value>
  126. 	</property>
  127. 	<property>
  128. 		<name>hbase.rest.ssl.enabled</name>
  129. 		<value>true</value>
  130. 	</property>
  131. 	<property>
  132. 		<name>hbase.rest.ssl.keystore.store</name>
  133. 		<value>/etc/security/serverKeys/keystore.jks</value>
  134. 	</property>
  135. 	<property>
  136. 		<name>hbase.rest.ssl.keystore.password</name>
  137. 		<value>startrek</value>
  138. 	</property>
  139. 	<property>
  140. 		<name>hbase.rest.ssl.keystore.keypassword</name>
  141. 		<value>startrek</value>
  142. 	</property>
  143. 	<property>
  144. 		<name>hbase.superuser</name>
  145. 		<value>hduser</value>
  146. 	</property>
  147. 	<property>
  148. 		<name>hbase.tmp.dir</name>
  149. 		<value>/tmp/hbase-${user.name}</value>
  150. 	</property>
  151. 	<property>
  152. 		<name>hbase.local.dir</name>
  153. 		<value>${hbase.tmp.dir}/local</value>
  154. 	</property>
  155. 	<property>
  156. 		<name>hbase.zookeeper.property.clientPort</name>
  157. 		<value>2181</value>
  158. 	</property>
  159. 	<property>
  160. 		<name>hbase.unsafe.stream.capability.enforce</name>
  161. 		<value>false</value>
  162. 	</property>
  163. 	<property>
  164. 		<name>hbase.zookeeper.quorum</name>
  165. 		<value>hadoop</value>
  166. 	</property>
  167. 	<property>
  168. 		<name>zookeeper.znode.parent</name>
  169. 		<value>/hbase-secure</value>
  170. 	</property>
  171. 	<property>
  172. 		<name>hbase.regionserver.dns.interface</name>
  173. 		<value>enp0s3</value>
  174. 	</property>
  175.         <property>
  176.                 <name>hbase.rest.authentication.type</name>
  177.                 <value>kerberos</value>
  178.         </property>
  179.         <property>
  180.                 <name>hadoop.proxyuser.HTTP.groups</name>
  181.                 <value>*</value>
  182.         </property>
  183.         <property>
  184.                 <name>hadoop.proxyuser.HTTP.hosts</name>
  185.                 <value>*</value>
  186.         </property>
  187.         <property>
  188.                 <name>hbase.rest.authentication.kerberos.keytab</name>
  189.                 <value>/etc/security/keytabs/hbaseHTTP.service.keytab</value>
  190.         </property>
  191.         <property>
  192.                 <name>hbase.rest.authentication.kerberos.principal</name>
  193.                 <value>hbaseHTTP/_HOST@REALM.CA</value>
  194.         </property>
  195.         <property>
  196.                 <name>hbase.rest.kerberos.principal</name>
  197.                 <value>hbase/_HOST@REALM.CA</value>
  198.         </property>
  199.         <property>
  200.                 <name>hbase.rest.keytab.file</name>
  201.                 <value>/etc/security/keytabs/hbase.service.keytab</value>
  202.         </property>
  203. </configuration>

Change Ownership of HBase files

  1. sudo chown hadoopuser:hadoopuser -R /usr/local/hbase/*

Hadoop HDFS Config Changes

You will need to add two properties into the core-site.xml file of Hadoop.

  1. nano /usr/local/hadoop/etc/hadoop/core-site.xml
  2.  
  3. <property>
  4. 	<name>hadoop.proxyuser.hbase.hosts</name>
  5. 	<value>*</value>
  6. </property>
  7. <property>
  8. 	<name>hadoop.proxyuser.hbase.groups</name>
  9. 	<value>*</value>
  10. </property>
  11. <property>
  12. 	<name>hadoop.proxyuser.HTTP.hosts</name>
  13. 	<value>*</value>
  14. </property>
  15. <property>
  16. 	<name>hadoop.proxyuser.HTTP.groups</name>
  17. 	<value>*</value>
  18. </property>

AutoStart

  1. crontab -e
  2.  
  3. @reboot /usr/local/hbase/bin/hbase-daemon.sh --config /usr/local/hbase/conf/ start master
  4. @reboot /usr/local/hbase/bin/hbase-daemon.sh --config /usr/local/hbase/conf/ start regionserver
  5. @reboot /usr/local/hbase/bin/hbase-daemon.sh --config /usr/local/hbase/conf/ start rest --infoport 17001 -p 17000

Validation

  1. kinit -kt /etc/security/keytabs/hbase.service.keytab hbase/hadoop@REALM.ca
  2. hbase shell
  3. status 'detailed'
  4. whoami
  5. kdestroy

References

https://hbase.apache.org/0.94/book/security.html
https://pivotalhd-210.docs.pivotal.io/doc/2100/webhelp/topics/ConfiguringSecureHBase.html
https://ambari.apache.org/1.2.5/installing-hadoop-using-ambari/content/ambari-kerb-2-3-2-1.html
https://hbase.apache.org/book.html#_using_secure_http_https_for_the_web_ui