In this tutorial I will show you how to use Kerberos/SSL with HBase. I will use self signed certs for this example. Before you begin ensure you have installed Kerberos Server, Hadoop and Zookeeper.
This assumes your hostname is “hadoop”
We will install a Master, RegionServer and Rest Client
Create Kerberos Principals
cd /etc/security/keytabs/ sudo kadmin.local #You can list princepals listprincs #Create the following principals addprinc -randkey hbase/hadoop@REALM.CA addprinc -randkey hbaseHTTP/hadoop@REALM.CA #Create the keytab files. #You will need these for Hadoop to be able to login xst -k hbase.service.keytab hbase/hadoop@REALM.CA xst -k hbaseHTTP.service.keytab hbaseHTTP/hadoop@REALM.CA
Set Keytab Permissions/Ownership
sudo chown root:hadoopuser /etc/security/keytabs/* sudo chmod 750 /etc/security/keytabs/*
Install HBase
wget http://apache.forsale.plus/hbase/2.1.0/hbase-2.1.0-bin.tar.gz tar -zxvf hbase-2.1.0-bin.tar.gz sudo mv hbase-2.1.0 /usr/local/hbase/ cd /usr/local/hbase/conf/
Setup .bashrc:
sudo nano ~/.bashrc
Add the following to the end of the file.
#HBASE VARIABLES START
export HBASE_HOME=/usr/local/hbase
export PATH=$PATH:$HBASE_HOME/bin
export HBASE_CONF_DIR=$HBASE_HOME/conf
#HBASE VARIABLES END
source ~/.bashrc
hbase_client_jaas.conf
Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=false useTicketCache=true; };
hbase_server_jaas.conf
Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true useTicketCache=false keyTab="/etc/security/keytabs/hbase.service.keytab" principal="hbase/hadoop@REALM.CA"; };
regionservers
hadoop
hbase-env.sh
Add or modify the following settings.
export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/ export HBASE_CONF_DIR=${HBASE_CONF_DIR:-/usr/local/hbase/conf} export HADOOP_CONF_DIR=${HADOOP_CONF_DIR:-/usr/local/hadoop/etc/hadoop} export HBASE_CLASSPATH="$CLASSPATH:$HADOOP_CONF_DIR" export HBASE_REGIONSERVERS=${HBASE_CONF_DIR}/regionservers export HBASE_LOG_DIR=${HBASE_HOME}/logs export HBASE_PID_DIR=/home/hadoopuser export HBASE_MANAGES_ZK=false export HBASE_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase_client_jaas.conf" export HBASE_MASTER_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase_server_jaas.conf" export HBASE_REGIONSERVER_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase_server_jaas.conf"
hbase-site.xml
<configuration> <property> <name>hbase.rootdir</name> <value>hdfs://hadoop:54310/hbase</value> </property> <property> <name>hbase.zookeeper.property.dataDir</name> <value>/usr/local/zookeeper/data</value> </property> <property> <name>hbase.cluster.distributed</name> <value>true</value> </property> <property> <name>hbase.regionserver.kerberos.principal</name> <value>hbase/_HOST@REALM.CA</value> </property> <property> <name>hbase.regionserver.keytab.file</name> <value>/etc/security/keytabs/hbase.service.keytab</value> </property> <property> <name>hbase.master.kerberos.principal</name> <value>hbase/_HOST@REALM.CA</value> </property> <property> <name>hbase.master.keytab.file</name> <value>/etc/security/keytabs/hbase.service.keytab</value> </property> <property> <name>hbase.security.authentication.spnego.kerberos.principal</name> <value>hbaseHTTP/_HOST@REALM.CA</value> </property> <property> <name>hbase.security.authentication.spnego.kerberos.keytab</name> <value>/etc/security/keytabs/hbaseHTTP.service.keytab</value> </property> <property> <name>hbase.security.authentication</name> <value>kerberos</value> </property> <property> <name>hbase.security.authorization</name> <value>true</value> </property> <property> <name>hbase.coprocessor.region.classes</name> <value>org.apache.hadoop.hbase.security.token.TokenProvider</value> </property> <property> <name>hbase.rpc.protection</name> <value>integrity</value> </property> <property> <name>hbase.rpc.engine</name> <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value> </property> <property> <name>hbase.coprocessor.master.classes</name> <value>org.apache.hadoop.hbase.security.access.AccessController</value> </property> <property> <name>hbase.coprocessor.region.classes</name> <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value> </property> <property> <name>hbase.security.authentication.ui</name> <value>kerberos</value> <description>Controls what kind of authentication should be used for the HBase web UIs.</description> </property> <property> <name>hbase.master.port</name> <value>16000</value> </property> <property> <name>hbase.master.info.bindAddress</name> <value>0.0.0.0</value> </property> <property> <name>hbase.master.info.port</name> <value>16010</value> </property> <property> <name>hbase.regionserver.hostname</name> <value>hadoop</value> </property> <property> <name>hbase.regionserver.port</name> <value>16020</value> </property> <property> <name>hbase.regionserver.info.port</name> <value>16030</value> </property> <property> <name>hbase.regionserver.info.bindAddress</name> <value>0.0.0.0</value> </property> <property> <name>hbase.master.ipc.address</name> <value>0.0.0.0</value> </property> <property> <name>hbase.regionserver.ipc.address</name> <value>0.0.0.0</value> </property> <property> <name>hbase.ssl.enabled</name> <value>true</value> </property> <property> <name>hadoop.ssl.enabled</name> <value>true</value> </property> <property> <name>ssl.server.keystore.keypassword</name> <value>startrek</value> </property> <property> <name>ssl.server.keystore.password</name> <value>startrek</value> </property> <property> <name>ssl.server.keystore.location</name> <value>/etc/security/serverKeys/keystore.jks</value> </property> <property> <name>hbase.rest.ssl.enabled</name> <value>true</value> </property> <property> <name>hbase.rest.ssl.keystore.store</name> <value>/etc/security/serverKeys/keystore.jks</value> </property> <property> <name>hbase.rest.ssl.keystore.password</name> <value>startrek</value> </property> <property> <name>hbase.rest.ssl.keystore.keypassword</name> <value>startrek</value> </property> <property> <name>hbase.superuser</name> <value>hduser</value> </property> <property> <name>hbase.tmp.dir</name> <value>/tmp/hbase-${user.name}</value> </property> <property> <name>hbase.local.dir</name> <value>${hbase.tmp.dir}/local</value> </property> <property> <name>hbase.zookeeper.property.clientPort</name> <value>2181</value> </property> <property> <name>hbase.unsafe.stream.capability.enforce</name> <value>false</value> </property> <property> <name>hbase.zookeeper.quorum</name> <value>hadoop</value> </property> <property> <name>zookeeper.znode.parent</name> <value>/hbase-secure</value> </property> <property> <name>hbase.regionserver.dns.interface</name> <value>enp0s3</value> </property> <property> <name>hbase.rest.authentication.type</name> <value>kerberos</value> </property> <property> <name>hadoop.proxyuser.HTTP.groups</name> <value>*</value> </property> <property> <name>hadoop.proxyuser.HTTP.hosts</name> <value>*</value> </property> <property> <name>hbase.rest.authentication.kerberos.keytab</name> <value>/etc/security/keytabs/hbaseHTTP.service.keytab</value> </property> <property> <name>hbase.rest.authentication.kerberos.principal</name> <value>hbaseHTTP/_HOST@REALM.CA</value> </property> <property> <name>hbase.rest.kerberos.principal</name> <value>hbase/_HOST@REALM.CA</value> </property> <property> <name>hbase.rest.keytab.file</name> <value>/etc/security/keytabs/hbase.service.keytab</value> </property> </configuration>
Change Ownership of HBase files
sudo chown hadoopuser:hadoopuser -R /usr/local/hbase/*
Hadoop HDFS Config Changes
You will need to add two properties into the core-site.xml file of Hadoop.
nano /usr/local/hadoop/etc/hadoop/core-site.xml <property> <name>hadoop.proxyuser.hbase.hosts</name> <value>*</value> </property> <property> <name>hadoop.proxyuser.hbase.groups</name> <value>*</value> </property> <property> <name>hadoop.proxyuser.HTTP.hosts</name> <value>*</value> </property> <property> <name>hadoop.proxyuser.HTTP.groups</name> <value>*</value> </property>
AutoStart
crontab -e @reboot /usr/local/hbase/bin/hbase-daemon.sh --config /usr/local/hbase/conf/ start master @reboot /usr/local/hbase/bin/hbase-daemon.sh --config /usr/local/hbase/conf/ start regionserver @reboot /usr/local/hbase/bin/hbase-daemon.sh --config /usr/local/hbase/conf/ start rest --infoport 17001 -p 17000
Validation
kinit -kt /etc/security/keytabs/hbase.service.keytab hbase/hadoop@REALM.ca hbase shell status 'detailed' whoami kdestroy
References
https://hbase.apache.org/0.94/book/security.html
https://pivotalhd-210.docs.pivotal.io/doc/2100/webhelp/topics/ConfiguringSecureHBase.html
https://ambari.apache.org/1.2.5/installing-hadoop-using-ambari/content/ambari-kerb-2-3-2-1.html
https://hbase.apache.org/book.html#_using_secure_http_https_for_the_web_ui
You must be logged in to post a comment.