2.3.4. hbase-site.xml

For HBase to run on a secured cluster, HBase must be able to authenticate itself to HDFS. Add the following properties to the hbase-site.xml file on your HBase server. There are no default values; the values shown below are examples only:

 

Table 13.6. hbase-site.xml

| Property Name | Property Value | Description |
|---|---|---|
| hbase.master.keytab.file | /etc/security/keytabs/hm.service.keytab | The keytab for the HMaster service principal |
| hbase.master.kerberos.principal | hm/_HOST@EXAMPLE.COM | The Kerberos principal name that should be used to run the HMaster process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance. |
| hbase.regionserver.keytab.file | /etc/security/keytabs/rs.service.keytab | The keytab for the HRegionServer service principal |
| hbase.regionserver.kerberos.principal | rs/_HOST@EXAMPLE.COM | The Kerberos principal name that should be used to run the HRegionServer process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance. |
| hbase.superuser | hbase | Comma-separated list of users or groups that are allowed full privileges, regardless of stored ACLs, across the cluster. Only used when HBase security is enabled. |

The XML for these entries:

<property>
  <name>hbase.master.keytab.file</name>
  <value>/etc/security/keytabs/hm.service.keytab</value>
  <description>Full path to the kerberos keytab file to use for logging
  in the configured HMaster server principal.
  </description>
</property>

<property>
  <name>hbase.master.kerberos.principal</name>
  <value>hm/_HOST@EXAMPLE.COM</value>
  <description>Ex. "hbase/_HOST@EXAMPLE.COM".
  The kerberos principal name that should be used to run the HMaster
  process. The principal name should be in the form:
  user/hostname@DOMAIN. If "_HOST" is used as the hostname portion, it
  will be replaced with the actual hostname of the running instance.
  </description>
</property>

<property>
  <name>hbase.regionserver.keytab.file</name>
  <value>/etc/security/keytabs/rs.service.keytab</value>
  <description>Full path to the kerberos keytab file to use for logging
  in the configured HRegionServer server principal.
  </description>
</property>

<property>
  <name>hbase.regionserver.kerberos.principal</name>
  <value>rs/_HOST@EXAMPLE.COM</value>
  <description>Ex. "hbase/_HOST@EXAMPLE.COM".
  The kerberos principal name that should be used to run the
  HRegionServer process. The principal name should be in the form:
  user/hostname@DOMAIN. If _HOST is used as the hostname portion, it
  will be replaced with the actual hostname of the running instance.
  An entry for this principal must exist in the file specified in
  hbase.regionserver.keytab.file
  </description>
</property>

<!--Additional configuration specific to HBase security -->

<property>
  <name>hbase.superuser</name>
  <value>hbase</value>
  <description>List of users or groups (comma-separated), who are
  allowed full privileges, regardless of stored ACLs, across the cluster.
  Only used when HBase security is enabled.
  </description>
</property>
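
A pre-start check for the entries above, as an added example that is not part of the original documentation: it parses a complete hbase-site.xml (with the standard <configuration> root element), verifies that each principal has the user/hostname@DOMAIN form and that each keytab exists and is not accessible to group or others, and prints the principal after _HOST substitution. The function names, the strict permission mask, and the lowercase-FQDN default for _HOST are assumptions of this example.

```python
import os
import re
import socket
import stat
import sys
import xml.etree.ElementTree as ET

# user/hostname@DOMAIN; the hostname part may be the literal _HOST placeholder
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")
ROLES = ("master", "regionserver")


def load_properties(xml_text):
    """Return {name: value} for every <property> in an hbase-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}


def resolve_principal(principal, hostname=None):
    """Replace _HOST with the instance hostname (assumed: lowercase FQDN)."""
    host = (hostname or socket.getfqdn()).lower()
    return principal.replace("_HOST", host)


def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    props, findings = load_properties(xml_text), []
    for role in ROLES:
        keytab = props.get(f"hbase.{role}.keytab.file")
        principal = props.get(f"hbase.{role}.kerberos.principal", "")
        if not PRINCIPAL_RE.match(principal):
            findings.append(f"{role}: principal missing or not service/host@REALM")
        if not keytab:
            findings.append(f"{role}: keytab property missing")
        elif not os.path.isfile(keytab):
            findings.append(f"{role}: keytab {keytab} not found")
        elif stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:
            findings.append(f"{role}: keytab {keytab} readable by group or others")
    return findings


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:  # path to hbase-site.xml
        text = fh.read()
    for role in ROLES:  # resolved names to compare against `klist -kt <keytab>`
        name = load_properties(text).get(f"hbase.{role}.kerberos.principal", "")
        print(role, "runs as", resolve_principal(name))
    print("\n".join(audit(text)) or "OK")
```

Run it on each HMaster and HRegionServer host, since both the keytab files and the _HOST substitution are per-host.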
