Hadoop Security Guide

Configure HBase Master

Edit the $HBASE_CONF_DIR/hbase-site.xml file on your HBase Master server to add the following properties. $HBASE_CONF_DIR is the directory that stores the HBase configuration files, for example /etc/hbase/conf.

Note

There are no default values. The following are all examples.

<property>
        <name>hbase.master.keytab.file</name>
        <value>/etc/security/keytabs/hbase.service.keytab</value>
        <description>Full path to the Kerberos keytab file to use for logging
        in the configured HMaster server principal.
        </description>
</property>
<property>
        <name>hbase.master.kerberos.principal</name>
        <value>hbase/_HOST@EXAMPLE.COM</value>
        <description>Ex. "hbase/_HOST@EXAMPLE.COM".
        The Kerberos principal name that should be used to run the HMaster process.
        The principal name should be in the form: user/hostname@DOMAIN.
        If "_HOST" is used as the hostname portion,
        it will be replaced with the actual hostname of the running instance.
        </description>
</property>
<property>
        <name>hbase.regionserver.keytab.file</name>
        <value>/etc/security/keytabs/hbase.service.keytab</value>
        <description>Full path to the Kerberos keytab file to use for logging
        in the configured HRegionServer server principal.
        </description>
</property>
<property>
        <name>hbase.regionserver.kerberos.principal</name>
        <value>hbase/_HOST@EXAMPLE.COM</value>
        <description>Ex. "hbase/_HOST@EXAMPLE.COM".
        The Kerberos principal name that should be used to run the HRegionServer process.
        The principal name should be in the form: user/hostname@DOMAIN.
        If "_HOST" is used as the hostname portion,
        it will be replaced with the actual hostname of the running instance.
        An entry for this principal must exist in the file specified in
        hbase.regionserver.keytab.file.
        </description>
</property>
<!-- Additional configuration specific to HBase security -->

<property>
        <name>hbase.superuser</name>
        <value>hbase</value>
        <description>Comma-separated list of users or groups who are allowed
        full privileges, regardless of stored ACLs, across the cluster.
        Only used when HBase security is enabled.
        </description>
</property>

<property>
        <name>hbase.coprocessor.region.classes</name>
        <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.hadoop.hbase.security.access.AccessController</value>
        <description>A comma-separated list of Coprocessors that are loaded by default on all tables.
        </description>
</property>
<property>
        <name>hbase.security.authentication</name>
        <value>kerberos</value>
</property>
<property>
        <name>hbase.rpc.engine</name>
        <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
<property>
        <name>hbase.security.authorization</name>
        <value>true</value>
        <description>Enables HBase authorization.
        Set the value of this property to false to disable HBase authorization.
        </description>
</property>
<property>
        <name>hbase.coprocessor.master.classes</name>
        <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
        <name>hbase.bulkload.staging.dir</name>
        <value>/apps/hbase/staging</value>
        <description>Directory in the default filesystem, owned by the hbase user,
        with permissions -rwx--x--x (711).
        </description>
</property>

For more information on bulk loading in secure mode, see HBase Secure BulkLoad. Note that the directory specified by hbase.bulkload.staging.dir is created by HBase.
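The following is an added example, not part of the original guide: a small Python audit that reads hbase-site.xml text and reports where it departs from the secure settings listed above. The names audit and SAMPLE are hypothetical, the comparisons are strict string matches against the values on this page, and the file is assumed to use the usual Hadoop <configuration> root element.

```python
import xml.etree.ElementTree as ET

SEC = "org.apache.hadoop.hbase.security."
ACL = SEC + "access.AccessController"
# Expected values, copied from the property list on this page.
REQUIRED = {
    "hbase.security.authentication": "kerberos",
    "hbase.security.authorization": "true",
    "hbase.rpc.engine": "org.apache.hadoop.hbase.ipc.SecureRpcEngine",
}
REQUIRED_COPROCESSORS = {
    "hbase.coprocessor.master.classes": {ACL},
    "hbase.coprocessor.region.classes": {
        ACL, SEC + "token.TokenProvider", SEC + "access.SecureBulkLoadEndpoint"},
}

def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    props = {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
             for p in ET.fromstring(xml_text).iter("property")}
    findings = []
    for name, want in REQUIRED.items():
        if props.get(name) != want:
            findings.append(f"{name}: expected {want!r}, found {props.get(name)!r}")
    for name, want in REQUIRED_COPROCESSORS.items():
        # Class lists are comma-separated and may wrap across lines.
        have = {c.strip() for c in props.get(name, "").split(",")}
        findings += [f"{name}: missing {cls}" for cls in sorted(want - have)]
    for role in ("master", "regionserver"):
        keytab = props.get(f"hbase.{role}.keytab.file", "")
        if not keytab.startswith("/"):
            findings.append(f"hbase.{role}.keytab.file: not a full path: {keytab!r}")
        principal = props.get(f"hbase.{role}.kerberos.principal", "")
        user, _, rest = principal.partition("/")
        host, _, realm = rest.partition("@")
        if not (user and host and realm):
            findings.append(f"hbase.{role}.kerberos.principal: bad form: {principal!r}")
    return findings

# Constructed sample (not a real cluster's file): authorization disabled, region
# coprocessors incomplete, relative keytab path, principal without a host part.
SAMPLE = "<configuration>%s</configuration>" % "".join(
    f"<property><name>{n}</name><value>{v}</value></property>" for n, v in {
        **REQUIRED, "hbase.security.authorization": "false",
        "hbase.coprocessor.master.classes": ACL,
        "hbase.coprocessor.region.classes": SEC + "token.TokenProvider",
        "hbase.master.keytab.file": "/etc/security/keytabs/hbase.service.keytab",
        "hbase.master.kerberos.principal": "hbase/_HOST@EXAMPLE.COM",
        "hbase.regionserver.keytab.file": "hbase.service.keytab",
        "hbase.regionserver.kerberos.principal": "hbase@EXAMPLE.COM",
    }.items())
```

Calling audit(SAMPLE) returns five findings; pass the text of the real file to audit the HBase Master configuration.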