Hadoop Security Guide
Also available as:
PDF
loading table of contents...

hbase-site.xml

For HBase to run on a secured cluster, HBase must be able to authenticate itself to HDFS. Add the following information to the hbase-site.xml file on your HBase server. There are no default values; the following are only examples:

Table 2.9. hbase-site.xml Property Settings -- HBase Server

Property Name

Property Value

Description

hbase.master.keytab.file

/etc/security/keytabs/hm.service.keytab

The keytab for the HMaster service principal.

hbase.master.kerberos.principal

hm/_HOST@EXAMPLE.COM

The Kerberos principal name that should be used to run the HMaster process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance.

hbase.regionserver.keytab.file

/etc/security/keytabs/rs.service.keytab

The keytab for the HRegionServer service principal.

hbase.regionserver.kerberos.principal

rs/_HOST@EXAMPLE.COM

The Kerberos principal name that should be used to run the HRegionServer process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance.

hbase.superuser

hbase

Comma-separated list of users or groups that are allowed full privileges, regardless of stored ACLs, across the cluster. Only used when HBase security is enabled.

hbase.coprocessor.region.classes

Comma-separated list of coprocessors that are loaded by default on all tables. For any override coprocessor method, these classes will be called in order. After implementing your own coprocessor, just put it in HBase's classpath and add the fully qualified class name here. A coprocessor can also be loaded on demand by setting HTableDescriptor.

hbase.coprocessor.master.classes

Comma-separated list of org.apache.hadoop.hbase. coprocessor. MasterObserver coprocessors that are loaded by default on the active HMaster process. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own MasterObserver, just put it in HBase's classpath and add the fully qualified class name here.


Following is the XML for these entries:

<property> 
     <name>hbase.master.keytab.file</name> 
     <value>/etc/security/keytabs/hm.service.keytab</value> 
     <description>Full path to the kerberos keytab file to use for logging
     in the configured HMaster server principal. 
     </description> 
</property> 
 
<property> 
     <name>hbase.master.kerberos.principal</name> 
     <value>hm/_HOST@EXAMPLE.COM</value> 
     <description>Ex. "hbase/_HOST@EXAMPLE.COM". 
     The kerberos principal name that should be used to run the HMaster process. The
     principal name should be in the form: user/hostname@DOMAIN. If "_HOST" is used
     as the hostname portion, it will be replaced with the actual hostname of the running
     instance. 
     </description> 
</property> 
 
<property> 
     <name>hbase.regionserver.keytab.file</name> 
     <value>/etc/security/keytabs/rs.service.keytab</value> 
     <description>Full path to the kerberos keytab file to use for logging
     in the configured HRegionServer server principal. 
     </description> 
</property> 
 
<property> 
     <name>hbase.regionserver.kerberos.principal</name> 
     <value>rs/_HOST@EXAMPLE.COM</value> 
     <description>Ex. "hbase/_HOST@EXAMPLE.COM". 
     The kerberos principal name that
     should be used to run the HRegionServer process. The
     principal name should be in the form: 
     user/hostname@DOMAIN. If _HOST
     is used as the hostname portion, it will be replaced 
     with the actual hostname of the running
     instance. An entry for this principal must exist
     in the file specified in hbase.regionserver.keytab.file 
     </description> 
</property> 
 
<!--Additional configuration specific to HBase security -->
 
<property> 
     <name>hbase.superuser</name> 
     <value>hbase</value> 
     <description>List of users or groups (comma-separated), who are
     allowed full privileges, regardless of stored ACLs, across the cluster. Only
     used when HBase security is enabled. 
     </description> 
</property> 
 
<property> 
     <name>hbase.coprocessor.region.classes</name> 
     <value></value> 
     <description>A comma-separated list of Coprocessors that are loaded
     by default on all tables. For any override coprocessor method, these classes will
     be called in order. After implementing your own Coprocessor, 
     just put it in HBase's classpath and add the fully qualified class name here. A
     coprocessor can also be loaded on demand by setting HTableDescriptor. 
     </description> 
</property> 
 
<property> 
     <name>hbase.coprocessor.master.classes</name> 
     <value></value> 
     <description>A comma-separated list of 
     org.apache.hadoop.hbase.coprocessor.MasterObserver coprocessors that
     are loaded by default on the active HMaster process. For any implemented 
     coprocessor methods, the listed classes will be called in order.
     After implementing your own MasterObserver, just put it in HBase's
     classpath and add the fully qualified class name here. 
     </description> 
</property>