Hadoop Security Guide

Configure secure client side access for HBase

HBase configured for secure client access is expected to be running on top of a secure HDFS cluster. HBase must be able to authenticate to HDFS services.

  1. Provide a Kerberos principal to the HBase client user using the instructions provided here.

    • Option I: Provide Kerberos principal to normal HBase clients.

      For normal HBase clients, Hortonworks recommends setting up a password for the principal.

    • Set maxrenewlife.

      Set the client principal's maxrenewlife high enough to allow the HBase client process to complete. Client principals are not renewed automatically.

      For example, if a user runs a long-running HBase client process that takes at most three days, we might create this user's principal within kadmin with the following command:

      addprinc -maxrenewlife 3days

    • Option II: Provide Kerberos principal to long running HBase clients.

      1. Set up a keytab file for the principal and copy the resulting keytab files to where the client daemon will execute.

        Ensure that this file is readable only by the user account under which the daemon will run.

  2. On every HBase client, add the following properties to the $HBASE_CONF_DIR/hbase-site.xml file:

    <property>
        <name>hbase.security.authentication</name>
        <value>kerberos</value>
    </property>

    Note

    The client environment must be logged in to Kerberos, from the KDC or from a keytab, via the kinit command before communication with the HBase cluster is possible. The client will not be able to communicate with the cluster if the hbase.security.authentication property in the client-side and server-side site files does not match.

    <property>
        <name>hbase.rpc.engine</name>
        <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
    </property>
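
The following Python check is an added example, not part of the original guide: it verifies that hbase.security.authentication is kerberos and identical in a client-side and a server-side site file, and that a keytab carries no group or other permissions. The function names, file names and sample file contents are constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

KEY = "hbase.security.authentication"
# Constructed sample site file (not from the guide); {auth} is filled in per case.
SITE = ("<configuration><property><name>" + KEY + "</name>"
        "<value>{auth}</value></property></configuration>")

def load_site(path):
    """Return {name: value} for each <property> in a Hadoop-style site file."""
    props = {}
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_client(client_site, server_site, keytab):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    c_auth = load_site(client_site).get(KEY, "<unset>").lower()
    s_auth = load_site(server_site).get(KEY, "<unset>").lower()
    if c_auth != "kerberos":
        findings.append(f"client {KEY} is {c_auth!r}, expected 'kerberos'")
    if c_auth != s_auth:
        findings.append(f"{KEY} differs: client {c_auth!r}, server {s_auth!r}")
    # The keytab must be accessible only to the daemon's account: no group/other bits.
    mode = stat.S_IMODE(os.stat(keytab).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"keytab mode is {mode:03o}; remove group/other access")
    return findings

def demo(client_auth, server_auth, keytab_mode):
    """Audit constructed site files and a dummy keytab written to a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("client.xml", "server.xml", "client.keytab")]
        bodies = (SITE.format(auth=client_auth), SITE.format(auth=server_auth), "dummy")
        for path, body in zip(paths, bodies):
            with open(path, "w") as f:
                f.write(body)
        os.chmod(paths[2], keytab_mode)
        return audit_client(*paths)

if __name__ == "__main__":
    for finding in demo("kerberos", "simple", 0o644):
        print("FAIL:", finding)
```

To use it on a real deployment, pass audit_client the hbase-site.xml from a client host, the one from a server host, and the path of the daemon's keytab.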