The HBase configuration provides most of the settings that enable secure Kerberos environments for Phoenix. However, there are additional configuration properties that complete the setup of Kerberos security for the Phoenix Query Server.

Prerequisite: The value of the hbase.security.authentication property in the $HBASE_CONF_DIR/hbase-site.xmlfile must be set to kerberos.

Provide the Kerberos principal and keytab for the Phoenix Query Server in the $HBASE_CONF_DIR/hbase-site.xml file, as follows:

<property>
    <name>phoenix.queryserver.kerberos.principal</name>
    <value>hbase/_HOST@EXAMPLE.COM</value>
    <description>The Kerberos principal name that should be used to run the Phoenix Query Server process.
    The principal name should be in the form: user/hostname@DOMAIN.  If "_HOST" is used as the hostname
    portion, it will be replaced with the actual hostname of the running instance.
    </description>
</property>

<property>
    <name>phoenix.queryserver.keytab.file</name>
    <value>/etc/security/keytabs/hbase.service.keytab</value>
    <description>Full path to the Kerberos keytab file to use for logging
    in the configured Phoenix Query Server service principal.
    </description>
</property>