Set Up the Configuration Files
Note | |
---|---|
To enable Kerberos for clusters with dual home network setting, each HBase RegionServer must have its own key. See Setting Up Security for Manual Installs. |
You must set up several configuration files for HBase and ZooKeeper. Hortonworks provides a set of configuration files that represent a working ZooKeeper configuration. (See Download Companion Files). You can use these files as a reference point, however, you need to modify them to match your own cluster environment.
If you choose to use the provided configuration files to set up your ZooKeeper environment, complete the following steps:
Extract the HBase configuration files to a temporary directory.
The files are located in the
configuration_files/hbase
directory in the companion files.Modify the configuration files.
In the respective temporary directories, locate the following files and modify the properties based on your environment.
Review the
zoo.cfg
file and locate the ZooKeeper servers.dataDir=$zk.data.directory.path server.1=$zk.server1.full.hostname:2888:3888 server.2=$zk.server2.full.hostname:2888:3888 server.3=$zk.server3.full.hostname:2888:3888
Edit hbase-site.xml and modify the following properties:
<property> <name>hbase.rootdir</name> <value>hdfs://$hbase.namenode.full.hostname:8020/apps/hbase/data</value> <description>Enter the HBase NameNode server hostname</description> </property> <property> <name>hbase.zookeeper.quorum</name> <value>$zk.server1.full.hostname,$zk.server2.full.hostname,$zk.server3.full.hostname</value> <description>Comma separated list of ZooKeeper servers (match to what is specified in zoo.cfg but without portnumbers)</description> </property>
If you are using a REST server to connect to HBase secured by Kerberos:
You must also add the following properties to
hbase-site.xml
:<property> <name>hbase.rest.authentication.type</name> <value>kerberos</value> <description>Enter the authentication method for the REST server.</description> </property> <property> <name>hbase.rest.kerberos.principal</name> <value>hbase/_HOST@EXAMPLE.COM</value> <description>Enter the Kerberos principal for the REST server to use to interact with HBase.</description> </property> <property> <name>hbase.rest.keytab.file</name> <value>/etc/security/keytabs/hbase.service.keytab</value> <description>Enter the location of the keytab file for the REST server to use to interact with HBase.</description> </property> <property> <name>hbase.rest.authentication.kerberos.principal</name> <value>HTTP/_HOST@EXAMPLE.COM</value> <description>Enter the Kerberos principal for accepting SPNEGO-authenticated REST requests.</description> </property> <property> <name>hbase.rest.authentication.kerberos.keytab</name> <value>/etc/security/keytabs/spnego.service.keytab</value> <description>Enter the location of the keytab file for accepting SPNEGO-authenticated REST requests.</description> </property>
Important You must set the primary component part of the value for hbase.rest.authentication.kerberos.principal to
HTTP
. SPNEGO authentication requiresthat the Kerberos principal's primary component (the first element, up to the forward-slash ("/") or at-symbol ("@") to beHTTP
.After adding these properties to the
hbase-site.xml
file, you must grant HBase permissions to the user specified by the value of the hbase.rest.kerberos.principal property:grant '<user-name>', '<permissions>', '<table>' [, '<column-family>' [, '<column-qualifier>']]
For example, if user =
HTTP
, permissions =RWXCA
, table =sales
, and column =1
:grant 'hbase', 'RWXCA', 'sales', '1'
Ensure that the
core-site.xml
file also contains the corresponding proxy user configuration properties for the configured REST server user.<property> <name>hadoop.proxyuser.USER.hosts</name> <value>*</value> </property> <property> <name>hadoop.proxyuser.USER.groups</name> <value>*</value> </property> <property> <name>hadoop.proxyuser.USER.users</name> <value>*</value> </property>
For example, if user =
hbase
and we wanted to allow the usersalice
andbob
to be impersonated only from the REST server host10.0.0.1
<property> <name>hadoop.proxyuser.hbase.hosts</name> <value>10.0.0.1</value> </property> <property> <name>hadoop.proxyuser.hbase.users</name> <value>alice,bob</value> </property>
Edit the regionservers file and list all the RegionServers hostnames (separated by newline character) in your environment. For example, see the sample regionservers file with hostnames RegionServer1 through RegionServer9. Use full host names (FQDNs).
RegionServer1 RegionServer2 RegionServer3 RegionServer4 RegionServer5 RegionServer6 RegionServer7 RegionServer8 RegionServer9
Copy the configuration files.
On all hosts create the config directory:
rm -r $HBASE_CONF_DIR; mkdir -p $HBASE_CONF_DIR;
Copy all of the HBase configuration files to the $HBASE_CONF_DIR.
Set appropriate permissions:
chmod a+x $HBASE_CONF_DIR/; chown -R $HBASE_USER:$HADOOP_GROUP $HBASE_CONF_DIR/../; chmod -R 755 $HBASE_CONF_DIR/../
where:
$HBASE_CONF_DIR is the directory to store the HBase configuration files. For example,
/etc/hbase/conf
.$HBASE_USER is the user owning the HBase services. For example, hbase.
Review
hbase-site.xml
andhbase-env.sh
. In thehbase-env.sh
file, check the Java heap size for HBase master and Region servers (Xms and Xmx settings in HBASE_MASTER_OPTS and HBASE_REGIONSERVER_OPTS). Compare the Region server heap size with the recommended HBase memory values listed in Table 1.6 in Determine HDP Memory Configuration Settings.