Configure secure client side access for HBase
HBase configured for secure client access is expected to be running on top of a secure HDFS cluster. HBase must be able to authenticate to HDFS services.
Provide a Kerberos principal to the HBase client user using the instructions provided here.
Option I: Provide Kerberos principal to normal HBase clients.
For normal HBase clients, Hortonworks recommends setting up a password for the principal.
Set maxrenewlife. The client principal's maxrenewlife should be set high enough so that it allows enough time for the HBase client process to complete. Client principals are not renewed automatically. For example, if a user runs a long-running HBase client process that takes at most three days, we might create this user's principal within kadmin with the following command:
addprinc -maxrenewlife 3days
Option II: Provide Kerberos principal to long-running HBase clients.
Set up a keytab file for the principal and copy the resulting keytab files to where the client daemon will execute.
Ensure that you make this file readable only to the user account under which the daemon will run.
On every HBase client, add the following properties to the $HBASE_CONF_DIR/hbase-site.xml file:
<property>
  <name>hbase.security.authentication</name>
  <value>kerberos</value>
</property>
Note: The client environment must be logged in to Kerberos from KDC or keytab via the kinit command before communication with the HBase cluster is possible. Note that the client will not be able to communicate with the cluster if the hbase.security.authentication property in the client- and server-side site files fails to match.
<property>
  <name>hbase.rpc.engine</name>
  <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
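A preflight check for the two conditions above: the client's hbase.security.authentication must be kerberos and match the server-side file, and the keytab must be accessible only to the daemon account. This is an added example, not Hortonworks or HBase code; the function names and the sample XML are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

AUTH = "hbase.security.authentication"

# Constructed sample site files (not taken from a real cluster).
SERVER_XML = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
</configuration>"""
CLIENT_XML = SERVER_XML


def load_site(xml_text):
    """Return {name: value} for every <property> in an hbase-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def compare_sites(client_xml, server_xml):
    """List reasons the client would fail to talk to the secure cluster."""
    client = load_site(client_xml).get(AUTH)
    server = load_site(server_xml).get(AUTH)
    findings = []
    if client != "kerberos":
        findings.append(f"client {AUTH} is {client!r}, expected 'kerberos'")
    if client != server:
        findings.append(f"{AUTH} mismatch: client={client!r} server={server!r}")
    return findings


def keytab_findings(path, daemon_uid):
    """Flag a keytab that accounts other than the daemon user can access."""
    st = os.stat(path)
    findings = []
    if st.st_uid != daemon_uid:
        findings.append(f"{path} owned by uid {st.st_uid}, expected {daemon_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} mode {stat.S_IMODE(st.st_mode):04o} is open to group/other")
    return findings


if __name__ == "__main__":
    simple_client = CLIENT_XML.replace("kerberos", "simple")  # constructed bad case
    for finding in compare_sites(simple_client, SERVER_XML):
        print(finding)
```

Run keytab_findings against the copied keytab with the uid of the account the client daemon runs under; an empty list means only that account can read the file.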