hbase-site.xml
For HBase to run on a secured cluster, HBase must be able to authenticate
itself to HDFS. Add the following information to the
hbase-site.xml file on your HBase server. However,
include the phoenix.queryserver.kerberos.principal and
phoenix.queryserver.kerberos.keytab property
entries only if you will be configuring Kerberos authentication for a
Phoenix Query Server.
![[Note]](../common/images/admon/note.png) | Note |
|---|---|
There are no default values for the property settings. The entries in the "Sample Setting" column are only examples. |
Table 2.16. hbase-site.xml Property Settings for HBase Server and Phoenix Query Server
|
Property Name |
Sample Setting |
Description |
|---|---|---|
|
hbase.master.keytab.file |
/etc/security/keytabs/hbase.service.keytab |
The keytab for the HMaster service principal. |
|
hbase.master.kerberos.principal |
hbase/_HOST@EXAMPLE.COM |
The Kerberos principal name that should be used to run the HMaster process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance. |
|
hbase.regionserver.keytab.file |
/etc/security/keytabs/hbase.service.keytab |
The keytab for the HRegionServer service principal. |
|
hbase.regionserver.kerberos.principal |
hbase/_HOST@EXAMPLE.COM |
The Kerberos principal name that should be used to run the HRegionServer process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance. |
|
hbase.superuser |
hbase |
A comma-separated list of users or groups that are allowed full privileges, regardless of stored ACLs, across the cluster. Only used when HBase security is enabled. |
|
hbase.coprocessor.region.classes |
Setting 1:org.apache.hadoop.hbase. security.token.TokenProvider, Setting 2:org.apache.hadoop.hbase. security.access.SecureBulkLoadEndpoint, Setting 3:org.apache.hadoop.hbase. security.access.AccessController |
A comma-separated list of coprocessors that are loaded by default on all tables. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own coprocessor, add the class to HBase's classpath and add the fully qualified class name here. Coprocessors can also be loaded programmatically using HTableDescriptor. |
|
hbase.coprocessor.master.classes | org.apache.hadoop.hbase.security. access.AccessController |
A comma-separated list of MasterObserver coprocessors that are loaded by the active HMaster process. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own MasterObserver, add the class to HBase's classpath and add the fully qualified class name here. |
| hbase.coprocessor.regionserver.classes | org.apache.hadoop.hbase.security. access.AccessController | A comma-separated list of RegionServerObserver coprocessors that are loaded by the HRegionServer processes. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own RegionServerObserver, add the class to the HBase classpath and fully qualified class name here. |
| phoenix.queryserver.kerberos.principal | HTTP/_HOST@EXAMPLE.COM | The Kerberos principal for the Phoenix Query Server process. The Phoenix Query Server is an optional component; this property only needs to be set when the query server is installed. |
| phoenix.queryserver.kerberos.keytab | /etc/security/keytabs/spnego.service.keytab | The path to the Kerberos keytab file for the Phoenix Query Server process. The Phoenix Query Server is an optional component; this property only needs to be set when the query server is installed. |
![[Tip]](../common/images/admon/tip.png) | Tip |
|---|---|
Phoenix Query Server users: See Configuring Phoenix Query Server for the required setting
in the |
The following lists the XML for the hbase-site.xml file entries:
<property>
<name>hbase.master.keytab.file</name>
<value>/etc/security/keytabs/hbase.service.keytab</value>
<description>Full path to the Kerberos keytab file to use for logging
in the configured HMaster server principal.
</description>
</property>
<property>
<name>hbase.master.kerberos.principal</name>
<value>hm/_HOST@EXAMPLE.COM</value>
<description>Ex. "hbase/_HOST@EXAMPLE.COM".
The Kerberos principal name that should be used to run the HMaster
process. The principal name should be in the form: user/hostname@DOMAIN.
If "_HOST" is used as the hostname portion, it will be replaced with
the actual hostname of the running instance.
</description>
</property>
<property>
<name>hbase.regionserver.keytab.file</name>
<value>/etc/security/keytabs/hbase.service.keytab</value>
<description>Full path to the kerberos keytab file to use for logging
in the configured HRegionServer server principal.
</description>
</property>
<property>
<name>hbase.regionserver.kerberos.principal</name>
<value>hbase/_HOST@EXAMPLE.COM</value>
<description>Ex. "hbase/_HOST@EXAMPLE.COM".
The kerberos principal name that
should be used to run the HRegionServer process. The
principal name should be in the form:
user/hostname@DOMAIN. If _HOST
is used as the hostname portion, it will be replaced
with the actual hostname of the running
instance. An entry for this principal must exist
in the file specified in hbase.regionserver.keytab.file
</description>
</property>
<!--Additional configuration specific to HBase security -->
<property>
<name>hbase.superuser</name>
<value>hbase</value>
<description>List of users or groups (comma-separated), who are
allowed full privileges, regardless of stored ACLs, across the cluster.
Only used when HBase security is enabled.
</description>
</property>
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.token.TokenProvider,
org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,
org.apache.hadoop.hbase.security.access.AccessController</value>
<description>A comma-separated list of coprocessors that are loaded
by default on all tables. For any override coprocessor method,
these classes will be called in order. After implementing your
own coprocessor, just put it in HBase's classpath and add the
fully qualified class name here. A coprocessor can also be loaded on
demand by setting HTableDescriptor.
</description>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
<description>A comma-separated list of MasterObserver coprocessors that
are loaded by the active HMaster process. For any implemented coprocessor
methods, the listed classes will be called in order. After implementing your
own MasterObserver, add the class to HBase's classpath and add the fully
qualified class name here.
</description>
</property>
<property>
<name>hbase.coprocessor.regionserver.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
<description>A comma-separated list of RegionServerObserver coprocessors
that are loaded by the HRegionServer processes. For any implemented
coprocessor methods, the listed classes will be called in order. After
implementing your own RegionServerObserver, add the class to the HBase
classpath and fully qualified class name here.
</description>
</property>
<property>
<name>phoenix.queryserver.kerberos.principal</name>
<value>HTTP/_HOST@EXAMPLE.COM</value>
<description>The Kerberos principal for the Phoenix Query Server
process. The Phoenix Query Server is an optional component; this
property only needs to be set when the query server is installed.
</description>
</property>
<property>
<name>phoenix.queryserver.kerberos.keytab</name>
<value>/etc/security/keytabs/spnego.service.keytab</value>
<description>The path to the Kerberos keytab file for the
Phoenix Query Server process. The Phoenix Query Server is an optional
component; this property only needs to be set when the query server
is installed.</description>
</property>