hbase-site.xml
For HBase to run on a secured cluster, HBase must be able to authenticate
itself to HDFS. Add the following information to the
hbase-site.xml
file on your HBase server. However,
include the phoenix.queryserver.kerberos.principal and
phoenix.queryserver.kerberos.keytab property
entries only if you will be configuring Kerberos authentication for a
Phoenix Query Server.
Note | |
---|---|
There are no default values for the property settings. The entries in the "Sample Setting" column are only examples. |
Table 2.16. hbase-site.xml
Property Settings for HBase Server and Phoenix Query Server
Property Name |
Sample Setting |
Description |
---|---|---|
hbase.master.keytab.file |
/etc/security/keytabs/hbase.service.keytab |
The keytab for the HMaster service principal. |
hbase.master.kerberos.principal |
hbase/_HOST@EXAMPLE.COM |
The Kerberos principal name that should be used to run the HMaster process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance. |
hbase.regionserver.keytab.file |
/etc/security/keytabs/hbase.service.keytab |
The keytab for the HRegionServer service principal. |
hbase.regionserver.kerberos.principal |
hbase/_HOST@EXAMPLE.COM |
The Kerberos principal name that should be used to run the HRegionServer process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance. |
hbase.superuser |
hbase |
A comma-separated list of users or groups that are allowed full privileges, regardless of stored ACLs, across the cluster. Only used when HBase security is enabled. |
hbase.coprocessor.region.classes |
Setting 1:org.apache.hadoop.hbase. security.token.TokenProvider, Setting 2:org.apache.hadoop.hbase. security.access.SecureBulkLoadEndpoint, Setting 3:org.apache.hadoop.hbase. security.access.AccessController |
A comma-separated list of coprocessors that are loaded by default on all tables. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own coprocessor, add the class to HBase's classpath and add the fully qualified class name here. Coprocessors can also be loaded programmatically using HTableDescriptor. |
hbase.coprocessor.master.classes | org.apache.hadoop.hbase.security. access.AccessController |
A comma-separated list of MasterObserver coprocessors that are loaded by the active HMaster process. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own MasterObserver, add the class to HBase's classpath and add the fully qualified class name here. |
hbase.coprocessor.regionserver.classes | org.apache.hadoop.hbase.security. access.AccessController | A comma-separated list of RegionServerObserver coprocessors that are loaded by the HRegionServer processes. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own RegionServerObserver, add the class to the HBase classpath and fully qualified class name here. |
phoenix.queryserver.kerberos.principal | HTTP/_HOST@EXAMPLE.COM | The Kerberos principal for the Phoenix Query Server process. The Phoenix Query Server is an optional component; this property only needs to be set when the query server is installed. |
phoenix.queryserver.kerberos.keytab | /etc/security/keytabs/spnego.service.keytab | The path to the Kerberos keytab file for the Phoenix Query Server process. The Phoenix Query Server is an optional component; this property only needs to be set when the query server is installed. |
Tip | |
---|---|
Phoenix Query Server users: See Configuring Phoenix Query Server for the required setting
in the |
The following lists the XML for the hbase-site.xml
file entries:
<property> <name>hbase.master.keytab.file</name> <value>/etc/security/keytabs/hbase.service.keytab</value> <description>Full path to the Kerberos keytab file to use for logging in the configured HMaster server principal. </description> </property> <property> <name>hbase.master.kerberos.principal</name> <value>hm/_HOST@EXAMPLE.COM</value> <description>Ex. "hbase/_HOST@EXAMPLE.COM". The Kerberos principal name that should be used to run the HMaster process. The principal name should be in the form: user/hostname@DOMAIN. If "_HOST" is used as the hostname portion, it will be replaced with the actual hostname of the running instance. </description> </property> <property> <name>hbase.regionserver.keytab.file</name> <value>/etc/security/keytabs/hbase.service.keytab</value> <description>Full path to the kerberos keytab file to use for logging in the configured HRegionServer server principal. </description> </property> <property> <name>hbase.regionserver.kerberos.principal</name> <value>hbase/_HOST@EXAMPLE.COM</value> <description>Ex. "hbase/_HOST@EXAMPLE.COM". The kerberos principal name that should be used to run the HRegionServer process. The principal name should be in the form: user/hostname@DOMAIN. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance. An entry for this principal must exist in the file specified in hbase.regionserver.keytab.file </description> </property> <!--Additional configuration specific to HBase security --> <property> <name>hbase.superuser</name> <value>hbase</value> <description>List of users or groups (comma-separated), who are allowed full privileges, regardless of stored ACLs, across the cluster. Only used when HBase security is enabled. </description> </property> <property> <name>hbase.coprocessor.region.classes</name> <value>org.apache.hadoop.hbase.security.token.TokenProvider, org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint, org.apache.hadoop.hbase.security.access.AccessController</value> <description>A comma-separated list of coprocessors that are loaded by default on all tables. For any override coprocessor method, these classes will be called in order. After implementing your own coprocessor, just put it in HBase's classpath and add the fully qualified class name here. A coprocessor can also be loaded on demand by setting HTableDescriptor. </description> </property> <property> <name>hbase.coprocessor.master.classes</name> <value>org.apache.hadoop.hbase.security.access.AccessController</value> <description>A comma-separated list of MasterObserver coprocessors that are loaded by the active HMaster process. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own MasterObserver, add the class to HBase's classpath and add the fully qualified class name here. </description> </property> <property> <name>hbase.coprocessor.regionserver.classes</name> <value>org.apache.hadoop.hbase.security.access.AccessController</value> <description>A comma-separated list of RegionServerObserver coprocessors that are loaded by the HRegionServer processes. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own RegionServerObserver, add the class to the HBase classpath and fully qualified class name here. </description> </property> <property> <name>phoenix.queryserver.kerberos.principal</name> <value>HTTP/_HOST@EXAMPLE.COM</value> <description>The Kerberos principal for the Phoenix Query Server process. The Phoenix Query Server is an optional component; this property only needs to be set when the query server is installed. </description> </property> <property> <name>phoenix.queryserver.kerberos.keytab</name> <value>/etc/security/keytabs/spnego.service.keytab</value> <description>The path to the Kerberos keytab file for the Phoenix Query Server process. The Phoenix Query Server is an optional component; this property only needs to be set when the query server is installed.</description> </property>