Security
Also available as:
PDF
loading table of contents...
hbase-site.xml

For HBase to run on a secured cluster, HBase must be able to authenticate itself to HDFS. Add the following information to the hbase-site.xml file on your HBase server. However, include the phoenix.queryserver.kerberos.principal and phoenix.queryserver.kerberos.keytab property entries only if you will be configuring Kerberos authentication for a Phoenix Query Server.

[Note]Note

There are no default values for the property settings. The entries in the "Sample Setting" column are only examples.

Table 2.16. hbase-site.xml Property Settings for HBase Server and Phoenix Query Server

Property Name

Sample Setting

Description

hbase.master.keytab.file

/etc/security/keytabs/hbase.service.keytab

The keytab for the HMaster service principal.

hbase.master.kerberos.principal

hbase/_HOST@EXAMPLE.COM

The Kerberos principal name that should be used to run the HMaster process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance.

hbase.regionserver.keytab.file

/etc/security/keytabs/hbase.service.keytab

The keytab for the HRegionServer service principal.

hbase.regionserver.kerberos.principal

hbase/_HOST@EXAMPLE.COM

The Kerberos principal name that should be used to run the HRegionServer process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance.

hbase.superuser

hbase

A comma-separated list of users or groups that are allowed full privileges, regardless of stored ACLs, across the cluster. Only used when HBase security is enabled.

hbase.coprocessor.region.classes

Setting 1:org.apache.hadoop.hbase.

security.token.TokenProvider,

Setting 2:org.apache.hadoop.hbase.

security.access.SecureBulkLoadEndpoint,

Setting 3:org.apache.hadoop.hbase.

security.access.AccessController

A comma-separated list of coprocessors that are loaded by default on all tables. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own coprocessor, add the class to HBase's classpath and add the fully qualified class name here. Coprocessors can also be loaded programmatically using HTableDescriptor.

hbase.coprocessor.master.classes

org.apache.hadoop.hbase.security.

access.AccessController

A comma-separated list of MasterObserver coprocessors that are loaded by the active HMaster process. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own MasterObserver, add the class to HBase's classpath and add the fully qualified class name here.

hbase.coprocessor.regionserver.classes

org.apache.hadoop.hbase.security.

access.AccessController

A comma-separated list of RegionServerObserver coprocessors that are loaded by the HRegionServer processes. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own RegionServerObserver, add the class to the HBase classpath and fully qualified class name here.
phoenix.queryserver.kerberos.principalHTTP/_HOST@EXAMPLE.COMThe Kerberos principal for the Phoenix Query Server process. The Phoenix Query Server is an optional component; this property only needs to be set when the query server is installed.
phoenix.queryserver.kerberos.keytab/etc/security/keytabs/spnego.service.keytabThe path to the Kerberos keytab file for the Phoenix Query Server process. The Phoenix Query Server is an optional component; this property only needs to be set when the query server is installed.

[Tip]Tip

Phoenix Query Server users: See Configuring Phoenix Query Server for the required setting in the core-site.xml file to complete Kerberos setup of the query server.

The following lists the XML for the hbase-site.xml file entries:

<property> 
     <name>hbase.master.keytab.file</name> 
     <value>/etc/security/keytabs/hbase.service.keytab</value> 
     <description>Full path to the Kerberos keytab file to use for logging
     in the configured HMaster server principal. 
     </description> 
</property> 
 
<property> 
     <name>hbase.master.kerberos.principal</name> 
     <value>hm/_HOST@EXAMPLE.COM</value> 
      <description>Ex. "hbase/_HOST@EXAMPLE.COM". 
     The Kerberos principal name that should be used to run the HMaster 
     process. The principal name should be in the form: user/hostname@DOMAIN. 
     If "_HOST" is used as the hostname portion, it will be replaced with
     the actual hostname of the running instance.
     </description> 
</property> 
 
<property> 
     <name>hbase.regionserver.keytab.file</name> 
     <value>/etc/security/keytabs/hbase.service.keytab</value> 
     <description>Full path to the kerberos keytab file to use for logging
     in the configured HRegionServer server principal. 
     </description> 
</property> 
 
<property> 
     <name>hbase.regionserver.kerberos.principal</name> 
     <value>hbase/_HOST@EXAMPLE.COM</value> 
     <description>Ex. "hbase/_HOST@EXAMPLE.COM". 
     The kerberos principal name that
     should be used to run the HRegionServer process. The
     principal name should be in the form: 
     user/hostname@DOMAIN. If _HOST
     is used as the hostname portion, it will be replaced 
     with the actual hostname of the running
     instance. An entry for this principal must exist
     in the file specified in hbase.regionserver.keytab.file 
     </description> 
</property> 
 
<!--Additional configuration specific to HBase security -->
 
<property> 
     <name>hbase.superuser</name> 
     <value>hbase</value> 
     <description>List of users or groups (comma-separated), who are
     allowed full privileges, regardless of stored ACLs, across the cluster.
     Only used when HBase security is enabled. 
     </description> 
</property> 
 
<property> 
     <name>hbase.coprocessor.region.classes</name> 
     <value>org.apache.hadoop.hbase.security.token.TokenProvider,
     org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,
     org.apache.hadoop.hbase.security.access.AccessController</value> 
     <description>A comma-separated list of coprocessors that are loaded
     by default on all tables. For any override coprocessor method, 
     these classes will be called in order. After implementing your 
     own coprocessor, just put it in HBase's classpath and add the 
     fully qualified class name here. A coprocessor can also be loaded on 
     demand by setting HTableDescriptor. 
     </description> 
</property> 
 
<property> 
     <name>hbase.coprocessor.master.classes</name> 
     <value>org.apache.hadoop.hbase.security.access.AccessController</value> 
     <description>A comma-separated list of MasterObserver coprocessors that
     are loaded by the active HMaster process. For any implemented coprocessor
     methods, the listed classes will be called in order. After implementing your
     own MasterObserver, add the class to HBase's classpath and add the fully
     qualified class name here.  
     </description> 
</property>

<property>
    <name>hbase.coprocessor.regionserver.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
    <description>A comma-separated list of RegionServerObserver coprocessors
    that are loaded by the HRegionServer processes. For any implemented 
    coprocessor methods, the listed classes will be called in order. After 
    implementing your own RegionServerObserver, add the class to the HBase 
    classpath and fully qualified class name here.
    </description>
</property>               
<property>
    <name>phoenix.queryserver.kerberos.principal</name>
    <value>HTTP/_HOST@EXAMPLE.COM</value>
    <description>The Kerberos principal for the Phoenix Query Server 
    process. The Phoenix Query Server is an optional component; this 
    property only needs to be set when the query server is installed.
    </description>
</property>

<property>
    <name>phoenix.queryserver.kerberos.keytab</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value>
    <description>The path to the Kerberos keytab file for the 
    Phoenix Query Server process. The Phoenix Query Server is an optional 
    component; this property only needs to be set when the query server 
    is installed.</description>
</property>