Configuring Phoenix Query Server
The HBase configuration provides most of the settings that enable secure Kerberos environments for Phoenix. However, there are additional configuration properties that complete the setup of Kerberos security for the Phoenix Query Server.
Prerequisite: The value of the hbase.security.authentication property in the $HBASE_CONF_DIR/hbase-site.xml file must be set to kerberos.
Provide the Kerberos principal and keytab for the Phoenix Query Server in the $HBASE_CONF_DIR/hbase-site.xml file.

<property>
  <name>phoenix.queryserver.kerberos.principal</name>
  <value>HTTP/_HOST@EXAMPLE.COM</value>
  <description>The Kerberos principal name that should be used to run the Phoenix Query Server process. The principal name should be in the form: user/hostname@DOMAIN. If "_HOST" is used as the hostname portion, it will be replaced with the actual hostname of the running instance.</description>
</property>
<property>
  <name>phoenix.queryserver.kerberos.keytab</name>
  <value>/etc/security/keytabs/spnego.service.keytab</value>
  <description>Full path to the Kerberos keytab file to use for logging in the configured Phoenix Query Server service principal.</description>
</property>
Add the fully-qualified domain name for each host running the Phoenix Query Server to the list of hosts that can impersonate end users in the $HADOOP_CONF_DIR/core-site.xml file. Alternatively, insert an asterisk (*) instead of host names if you want to allow all hosts to impersonate end users.

<property>
  <name>hadoop.proxyuser.HTTP.hosts</name>
  <value>server1.domain.com,server2.domain.com</value>
  <description>A comma-separated list of fully-qualified domain names of hosts running services with the Hadoop user "HTTP" that can impersonate end users. Alternatively, insert an asterisk (*) instead of listing host names if you want to allow all hosts to impersonate end users.</description>
</property>
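The prerequisite and both configuration steps can be checked together before the Phoenix Query Server is started. The following Python audit is an added example, not part of the original documentation or of Phoenix; the function names load_props, audit and make_conf are hypothetical, the sample documents are constructed from the values shown above, and it assumes the Hadoop user in the proxyuser key is the first component of the configured principal.

```python
import re
import xml.etree.ElementTree as ET

def load_props(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def audit(hbase_xml, core_xml):
    """Return a list of findings; an empty list means every check passed."""
    hbase, core = load_props(hbase_xml), load_props(core_xml)
    findings = []
    if hbase.get("hbase.security.authentication", "") != "kerberos":
        findings.append("hbase.security.authentication is not kerberos")
    principal = hbase.get("phoenix.queryserver.kerberos.principal", "")
    m = re.fullmatch(r"([^/@\s]+)/([^/@\s]+)@([^/@\s]+)", principal)
    if not m:
        findings.append("principal is missing or not user/hostname@DOMAIN")
    if not hbase.get("phoenix.queryserver.kerberos.keytab", "").startswith("/"):
        findings.append("keytab is missing or not a full path")
    if m:
        # Assumption: the Hadoop user name is the principal's first component.
        key = "hadoop.proxyuser.%s.hosts" % m.group(1)
        hosts = [h.strip() for h in core.get(key, "").split(",") if h.strip()]
        if not hosts:
            findings.append(key + " is not set")
        elif "*" in hosts:
            findings.append(key + " allows all hosts to impersonate end users")
        else:
            findings += ["%s: %s is not fully qualified" % (key, h)
                         for h in hosts if "." not in h]
    return findings

def make_conf(props):
    """Build a constructed <configuration> document (sample data only)."""
    body = "".join("<property><name>%s</name><value>%s</value></property>" % kv
                   for kv in props.items())
    return "<configuration>%s</configuration>" % body

# Constructed sample inputs using the values shown on this page.
HBASE_SITE = make_conf({
    "hbase.security.authentication": "kerberos",
    "phoenix.queryserver.kerberos.principal": "HTTP/_HOST@EXAMPLE.COM",
    "phoenix.queryserver.kerberos.keytab": "/etc/security/keytabs/spnego.service.keytab",
})
CORE_LISTED = make_conf({"hadoop.proxyuser.HTTP.hosts": "server1.domain.com,server2.domain.com"})
CORE_WILDCARD = make_conf({"hadoop.proxyuser.HTTP.hosts": "*"})

if __name__ == "__main__":
    for name, core in (("listed", CORE_LISTED), ("wildcard", CORE_WILDCARD)):
        print(name, audit(HBASE_SITE, core) or "OK")
```

To run it against a live node, pass the contents of $HBASE_CONF_DIR/hbase-site.xml and $HADOOP_CONF_DIR/core-site.xml to audit() in place of the constructed samples.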