Security

Configuring Phoenix Query Server

The HBase configuration provides most of the settings that enable secure Kerberos environments for Phoenix. However, there are additional configuration properties that complete the setup of Kerberos security for the Phoenix Query Server.

Prerequisite: The value of the hbase.security.authentication property in the $HBASE_CONF_DIR/hbase-site.xml file must be set to kerberos.

  1. Provide the Kerberos principal and keytab for the Phoenix Query Server in the $HBASE_CONF_DIR/hbase-site.xml file.

    <property>
        <name>phoenix.queryserver.kerberos.principal</name>
        <value>HTTP/_HOST@EXAMPLE.COM</value>
        <description>The Kerberos principal name that should be used to run the Phoenix Query Server process.
        The principal name should be in the form: user/hostname@DOMAIN.  If "_HOST" is used as the hostname
        portion, it will be replaced with the actual hostname of the running instance.
        </description>
    </property>
    
    <property>
        <name>phoenix.queryserver.kerberos.keytab</name>
        <value>/etc/security/keytabs/spnego.service.keytab</value>
        <description>Full path to the Kerberos keytab file to use for logging
        in the configured Phoenix Query Server service principal.
        </description>
    </property>
    
  2. Add the fully-qualified domain name for each host running the Phoenix Query Server to the list of hosts that can impersonate end users in the $HADOOP_CONF_DIR/core-site.xml file. Alternatively, insert an asterisk (*) instead of host names if you want to allow all hosts to impersonate end users.

    <property>
        <name>hadoop.proxyuser.HTTP.hosts</name>
        <value>server1.domain.com,server2.domain.com</value>
        <description>A comma-separated list of fully-qualified
        domain names of hosts running services with the Hadoop
        user "HTTP" that can impersonate end users.
        Alternatively, insert an asterisk (*) instead of
        listing host names if you want to allow all hosts to
        impersonate end users.</description>
    </property>
    <property>
        <name>hadoop.proxyuser.HTTP.groups</name>
        <value>group1,group2</value>
        <description>A comma-separated list of groups whose
        members the user "HTTP" can impersonate.
        Alternatively, insert an asterisk (*) instead of
        listing group names if you want to allow the user
        "HTTP" to impersonate members of all groups.</description>
    </property>
    <property>
        <name>hadoop.proxyuser.HTTP.users</name>
        <value>user1,user2</value>
        <description>A comma-separated list of users that
        the user "HTTP" can impersonate.
        Alternatively, insert an asterisk (*) instead of
        listing user names if you want to allow the user
        "HTTP" to impersonate all users.</description>
    </property>
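
A configuration check for the two steps above, as an added example that is not part of the original documentation: it parses hbase-site.xml and core-site.xml content, confirms the prerequisite and the principal and keytab properties, and reports duplicated property names and wildcard proxyuser values. The sample XML is constructed, and treating the principal's first component as the proxyuser name is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample files, not taken from a real cluster. CORE_SITE repeats a
# property name and uses a wildcard so the audit has something to report.
HBASE_SITE = """<configuration>
 <property><name>hbase.security.authentication</name><value>kerberos</value></property>
 <property><name>phoenix.queryserver.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
 <property><name>phoenix.queryserver.kerberos.keytab</name><value>/etc/security/keytabs/spnego.service.keytab</value></property>
</configuration>"""
CORE_SITE = """<configuration>
 <property><name>hadoop.proxyuser.HTTP.hosts</name><value>*</value></property>
 <property><name>hadoop.proxyuser.HTTP.users</name><value>user1,user2</value></property>
 <property><name>hadoop.proxyuser.HTTP.users</name><value>user3</value></property>
</configuration>"""

def load(xml_text):
    """Return ({name: last value seen}, [names defined more than once])."""
    pairs = [((p.findtext("name") or "").strip(), (p.findtext("value") or "").strip())
             for p in ET.fromstring(xml_text).iter("property")]
    counts = Counter(name for name, _ in pairs)
    return dict(pairs), sorted(n for n, c in counts.items() if c > 1)

def audit(hbase_xml, core_xml):
    """Return a list of findings for the Phoenix Query Server Kerberos setup."""
    hbase, dup_hbase = load(hbase_xml)
    core, dup_core = load(core_xml)
    findings = [f"duplicate property: {n}" for n in dup_hbase + dup_core]
    if hbase.get("hbase.security.authentication") != "kerberos":
        findings.append("hbase.security.authentication is not kerberos")
    if not hbase.get("phoenix.queryserver.kerberos.keytab"):
        findings.append("phoenix.queryserver.kerberos.keytab is not set")
    principal = hbase.get("phoenix.queryserver.kerberos.principal", "")
    user, slash, rest = principal.partition("/")
    if not (user and slash and "@" in rest):
        return findings + ["principal is not in the form user/hostname@DOMAIN"]
    # Assumption: the principal's first component is the Hadoop short name.
    prefix = f"hadoop.proxyuser.{user}."
    if not core.get(prefix + "hosts"):
        findings.append(prefix + "hosts is not set")
    if not (core.get(prefix + "groups") or core.get(prefix + "users")):
        findings.append(prefix + "groups/users is not set")
    for key in ("hosts", "groups", "users"):
        if core.get(prefix + key) == "*":
            findings.append(f"{prefix}{key} is a wildcard (*)")
    return findings

if __name__ == "__main__":
    for finding in audit(HBASE_SITE, CORE_SITE):
        print(finding)
```

An empty result means every check passed; each wildcard finding marks a place where an explicit host, group, or user list would narrow what the HTTP principal can impersonate.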