Setting Up HBase Replication Among Kerberos Secured Clusters
HBase replication supports Kerberos, if you want to ensure secure communication between two clusters.
Prerequisite
You have configured HBase replication in two separate clusters.
Prior to configuring secure HBase, you must configure cross realm authentication for Kerberos, ZooKeeper, and Apache Hadoop.
Create krbtgt principals for the two realms.
For example, if you have two realms called HDP1.COM and HDP2.COM, the realms must share a key. In this case, you add the following principals to both realms:
krbtgt/HDP1.COM@HDP2.COM and krbtgt/HDP2.COM@HDP1.COM
There must be at least one common encryption mode between these two realms:
HDP1 cluster:
    kadmin.local: addprinc krbtgt/HDP1.COM@HDP2.COM
    kadmin.local: addprinc krbtgt/HDP2.COM@HDP1.COM
HDP2 cluster:
    kadmin.local: addprinc krbtgt/HDP1.COM@HDP2.COM
    kadmin.local: addprinc krbtgt/HDP2.COM@HDP1.COM
Note: To ensure that there is at least one common encryption mode between the realms, you can use the -e option of addprinc to specify the list of encryption types. Refer to "Supported Encryption Types" in the MIT Kerberos manual for your deployment to view all possible options.
    kadmin.local: addprinc -e "<enc_type_list>" krbtgt/HDP1.COM@HDP2.COM
Add rules to the ZooKeeper of the replica (slave) cluster so that it derives short names from the incoming principal.
To do this, add a system-level property in java.env in the ZooKeeper conf directory.
On the HDP1 cluster, add support for the realm called HDP2.COM, matching principals with two components (such as service/instance@HDP2.COM):
    -Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QHDP2.COM\\E$)s/@\\QHDP2.COM\\E$//DEFAULT
On the HDP2 cluster, add support for the realm called HDP1.COM, matching principals with two components (such as service/instance@HDP1.COM):
    -Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QHDP1.COM\\E$)s/@\\QHDP1.COM\\E$//DEFAULT
The DEFAULT value defines the default rule.
Add rules for creating short names in the Hadoop processes. To do this, add the hadoop.security.auth_to_local property to the core-site.xml file on the replica cluster (each cluster gets the rule for the other cluster's realm).
On the HDP1 cluster, add the following:
    <property>
      <name>hadoop.security.auth_to_local</name>
      <!-- XML takes the rule literally: no shell escaping here. The \$ and \\Q
           forms are only for java.env, where the shell strips the backslashes. -->
      <value>
        RULE:[2:$1@$0](.*@\QHDP2.COM\E$)s/@\QHDP2.COM\E$//
        DEFAULT
      </value>
    </property>
On the HDP2 cluster, add the following:
    <property>
      <name>hadoop.security.auth_to_local</name>
      <!-- XML takes the rule literally: no shell escaping here. The \$ and \\Q
           forms are only for java.env, where the shell strips the backslashes. -->
      <value>
        RULE:[2:$1@$0](.*@\QHDP1.COM\E$)s/@\QHDP1.COM\E$//
        DEFAULT
      </value>
    </property>
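To check what a rule like the ones above will do to a principal before you deploy it, here is an added example (not Hadoop's or ZooKeeper's own KerberosName code) that evaluates the RULE/DEFAULT syntax used on this page; the host names in the sample principals are constructed.

```python
import re

# Offline evaluator for the auth_to_local syntax used on this page:
# RULE:[n:fmt](regex)s/pat/repl/ and DEFAULT. Added example, not the
# Hadoop or ZooKeeper implementation; sample principals are constructed.
RULE_RE = re.compile(
    r"\s*(DEFAULT|RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?)"
)

def java_regex(pat):
    # Java regexes quote literals with \Q...\E; Python's re has no such form.
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pat)

def apply_rules(rules, principal, local_realm):
    """Map a Kerberos principal to a short name, or None if no rule matches."""
    name, realm = principal.rsplit("@", 1)
    parts = name.split("/")           # service/instance -> two components
    rules, pos = rules.strip(), 0
    while pos < len(rules):
        m = RULE_RE.match(rules, pos)
        if m is None:
            raise ValueError("unparseable rule text at offset %d" % pos)
        pos = m.end()
        if m.group(1) == "DEFAULT":
            if realm == local_realm:  # DEFAULT only maps the local realm
                return parts[0]
            continue
        n, fmt, regex, pat, repl, glob = m.group(2, 3, 4, 5, 6, 7)
        if int(n) != len(parts):      # component count must match [n:...]
            continue
        params = [realm] + parts      # $0 is the realm, $1.. the components
        candidate = re.sub(r"\$(\d)", lambda x: params[int(x.group(1))], fmt)
        if regex is not None and not re.fullmatch(java_regex(regex), candidate):
            continue
        if pat is not None:
            candidate = re.sub(java_regex(pat), repl, candidate,
                               count=0 if glob else 1)
        return candidate
    return None

# The HDP1 cluster's rule from this page, in the unescaped form XML expects.
HDP1_RULES = r"RULE:[2:$1@$0](.*@\QHDP2.COM\E$)s/@\QHDP2.COM\E$//DEFAULT"

if __name__ == "__main__":
    for p in ("hbase/rs1.hdp2.example@HDP2.COM",   # constructed peer principal
              "hbase/rs1.hdp1.example@HDP1.COM",   # constructed local principal
              "alice@HDP2.COM"):                   # one component: no match
        print(p, "->", apply_rules(HDP1_RULES, p, "HDP1.COM"))
```

The third principal shows the caveat the page hints at with "two members in the principal": a single-component principal from the peer realm is not mapped by the [2:...] rule and DEFAULT rejects it, so it is refused rather than silently granted a local name.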
Follow the instructions in Managing and Configuring HBase Cluster Replication section to complete the replication process.