Setting Up HBase Replication Among Kerberos Secured Clusters
HBase replication supports Kerberos if you want to ensure secure communication between two clusters.
Prerequisite
You have configured HBase replication in two separate clusters.
Prior to configuring secure HBase, you must configure cross-realm authentication for Kerberos, ZooKeeper, and Apache Hadoop.
- Create krbtgt principals for the two realms.
  For example, if you have two realms called HDP1.COM and HDP2.COM, the realms must share a key. In this case, you add the following principals in both realms:
  krbtgt/HDP1.COM@HDP2.COM and krbtgt/HDP2.COM@HDP1.COM
  There must be at least one common encryption mode between these two realms:
  HDP1 cluster:
  kadmin.local: addprinc krbtgt/HDP1.COM@HDP2.COM
  kadmin.local: addprinc krbtgt/HDP2.COM@HDP1.COM
  HDP2 cluster:
  kadmin.local: addprinc krbtgt/HDP1.COM@HDP2.COM
  kadmin.local: addprinc krbtgt/HDP2.COM@HDP1.COM
  Note: To ensure that there is at least one common encryption mode between the realms, you can use the -e option of addprinc to specify the list of encryption types. Refer to “Supported Encryption Types” in the MIT Kerberos manual for your deployment to view all possible options.
  kadmin.local: addprinc -e "<enc_type_list>" krbtgt/HDP1.COM@HDP2.COM
- Add rules in the slave ZooKeeper to create short names based on the incoming principal.
  To do this, add a system property to the java.env file in the ZooKeeper conf directory.
  - On the HDP1 cluster, add support for the realm called HDP2.COM, and have two members in the principal (such as service/instance@HDP2.COM):
    -Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QHDP2.COM\\E$)s/@\\QHDP2.COM\\E$//DEFAULT
  - On the HDP2 cluster, add support for the realm called HDP1.COM, and have two members in the principal (such as service/instance@HDP1.COM):
    -Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QHDP1.COM\\E$)s/@\\QHDP1.COM\\E$//DEFAULT
  The trailing DEFAULT entry is the fallback rule that applies when the RULE does not match.
- Add rules for creating short names in the Hadoop processes. To do this, add the hadoop.security.auth_to_local property to the core-site.xml file in the replica cluster. The backslash escaping used in java.env is for the shell and is not needed in XML.
  - On the HDP1 cluster, add the following:
    <property>
      <name>hadoop.security.auth_to_local</name>
      <value>RULE:[2:$1@$0](.*@\QHDP2.COM\E$)s/@\QHDP2.COM\E$//DEFAULT</value>
    </property>
  - On the HDP2 cluster, add the following:
    <property>
      <name>hadoop.security.auth_to_local</name>
      <value>RULE:[2:$1@$0](.*@\QHDP1.COM\E$)s/@\QHDP1.COM\E$//DEFAULT</value>
    </property>
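To check what local user name the ZooKeeper and Hadoop rules above actually produce, here is an added example (not from the HDP documentation or the Hadoop code base) that evaluates the auth_to_local syntax used on this page in Python, following Hadoop's KerberosName behaviour: the RULE applies only to two-component principals from the named remote realm, DEFAULT accepts only the local realm, and anything else is rejected. The principals and host names are constructed.

```python
# Added example (not from the HDP docs): evaluates the subset of Hadoop/ZooKeeper
# auth_to_local syntax this page uses, RULE:[n:format](regex)s/pat/repl/ and DEFAULT.
import re
RULE_RE = re.compile(
    r"\s*(DEFAULT|RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?)")

def java_regex_to_python(expr):
    """Expand Java's \\Q...\\E literal quoting, which Python's re lacks."""
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), expr)

def parse_rules(text):
    rules, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = RULE_RE.match(text, pos)
        if not m:
            raise ValueError("unparseable auth_to_local text at offset %d" % pos)
        rules.append(m.groups())
        pos = m.end()
    return rules

def short_name(principal, rules, local_realm):
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    for rule, n, fmt, regex, pat, repl, g in parse_rules(rules):
        if rule == "DEFAULT":              # DEFAULT trusts only the local realm
            if realm == local_realm:
                return components[0]
            continue
        if int(n) != len(components):      # [2:...] wants service/instance@REALM
            continue
        params = [realm] + components      # $0 = realm, $1, $2 = components
        candidate = re.sub(r"\$(\d+)", lambda m: params[int(m.group(1))], fmt)
        if regex and not re.fullmatch(java_regex_to_python(regex), candidate):
            continue                       # Hadoop uses matches(): whole string
        if pat is not None:                # sed step; this page's repl is empty
            candidate = re.sub(java_regex_to_python(pat), repl, candidate,
                               count=0 if g else 1)
        if "/" in candidate or "@" in candidate:
            raise ValueError("non-simple name %r after rule" % candidate)
        return candidate
    raise ValueError("no auth_to_local rule matched %s" % principal)

def try_short_name(principal, rules, local_realm):
    try:
        return short_name(principal, rules, local_realm)
    except ValueError:
        return None

# The HDP1 cluster's rule from this page, without the java.env shell escaping
HDP1_RULES = r"RULE:[2:$1@$0](.*@\QHDP2.COM\E$)s/@\QHDP2.COM\E$//DEFAULT"
```

Where it is available, Hadoop's own hadoop kerbname command performs the same mapping against the running configuration, which is the authoritative check after editing core-site.xml.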
- Manage and configure HBase cluster replication to complete the replication process.
  Note: HBase replication from a non-Kerberized cluster to a Kerberized cluster is currently not supported.