Security Reference
Also available as:
loading table of contents...

Configure Secure Client-Side Access for HBase

How to configure secure client-side access for HBase when setting up Kerberos for non-Ambari clusters.

HBase configured for secure client access is expected to be running on top of a secure HDFS cluster. HBase must be able to authenticate to HDFS services.
  1. Provide a Kerberos principal to the HBase client user using the instructions provided in ​“Creating Service Principals and Keytab Files for HDP”.
    Provide Kerberos principal to normal HBase clients.

    For normal HBase clients, Hortonworks recommends setting up a password to the principal.

    Set maxrenewlife.

    The client principal's maxrenewlife should be set high enough so that it allows enough time for the HBase client process to complete. Client principals are not renewed automatically.

    For example, if a user runs a long-running HBase client process that takes at most three days, we might create this user's principal within kadmin with the following command:

    addprinc -maxrenewlife 3days
    Provide Kerberos principal to long running HBase clients.

    Set-up a keytab file for the principal and copy the resulting keytab files to where the client daemon will execute.

    Ensure that you make this file readable only to the user account under which the daemon will run.

  2. On every HBase client, add the following properties to the $HBASE_CONF_DIR/hbase-site.xml file:

    The client environment must be logged in to Kerberos from KDC or keytab via the kinit command before communication with the HBase cluster is possible. Note that the client will not be able to communicate with the cluster if the property in the client- and server-side site files fails to match.