How to configure Phoenix Query Server when setting up Kerberos for non-Ambari clusters.
The HBase configuration provides most of the settings that
enable secure Kerberos environments for Phoenix. However, there are additional
configuration properties that complete the setup of Kerberos security for the Phoenix
Query Server.
The value of the hbase.security.authentication property in the $HBASE_CONF_DIR/hbase-site.xml file must be set to kerberos.
-
Provide the Kerberos principal and keytab for the Phoenix Query Server in the $HBASE_CONF_DIR/hbase-site.xml file.
<property>
<name>phoenix.queryserver.kerberos.principal</name>
<value>HTTP/_HOST@EXAMPLE.COM</value>
<description>The Kerberos principal name that should be used to run the Phoenix Query Server process.
The principal name should be in the form: user/hostname@DOMAIN. If "_HOST" is used as the hostname
portion, it will be replaced with the actual hostname of the running instance.
</description>
</property>
<property>
<name>phoenix.queryserver.kerberos.keytab</name>
<value>/etc/security/keytabs/spnego.service.keytab</value>
<description>Full path to the Kerberos keytab file to use for logging
in the configured Phoenix Query Server service principal.
</description>
</property>
-
Add the fully-qualified domain name for each host running the Phoenix Query Server to the list of hosts that can impersonate end users in the $HADOOP_CONF_DIR/core-site.xml file. Alternatively, insert an asterisk (*) instead of host names if you want to allow all hosts to impersonate end users.
<property>
<name>hadoop.proxyuser.HTTP.hosts</name>
<value>server1.domain.com,server2.domain.com</value>
<description>A comma-separated list of fully-qualified
domain names of hosts running services with the Hadoop
user "HTTP" that can impersonate end users.
Alternatively, insert an asterisk (*) instead of
listing host names if you want to allow all hosts to
impersonate end users.</description>
</property>
<property>
<name>hadoop.proxyuser.HTTP.groups</name>
<value>group1,group2</value>
<description>A comma-separated list of groups whose members
the user "HTTP" can impersonate.
Alternatively, insert an asterisk (*) instead of
listing group names if you want to allow members of all
groups to be impersonated.</description>
</property>
<property>
<name>hadoop.proxyuser.HTTP.users</name>
<value>user1,user2</value>
<description>A comma-separated list of users that
the user "HTTP" can impersonate.
Alternatively, insert an asterisk (*) instead of
listing user names if you want to allow all users to
be impersonated.</description>
</property>
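Before starting the Query Server it is worth verifying that both files actually carry the settings from the steps above. The script below is an added example, not part of the original page or of the Phoenix or HBase projects: it parses the Hadoop-style property XML used by hbase-site.xml and core-site.xml, checks the authentication type, principal and keytab, and confirms that the proxyuser entries in core-site.xml cover the Query Server hosts. It also reports where an asterisk has been used, since a wildcard in the hosts, users or groups lists lets any host or any identity go through the impersonation path. The sample XML embedded in it is constructed for the example, and the function names (parse_hadoop_xml, check_pqs_kerberos) are the example's own.

```python
"""Sanity checks for the Phoenix Query Server Kerberos settings.

Added example; the sample XML below is constructed and the functions are
the example's own, not an API of Phoenix or HBase.
"""
import xml.etree.ElementTree as ET


def parse_hadoop_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style XML file.

    A later property with the same name overrides an earlier one, which is
    how a duplicate entry in the file would behave when loaded.
    """
    root = ET.fromstring(text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def _split_list(value):
    """Split a comma-separated Hadoop list value into stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_pqs_kerberos(hbase_site, core_site, pqs_hosts):
    """Return a list of findings; an empty list means the settings look complete.

    hbase_site, core_site: dicts produced by parse_hadoop_xml
    pqs_hosts: FQDNs of the hosts that run the Phoenix Query Server
    """
    findings = []
    if hbase_site.get("hbase.security.authentication") != "kerberos":
        findings.append("hbase.security.authentication must be 'kerberos'")

    principal = hbase_site.get("phoenix.queryserver.kerberos.principal", "")
    # Expected form is user/hostname@DOMAIN, e.g. HTTP/_HOST@EXAMPLE.COM
    if "/" not in principal or "@" not in principal:
        findings.append("phoenix.queryserver.kerberos.principal is missing or "
                        "not of the form user/hostname@DOMAIN")

    keytab = hbase_site.get("phoenix.queryserver.kerberos.keytab", "")
    if not keytab.startswith("/"):
        findings.append("phoenix.queryserver.kerberos.keytab must be an absolute path")

    # The proxy user is the short name of the service principal (HTTP for HTTP/_HOST@...).
    proxy_user = principal.split("/", 1)[0] if principal else "HTTP"
    hosts_key = "hadoop.proxyuser.%s.hosts" % proxy_user
    hosts = _split_list(core_site.get(hosts_key, ""))
    if "*" in hosts:
        findings.append("%s is '*': every host may impersonate end users" % hosts_key)
    else:
        for host in pqs_hosts:
            if host not in hosts:
                findings.append("%s does not list %s" % (hosts_key, host))

    users_key = "hadoop.proxyuser.%s.users" % proxy_user
    groups_key = "hadoop.proxyuser.%s.groups" % proxy_user
    users = _split_list(core_site.get(users_key, ""))
    groups = _split_list(core_site.get(groups_key, ""))
    # Hadoop allows impersonation of a user listed directly or belonging to a listed group.
    if not users and not groups:
        findings.append("neither %s nor %s is set; no end user can be impersonated"
                        % (users_key, groups_key))
    if "*" in users or "*" in groups:
        findings.append("%s or %s contains '*': any user may be impersonated"
                        % (users_key, groups_key))
    return findings


# Constructed sample files mirroring the settings described above.
HBASE_SITE_SAMPLE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>phoenix.queryserver.kerberos.principal</name><value>HTTP/_HOST@EXAMPLE.COM</value></property>
  <property><name>phoenix.queryserver.kerberos.keytab</name><value>/etc/security/keytabs/spnego.service.keytab</value></property>
</configuration>"""

CORE_SITE_SAMPLE = """<configuration>
  <property><name>hadoop.proxyuser.HTTP.hosts</name><value>server1.domain.com,server2.domain.com</value></property>
  <property><name>hadoop.proxyuser.HTTP.groups</name><value>group1,group2</value></property>
  <property><name>hadoop.proxyuser.HTTP.users</name><value>user1,user2</value></property>
</configuration>"""


if __name__ == "__main__":
    hb = parse_hadoop_xml(HBASE_SITE_SAMPLE)
    cs = parse_hadoop_xml(CORE_SITE_SAMPLE)
    for line in check_pqs_kerberos(hb, cs, ["server1.domain.com", "server3.domain.com"]) or ["OK"]:
        print(line)
```

To run it against a real cluster, read $HBASE_CONF_DIR/hbase-site.xml and $HADOOP_CONF_DIR/core-site.xml into the two parse calls and pass the actual Query Server FQDNs; any finding about an asterisk is a prompt to narrow the list rather than a hard error, because the page allows the wildcard as a deliberate choice.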