Security Reference

Create JAAS configuration files

How to create JAAS configuration files when setting up Kerberos for non-Ambari clusters.

  1. Create the following JAAS configuration files on the HBase Master, RegionServer, and HBase client host machines.
    These files must be created under the $HBASE_CONF_DIR directory, where $HBASE_CONF_DIR is the directory to store the HBase configuration files. For example, /etc/hbase/conf.
    1. On each machine running an HBase server, create the hbase-server.jaas file under the /etc/hbase/conf directory. HBase servers include the HMaster and RegionServer. In this file, add the following content:
      Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      useTicketCache=false
      keyTab="/etc/security/keytabs/hbase.service.keytab"
      principal="hbase/$fully.qualified.domain.name";
      };
    2. On HBase client machines, create the hbase-client.jaas file under the /etc/hbase/conf directory and add the following content:
      Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=false
      useTicketCache=true;
      };
  2. Create the following JAAS configuration files on the ZooKeeper Server and client host machines.
    These files must be created under the $ZOOKEEPER_CONF_DIR directory, where $ZOOKEEPER_CONF_DIR is the directory to store the ZooKeeper configuration files. For example, /etc/zookeeper/conf:
    1. On ZooKeeper server host machines, create the zookeeper-server.jaas file under the /etc/zookeeper/conf directory and add the following content:
      Server {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      useTicketCache=false
      keyTab="/etc/security/keytabs/zookeeper.service.keytab"
      principal="zookeeper/$ZooKeeper.Server.hostname";
      };
    2. On ZooKeeper client host machines, create the zookeeper-client.jaas file under the /etc/zookeeper/conf directory and add the following content:
      Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=false
      useTicketCache=true;
      };
  3. Edit the hbase-env.sh file on your HBase server to add the following information, where $HBASE_CONF_DIR is the HBase configuration directory (for example, /etc/hbase/conf):
    export HBASE_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase-client.jaas"
    export HBASE_MASTER_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase-server.jaas"
    export HBASE_REGIONSERVER_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase-server.jaas"
  4. Edit the zoo.cfg file on your ZooKeeper server to add the following information:
    authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    jaasLoginRenew=3600000
    kerberos.removeHostFromPrincipal=true
    kerberos.removeRealmFromPrincipal=true
  5. Edit the zookeeper-env.sh file on your ZooKeeper server to add the following information, where $ZOOKEEPER_CONF_DIR is the ZooKeeper configuration directory (for example, /etc/zookeeper/conf):
    export SERVER_JVMFLAGS="-Djava.security.auth.login.config=$ZOOKEEPER_CONF_DIR/zookeeper-server.jaas"
    export CLIENT_JVMFLAGS="-Djava.security.auth.login.config=$ZOOKEEPER_CONF_DIR/zookeeper-client.jaas"
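
The following is an added example, not part of the original page or of any HDP tooling: a small Python linter for the JAAS files created in steps 1 and 2. The function names are hypothetical, and two of its checks are assumptions of this example rather than requirements stated above: that the `$...` placeholder in `principal` must be replaced with a real host name, and that a keytab should not be accessible to group or other.

```python
import os
import re
import stat

# One JAAS entry:  Name { module.Class flag opt=val ... ; };
ENTRY_RE = re.compile(r'(\w+)\s*\{\s*(\S+)\s+(\w+)\s*(.*?);\s*\}\s*;', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')

# The page's hbase-server.jaas template, unedited (placeholder still in principal).
SAMPLE = """Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
useTicketCache=false
keyTab="/etc/security/keytabs/hbase.service.keytab"
principal="hbase/$fully.qualified.domain.name";
};"""

def parse_jaas(text):
    """Return {entry_name: {option: value}} for every login entry in text."""
    entries = {}
    for name, _module, _flag, body in ENTRY_RE.findall(text):
        entries[name] = {k: quoted or bare for k, quoted, bare in OPTION_RE.findall(body)}
    return entries

def check_jaas(text, expected_entry):
    """Return a list of problems found in one JAAS file (empty list = clean)."""
    entries = parse_jaas(text)
    if expected_entry not in entries:
        return [f"no well-formed '{expected_entry}' entry (check braces and ';')"]
    opts = entries[expected_entry]
    problems = []
    if opts.get("useKeyTab") == "true":  # service login, as in the *-server.jaas files
        keytab, principal = opts.get("keyTab"), opts.get("principal", "")
        if opts.get("useTicketCache", "false") != "false":
            problems.append("service login should set useTicketCache=false")
        if not principal or "$" in principal:  # assumption: '$' marks an unreplaced placeholder
            problems.append(f"principal missing or placeholder not replaced: {principal!r}")
        if not keytab or not os.path.isfile(keytab):
            problems.append(f"keytab not found: {keytab!r}")
        elif stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:  # added check: owner-only access
            problems.append(f"keytab accessible by group/other: {keytab}")
    elif opts.get("useTicketCache") != "true":  # client login, as in the *-client.jaas files
        problems.append("neither keytab nor ticket cache enabled")
    return problems

if __name__ == "__main__":
    print("\n".join(check_jaas(SAMPLE, "Client")))
```

Pass `"Server"` as `expected_entry` for zookeeper-server.jaas and `"Client"` for the other three files.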