Create JAAS configuration files
How to create JAAS configuration files when setting up Kerberos for non-Ambari clusters.
- Create the following JAAS configuration files on the HBase Master, RegionServer, and HBase client host machines.
These files must be created under the $HBASE_CONF_DIR directory, where $HBASE_CONF_DIR is the directory to store the HBase configuration files. For example, /etc/hbase/conf.
- On each machine running an HBase server, create the hbase-server.jaas file under the /etc/hbase/conf directory. HBase servers include the HMaster and RegionServer. In this file, add the following content:
    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      useTicketCache=false
      keyTab="/etc/security/keytabs/hbase.service.keytab"
      principal="hbase/$fully.qualified.domain.name";
    };
- On HBase client machines, create the hbase-client.jaas file under the /etc/hbase/conf directory and add the following content:
    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=false
      useTicketCache=true;
    };
- Create the following JAAS configuration files on the ZooKeeper Server and client host machines.
These files must be created under the $ZOOKEEPER_CONF_DIR directory, where $ZOOKEEPER_CONF_DIR is the directory to store the ZooKeeper configuration files. For example, /etc/zookeeper/conf:
- On ZooKeeper server host machines, create the zookeeper-server.jaas file under the /etc/zookeeper/conf directory and add the following content:
    Server {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      useTicketCache=false
      keyTab="/etc/security/keytabs/zookeeper.service.keytab"
      principal="zookeeper/$ZooKeeper.Server.hostname";
    };
- On ZooKeeper client host machines, create the zookeeper-client.jaas file under the /etc/zookeeper/conf directory and add the following content:
    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=false
      useTicketCache=true;
    };
- Edit the hbase-env.sh file on your HBase server to add the following information, where HBASE_CONF_DIR is the HBase configuration directory (for example, /etc/hbase/conf):
    export HBASE_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase-client.jaas"
    export HBASE_MASTER_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase-server.jaas"
    export HBASE_REGIONSERVER_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase-server.jaas"
- Edit the zoo.cfg file on your ZooKeeper server to add the following information:
    authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    jaasLoginRenew=3600000
    kerberos.removeHostFromPrincipal=true
    kerberos.removeRealmFromPrincipal=true
- Edit the zookeeper-env.sh file on your ZooKeeper server to add the following information, where $ZOOKEEPER_CONF_DIR is the ZooKeeper configuration directory (for example, /etc/zookeeper/conf):
    export SERVER_JVMFLAGS="-Djava.security.auth.login.config=$ZOOKEEPER_CONF_DIR/zookeeper-server.jaas"
    export CLIENT_JVMFLAGS="-Djava.security.auth.login.config=$ZOOKEEPER_CONF_DIR/zookeeper-client.jaas"
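
An added example, not part of the original procedure or of HBase or ZooKeeper: a shell check for a server-side JAAS file that confirms the keytab it names exists, is readable by its owner only, and that the principal no longer contains a template placeholder such as $fully.qualified.domain.name. The function names, the owner-only permission policy and the sample files it can generate are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit a server-side JAAS file.

# jaas_value FILE KEY: print the first value of KEY=... with quotes stripped.
jaas_value() {
  grep -oE "(^|[[:space:]])$2=\"?[^\";[:space:]]+" "$1" | head -n 1 |
    sed -e 's/^[^=]*=//' -e 's/^"//'
}

# check_jaas FILE: return 0 if the keytab login looks sane, 1 otherwise.
check_jaas() {
  local file="$1" rc=0 keytab principal perm
  [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }
  if [ "$(jaas_value "$file" useKeyTab)" != "true" ]; then
    echo "OK: $file logs in from the ticket cache, no keytab to check"
    return 0
  fi
  keytab=$(jaas_value "$file" keyTab)
  principal=$(jaas_value "$file" principal)
  # Assumption: a literal "$" means a template placeholder such as
  # $fully.qualified.domain.name was never replaced with the real host name.
  case $principal in
    '' | *'$'*) echo "FAIL: principal '$principal' is empty or a placeholder"; rc=1 ;;
  esac
  if [ ! -f "$keytab" ]; then
    echo "FAIL: keytab '$keytab' does not exist"
    return 1
  fi
  # Characters 5-10 of the ls mode string are the group and other bits.
  # Policy assumed here: a service keytab is readable by its owner only.
  perm=$(ls -ld "$keytab" | cut -c5-10)
  if [ "$perm" != "------" ]; then
    echo "FAIL: $keytab grants group/other access ($perm)"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $file -> $principal via $keytab"
  return "$rc"
}

# write_sample DIR PRINCIPAL MODE: build a constructed JAAS file and a dummy
# keytab (an empty file, not a real key) so the check can run without a KDC.
write_sample() {
  rm -f "$1/test.keytab"
  : > "$1/test.keytab" && chmod "$3" "$1/test.keytab"
  printf 'Client {\n  com.sun.security.auth.module.Krb5LoginModule required\n  useKeyTab=true\n  storeKey=true\n  useTicketCache=false\n  keyTab="%s"\n  principal="%s";\n};\n' "$1/test.keytab" "$2" > "$1/server.jaas"
}

# Audit a real file when its path is given as the first argument.
if [ -n "${1:-}" ]; then check_jaas "$1"; fi
```

Passing a JAAS file path as the first argument audits that file; running `klist -kt` on the keytab then confirms the principal is actually stored in it.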