Configuring Authentication with Kerberos
Also available as:
PDF
loading table of contents...

Set up client account

Follow these steps to provision a kerberos account for the client and grant permissions to that account in HBase, so that you can create, read and write tables.

  1. Log in to KDC.
  2. Switch to root directory.
  3. Run kadmin.local:
    
    $ sudo kadmin.local
    kadmin.local: addprinc myself
    WARNING: no policy specified for myself@EXAMPLE.COM; defaulting to no policy
    Enter password for principal "myself@EXAMPLE.COM":
    Re-enter password for principal "myself@EXAMPLE.COM":
    Principal "myself@EXAMPLE.COM" created.
    kadmin.local:  xst -k /etc/security/keytabs/myself.keytab -norandkey myself
    Entry for principal myself with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab
    WRFILE:/etc/security/keytabs/myself.keytab.
    Entry for principal myself with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab
    WRFILE:/etc/security/keytabs/myself.keytab.
    
  4. Copy the keytab file to the conf directory.
  5. Grant permissions in HBase. For more information, See ​Configure HBase for Access Control Lists (ACL).
    klist -k /etc/security/keytabs/hbase.headless.keytab
    
     
    Optional step: You should secure the keytab file so that only the HBase process has access to the keytab. This can be accomplished by running a command.
    $>sudo chmod 700 /etc/security/keytabs/hbase.headless.keytab
     
    
    $ kinit -kt /etc/security/keytabs/hbase.headless.keytab hbase
    $ hbase shell
    hbase(main):001:0> status
    1 active master, 0 backup masters, 4 servers, 1 dead, 1.2500 average load
  6. Authorize admin permissions to the user. You can also customize this to restrict this account for minimal access. For more information see, https://hbase.apache.org/0.94/book/hbase.accesscontrol.configuration.html#d1984e4744
hbase(main):001:0> grant 'myself', 'C'