Configuring custom Kerberos principal for HBase
The Kerberos principal for HBase is configured by default to use the same service principal as the default process user. However, you can change the default setting by providing a custom Kerberos principal in Cloudera Manager.
After changing the Kerberos Principal to the required value in Cloudera Manager, you
have to change the owner of the HBase folders in HDFS to the new custom Kerberos
principal name. Then, the ACLs for the ZNodes that are managed by HBase have to be
changed in ZooKeeper.
Perform the steps given below to configure a custom Kerberos principal for HBase.
-
Stop the HBase service and set the custom Kerberos principal in Cloudera
Manager:
- Log in to Cloudera Manager as an Administrator.
- In Cloudera Manager, click Clusters > HBase.
- Click Actions > Stop to stop the Hbase service.
- Go to the Configuration tab.
- Search for the Kerberos Principal by entering "kerberos" in the search field.
- For Kerberos Principal, enter the required custom principal value.
- Click Save Changes.
-
Change the owner of the HBase HDFS directories:
To change the owner of the HBase folders in HDFS to the new custom Kerberos principal name, use the chown command as an HDFS superuser.
hdfs dfs -chown -R newhbaseprincipal:newhbaseprincipal /hbase
If Ranger is used, use the chown command as an HDFS superuser to change the owner of the Ranger HBase log directory in HDFS.hdfs dfs -chown -R newhbaseprincipal:newhbaseprincipal /ranger/audit/hbase
-
Change the HBase principals configured in Ranger.
If Ranger is used, log in to the Ranger web UI and perform the following steps:
- In the Service Manager page, click the Edit icon of the HBase service to open the Edit Service page, and replace the original principal with the custom principal in all the fields in which the original principal is used.
- In the Service Manager page, under HBASE, click the cm_hbase link to navigate to the configuration page for cm_hbase policies, and replace the original HBase principal in each policy with the custom principal.
-
Change the ACLs in ZooKeeper for the /hbase node.
To change the ACLs in ZooKeeper, use either one of the following two options:Option 1 - Changing the ACLs:
- Log in to the ZooKeeper CLI as the old HBase Kerberos principal that is currently owning the HBase ZNodes. See Configure ZooKeeper client shell for Kerberos authentication for information on configuring authentication for zkClient.sh.
-
The ZNodes that are managed by HBase are under the
/hbase ZNode. For each ZNode (including the
root ZNode, for example, "/hbase"), list the ACLs by using the
getAcl command and then change the
ACLs by using the setAcl command to use the
new principal.
Configuration example of ZNodes that can be accessed only by HBase:
getAcl /hbase/tokenauth/keys 'sasl,'hbase : cdrwa setAcl /hbase/tokenauth/keys sasl:newhbaseprincipal:cdrwa
Configuration example of ZNodes that can be read by any user but can be changed only by HBase:getAcl /hbase 'sasl,'hbase : cdrwa 'world,'anyone : r setAcl /hbase sasl:newhbaseprincipal:cdrwa,world:anyone:r
Option 2 - Deleting and recreating all HBase ZNodes:- Stop the HBase service.
- Log in to the ZooKeeper CLI as a super user or as the old HBase Kerberos principal that is currently owning the HBase ZNodes.
- Delete all HBase ZNodes, including the root ZNode for HBase (/hbase, by default) by using the deleteall /hbase command.
-
Restart the HBase service, and any stale services.
After performing the steps given above, click Actions > Start to restart the HBase service from Cloudera Manager, restart any stale services, and redeploy any stale configurations.