Managing Apache HBase SecurityPDF version

Disabling Kerberos authentication for HBase clients

Client applications that run on legacy products and do not have Kerberos enabled, fail to connect to Cloudera Operational Database instances that have Kerberos enabled. You can disable Kerberos authentication in your Cloudera Operational Database instances so that HBase or Phoenix clients can connect seamlessly.

You can also disable the Kerberos authentication using Cloudera Operational Database CLI while creating an operational database.

You can use the --disable-kerberos option while running the create-database command to disable the Kerberos authentication.

cdp opdb create-database --environment-name ENVIRONMENT_NAME --database-name DATABASE_NAME --disable-kerberos

For example,
cdp opdb create-database --environment-name cdp_7215 --database-name cod1 --disable-kerberos
  1. In Cloudera Manager, go to the HBase service.
  2. In the Configuration tab, set hbase.security.authentication=simple under HBase Secure Authentication and hbase.thrift.security.qop=none under HBase Thrift Authentication.
    Figure 1. HBase security authentication


    Figure 2. HBase thrift authentication


  3. In the Ranger web UI, add the phoenix user. This resolves the impersonation issue.
    1. On the Data lake page, select the Ranger service.
    2. On the Ranger Service Manager web UI, find and select the HBase policy for your Cloudera Operational Database instance.
      Figure 3. Ranger service manager


    3. Click on the edit button in the Action column to edit the all - table, column-family, column policy.
      Figure 4. Ranger service manager policy


    4. In the Ranger service manager edit policy page, add the phoenix user and save the modified policy.
      Figure 5. Add phoenix user


Kerberos authentication is disabled in your Cloudera Operational Database instance and legacy HBase or Phoenix clients without having Kerberos enabled, can connect to your Cloudera Operational Database instance.