This is the documentation for CDH 5.1.x. Documentation for other versions is available at Cloudera Documentation.

HBase Security Configuration

There are two major parts in the process of configuring HBase security:

  1. Configure HBase Authentication: You must establish a mechanism for HBase servers and clients to securely identify themselves with HDFS, ZooKeeper, and each other (called authentication). This ensures that, for example, a host claiming to be an HBase Region Server or a particular HBase client are in fact who they claim to be.
  2. Configure HBase Authorization: You must establish rules for the resources that clients are allowed to access (called authorization).

For more background information, see this blog post.

The following sections describe how to use Apache HBase and CDH 5 with Kerberos security on your Hadoop cluster:

To enable HBase to work with Kerberos security on your Hadoop cluster, make sure you perform the installation and configuration steps in Configuring Hadoop Security in CDH 5 and ZooKeeper Security Configuration.


These instructions have been tested with CDH and MIT Kerberos 5 only.


Although an HBase Thrift server can connect to a secured Hadoop cluster, access is not secured from clients to the HBase Thrift server.

Page generated September 3, 2015.