Configuring Lily HBase Indexer Security

Beginning with CDH 5.4 the Lily HBase Indexer includes an HTTP interface for the list-indexers, create-indexer, update-indexer, and delete-indexer commands. This interface can be secured with Kerberos for authentication and Apache Sentry for authorization.

Configuring Lily HBase Indexer Service to Use Kerberos Authentication

To configure the Lily HBase Indexer to use Kerberos authentication, you must create principals and keytabs and then modify certain configuration properties. If you are using Cloudera Manager to manage your cluster, much of this is handled automatically. For unmanaged environments, you must generate the Kerberos principals and keytabs manually.

For an overview of Kerberos concepts (including principals and keytabs), see Kerberos Security Artifacts Overview.

To enable Kerberos authentication for the Lily HBase Indexer service:

  1. Go to Key-Value Store Indexer service > Configuration > Category > Security.
  2. Select the kerberos option for HBase Indexer Secure Authentication.
  3. Click Save Changes.
  4. Go to Administration > Security > Kerberos Credentials.
  5. Click Generate Missing Credentials.
  6. Restart the indexer service (Key-Value Store Indexer service > Actions > Restart).

Configuring the Lily HBase Indexer Service to Use the Sentry Service

The Lily HBase Indexer service uses Apache Sentry for authorization. To use Sentry for authorization, you must use the indexer HTTP interface.

If you are using policy files for Sentry, and want to switch to the Sentry service, see Migrating HBase Indexer Sentry Policy Files to the Sentry Service.

To configure the Lily HBase Indexer to use the Sentry Service:

  1. Go to Key-Value Store Indexer service > Configuration > Category > Policy File Based Sentry.
  2. Make sure that the box labeled Enable Sentry Authorization using Policy Files is unchecked.
  3. Click the Main category in the left pane.
  4. Select the Sentry Service for the cluster (SENTRY-1 by default).
  5. Click Save Changes.
  6. Restart stale services (Key-Value Store Indexer service > Actions > Restart).

Configuring the Lily HBase Indexer Service to Use Sentry Policy Files

The Lily HBase Indexer service uses Apache Sentry for authorization. To use Sentry for authorization, you must use the indexer HTTP interface.

Before CDH 5.14.0, Lily HBase Indexer supported only Sentry policy files. In CDH 5.14.0 and higher, it supports the Sentry service, and includes a command line utility (hbase-indexer-sentry) for configuring Sentry. Cloudera recommends using the Sentry Service. To migrate your policy files to the Sentry Service, see Migrating HBase Indexer Sentry Policy Files to the Sentry Service.

To configure Sentry policy files for the Lily HBase Indexer:

  1. Go to Key-Value Store Indexer service > Configuration > Category > Policy File Based Sentry.
  2. Check the box labeled Enable Sentry Authorization using Policy Files.
  3. If necessary, edit Sentry Global Policy File to change the HDFS location of the sentry-provider.ini file.
  4. Click Save Changes.
  5. Restart the service (Key-Value Store Indexer service > Actions > Restart).
  6. Upload the sentry-provider.ini file to the specified location in HDFS. For example:
    • Security Enabled:
      kinit hdfs@EXAMPLE.COM
      hdfs dfs -mkdir -p /user/hbaseindexer/sentry/
      hdfs dfs -put /path/to/local/sentry-provider.ini /user/hbaseindexer/sentry/
      hdfs dfs -chown -R hbase:hbase /user/hbaseindexer
    • Security Disabled:
      sudo -u hdfs hdfs dfs -mkdir -p /user/hbaseindexer/sentry/
      sudo -u hdfs hdfs dfs -put /path/to/local/sentry-provider.ini /user/hbaseindexer/sentry/
      sudo -u hdfs hdfs dfs -chown -R hbase:hbase /user/hbaseindexer

Managing Sentry Permissions for the Lily HBase Indexer

The Lily HBase Indexer privilege model specifies READ and WRITE privileges for each indexer. The privileges work as follows:

  • If a role has WRITE privilege for indexer1, that role can create, update, or delete an indexer named indexer1, using the hbase-indexer command.
  • READ privileges control what a user can see when running the hbase-indexer list-indexers command. If a role has READ privileges for indexer1, the command output lists indexer1 if it exists. If an indexer named indexer2 exists, but the role does not have READ privileges for it, that indexer is omitted from the response.

For example, consider the following privileges defined in a policy file:

[groups]
jdoe = admin
psherman = readonly

[roles]
admin = indexer=*
readonly = indexer=*->action=READ

This policy file grants the jdoe user full access to all indexers, and the psherman user read access to all indexers. User psherman can see all indexers, but cannot create new ones or modify existing ones.
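The privilege semantics described above (READ and WRITE per indexer, the indexer=* wildcard, and list-indexers hiding indexers the caller cannot READ) modelled as an added example; this is not Sentry's or the indexer's own code. It assumes the caller's group list is supplied externally (in Sentry it comes from Hadoop group mapping), and the sample policy is constructed, with an extra tester role limited to a single named indexer.

```python
import configparser
# Constructed sample policy in the sentry-provider.ini format shown above; the
# extra 'tester' role limits a group to one named indexer.
SAMPLE_POLICY = """
[groups]
jdoe = admin
psherman = readonly
testGroup = tester

[roles]
admin = indexer=*
readonly = indexer=*->action=READ
tester = indexer=lilytestindexer->action=*
"""

def parse_policy(text):
    """Return (group -> [roles], role -> [privilege strings])."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of group and role names
    cp.read_string(text)
    def split(v):
        return [x.strip() for x in v.split(",") if x.strip()]
    return ({g: split(r) for g, r in cp["groups"].items()},
            {r: split(p) for r, p in cp["roles"].items()})

def parse_privilege(priv):
    """Parse 'indexer=<name>[->action=<READ|WRITE|*>]'; no action means all."""
    parts = [p.strip() for p in priv.split("->")]
    key, _, indexer = parts[0].partition("=")
    if key.strip().lower() != "indexer" or not indexer.strip():
        raise ValueError("unsupported privilege: " + priv)
    action = "*"
    if len(parts) > 1:
        action = parts[1].partition("=")[2].strip().upper() or "*"
    return indexer.strip(), action

def allowed(policy, user_groups, action, indexer):
    """True if a role reachable from the user's groups grants action on indexer."""
    groups, roles = policy
    for group in user_groups:
        for role in groups.get(group, []):
            for priv in roles.get(role, []):
                pattern, granted = parse_privilege(priv)
                if pattern in ("*", indexer) and granted in ("*", action):
                    return True
    return False

def visible_indexers(policy, user_groups, existing):
    """Mimic list-indexers: only indexers the caller can READ are returned."""
    return [i for i in existing if allowed(policy, user_groups, "READ", i)]
```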

Before CDH 5.14.0, Lily HBase Indexer supported only Sentry policy files. In CDH 5.14.0 and higher, it supports the Sentry service, and includes a command line utility (hbase-indexer-sentry) for configuring Sentry. The command syntax is as follows:

/opt/cloudera/parcels/CDH/bin/hbase-indexer-sentry
Missing required option: [-lp List privilege, -rpr Revoke privilege from role, -lr List role, -arg Add role to group, -drg Delete role from group, -gpr Grant privilege to role, -mgr Migrate ini file to Sentry service, -dr Drop role, -cr Create role]
usage: sentryShell
 -arg,--add_role_group          Add role to group
 -c,--checkcompat               Check compatibility with Sentry Service
 -conf,--sentry_conf <arg>      sentry-site file path
 -cr,--create_role              Create role
 -dr,--drop_role                Drop role
 -drg,--delete_role_group       Delete role from group
 -f,--policy_ini <arg>          Policy file path
 -g,--groupname <arg>           Group name
 -gpr,--grant_privilege_role    Grant privilege to role
 -h,--help                      Shell usage
 -i,--import                    Import policy file
 -lp,--list_privilege           List privilege
 -lr,--list_role                List role
 -mgr,--migrate                 Migrate ini file to Sentry service
 -p,--privilege <arg>           Privilege string
 -r,--rolename <arg>            Role name
 -rpr,--revoke_privilege_role   Revoke privilege from role
 -s,--service <arg>             Name of the service being managed
 -t,--type <arg>                [hive|solr|sqoop|.....]
 -v,--validate                  Validate policy file

Granting Privileges to a Role

The following is an example of how to add privileges to the test role, which is part of the testGroup, for the lilytestindexer.
  1. Authenticate as Sentry admin.
  2. Create the test role:
    hbase-indexer-sentry -s "KS_INDEXER-1" -cr -r test

    If you have modified your service name from the default, replace KS_INDEXER-1 with your custom service name.

  3. Assign the role to the group testGroup:
    hbase-indexer-sentry -s "KS_INDEXER-1" -arg -r test -g testGroup
  4. Verify that the test role is part of the group testGroup:
    hbase-indexer-sentry -s "KS_INDEXER-1" -lr -g testGroup
  5. Grant privileges to the test role:
    hbase-indexer-sentry -s "KS_INDEXER-1" -gpr -r test -p "indexer=lilytestindexer->action=*"
  6. Revoke privileges from the test role:
    hbase-indexer-sentry -s "KS_INDEXER-1" -rpr -r test -p "indexer=lilytestindexer->action=*"

Migrating HBase Indexer Sentry Policy Files to the Sentry Service

If you are using CDH 5.14.0 or higher, and want to use the Sentry Service, you can migrate your policy files using the hbase-indexer-sentry utility:

  1. Make sure that you are running the Sentry Service in your cluster. If not, add the service, following the instructions in Adding a Service.
  2. Run the following command:
    /opt/cloudera/parcels/CDH/bin/hbase-indexer-sentry -s "KS_INDEXER-1" -mgr -i -v -f "hdfs://<namenode>:8020/path/to/sentry-provider.ini"

    If you have modified your service name from the default, replace KS_INDEXER-1 with your custom service name.

    This command validates and imports the specified policy file to the Sentry Service. For more information on the command usage and syntax, see Managing Sentry Permissions for the Lily HBase Indexer.

  3. Configure the Lily HBase Indexer service to use the Sentry service:
    1. Uncheck the box labeled Enable Sentry Authorization using Policy Files (Key-Value Store Indexer service > Configuration > Category > Policy File Based Sentry)
    2. Configure the Sentry Service (Key-Value Store Indexer service > Configuration > Category > Main > Sentry Service).
  4. Restart the Lily HBase Indexer service (Key-Value Store Indexer service > Actions > Restart).