Secure replication configuration is the same whether your clusters are all in the
same realm or not, with the exception of the last step.
The last step involves setting up custom secure replication configurations per peer.
This can be convenient when you need to replicate to a cluster that uses different
cross-realm authentication rules than the source cluster. For example, a cluster in
Realm A may be allowed to replicate to Realm B and Realm C, but Realm B may not be
allowed to replicate to Realm C. If you do not need this feature, skip the last
step.
To use this feature, service-level principals and keytabs (specific to HBase) must be
specified when you create the cluster peers using HBase Shell.
Set up Kerberos on your cluster.
If necessary, configure Kerberos cross-realm authentication:
At the command line, use the list_principals command to list the kdc, admin_server,
and default_domain for each realm.
Add this information to each cluster using Cloudera Manager:
In Cloudera Manager, select the HDFS service.
Click the Configuration tab.
Find the Trusted Kerberos Realms property.
Add the target and source.
Restart HDFS.
Configure ZooKeeper.
Configure the following HDFS parameters on both clusters:
<!-- In hdfs-site.xml or advanced configuration snippet -->
<property>
<name>dfs.encrypt.data.transfer</name>
<value>true</value>
</property>
<property>
<name>dfs.data.transfer.protection</name>
<value>privacy</value>
</property>
<!-- In core-site.xml or advanced configuration snippet -->
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hadoop.rpc.protection</name>
<value>privacy</value>
</property>
<property>
<name>hadoop.security.crypto.cipher.suite</name>
<value>AES/CTR/NoPadding</value>
</property>
<property>
<name>hadoop.ssl.enabled</name>
<value>true</value>
</property>
If you use Cloudera Manager to manage your cluster, do not set these
properties directly in configuration files, because Cloudera Manager will
overwrite or ignore these settings. You must set these properties in
Cloudera Manager.
For brevity, the Cloudera Manager setting names are not listed here, but you
can search by property name. For instance, in the HDFS service configuration
screen, search for dfs.encrypt.data.transfer. The Enable Data
Transfer Encryption setting is shown. Selecting the box is
equivalent to setting the value to true.
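The following added example, which is not part of the original page or any Cloudera tool, checks the hdfs-site.xml and core-site.xml text from each cluster against the values listed above and reports every property that is unset or differs. The function names and the SOURCE and TARGET sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Expected values, copied from the property listing on this page.
REQUIRED = {
    "hdfs-site.xml": {
        "dfs.encrypt.data.transfer": "true",
        "dfs.data.transfer.protection": "privacy",
    },
    "core-site.xml": {
        "hadoop.security.authorization": "true",
        "hadoop.rpc.protection": "privacy",
        "hadoop.security.crypto.cipher.suite": "AES/CTR/NoPadding",
        "hadoop.ssl.enabled": "true",
    },
}

def parse_site_xml(text):
    """Return {name: value} from a Hadoop *-site.xml document (later entries override)."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(cluster, files):
    """files: {file name: XML text}. Returns (cluster, file, key, found, expected) tuples."""
    findings = []
    for fname, required in REQUIRED.items():
        actual = parse_site_xml(files[fname]) if fname in files else {}
        for key, want in required.items():
            got = actual.get(key)  # None means the property is not set in this file
            if got != want:
                findings.append((cluster, fname, key, got, want))
    return findings

def site_xml(props):  # hypothetical helper: builds constructed sample input only
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample: the source matches the page, the target has drifted.
SOURCE = {fname: site_xml(props) for fname, props in REQUIRED.items()}
DRIFTED_CORE = {**REQUIRED["core-site.xml"], "hadoop.rpc.protection": "authentication"}
TARGET = {"hdfs-site.xml": site_xml({"dfs.encrypt.data.transfer": "true"}),
          "core-site.xml": site_xml(DRIFTED_CORE)}

if __name__ == "__main__":
    for finding in audit("source", SOURCE) + audit("target", TARGET):
        print("MISMATCH", *finding)
```

The comparison is an exact string match, so a value such as `TRUE` is reported for review rather than silently accepted.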
Configure the following HBase parameters on both clusters, using Cloudera
Manager or in hbase-site.xml if you do not use Cloudera
Manager.