Configuring secure HBase replication
To configure secure HBase replication, you must configure cross-realm support for Kerberos, ZooKeeper, and Hadoop.
There must be at least one common encryption mode between the two realms.
Create krbtgt principals for the two realms.
For example, if you have two realms called EXAMPLE.COM and COMPANY.TEST, you need to add the following principals:
krbtgt/EXAMPLE.COM@COMPANY.TEST
krbtgt/COMPANY.TEST@EXAMPLE.COM
Add the two principals at both realms.
kadmin: addprinc -e "<enc_type_list>" krbtgt/EXAMPLE.COM@COMPANY.TEST
kadmin: addprinc -e "<enc_type_list>" krbtgt/COMPANY.TEST@EXAMPLE.COM
Add rules creating short names in ZooKeeper:
Add a system level property in java.env, defined in the conf directory. The following example rule illustrates how to add support for the realm called EXAMPLE.COM and have two members in the principal (such as
This example adds support for the EXAMPLE.COM realm in a different realm. So, in the case of replication, you must add a rule for the primary cluster realm in the replica cluster realm. DEFAULT is for defining the default rule.
Add rules for creating short names in the Hadoop processes:
Add the hadoop.security.auth_to_local property in the core-site.xml file in the replica cluster. For example, to add support for the EXAMPLE.COM realm:
<property>
  <name>hadoop.security.auth_to_local</name>
  <value>
    RULE:[2:$1@$0](.*@\QEXAMPLE.COM\E$)s/@\QEXAMPLE.COM\E$//
    DEFAULT
  </value>
</property>
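What the rule above does to concrete principals, shown as an added example that is not part of the original documentation and is not Hadoop's own code: a simplified Python model of how auth_to_local rules are evaluated. It assumes the replica cluster's default realm is COMPANY.TEST, and the principals and host names are constructed.

```python
import re

# Rule text copied from the core-site.xml example on this page.
RULES = r"RULE:[2:$1@$0](.*@\QEXAMPLE.COM\E$)s/@\QEXAMPLE.COM\E$// DEFAULT"

# RULE:[<components>:<format>](<match regex>)s/<pattern>/<replacement>/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")


def java_quote(pattern):
    """Translate Java's \\Q...\\E literal quoting, which Python's re lacks."""
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern)


def short_name(principal, rules=RULES, default_realm="COMPANY.TEST"):
    """Return the short name the rules give a principal, or None if no rule
    applies (Hadoop rejects such a principal instead of mapping it)."""
    name, _, realm = principal.partition("@")
    parts = [realm] + name.split("/")          # $0 = realm, $1.. = components
    for rule in rules.split():
        if rule == "DEFAULT":
            # DEFAULT only maps principals from the local default realm.
            if realm == default_realm:
                return parts[1]
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unsupported rule: " + rule)
        count, fmt, match, pat, repl, all_flag = m.groups()
        if int(count) != len(parts) - 1:
            continue                           # wrong number of components
        base = re.sub(r"\$(\d)", lambda v: parts[int(v.group(1))], fmt)
        if match and not re.fullmatch(java_quote(match), base):
            continue                           # realm filter did not match
        if pat is not None:
            base = re.sub(java_quote(pat), repl, base,
                          count=0 if all_flag else 1)
        return base
    return None


if __name__ == "__main__":
    # Constructed sample principals; host names are made up.
    for p in ("hbase/rs1.example.com@EXAMPLE.COM",
              "hbase/rs1.company.test@COMPANY.TEST",
              "alice@EXAMPLE.COM",
              "hbase/rs1@EXAMPLEXCOM"):
        print(p, "->", short_name(p))
```

Single-component principals from EXAMPLE.COM and realms that merely resemble EXAMPLE.COM get no short name under this rule set. On a live cluster, `hadoop kerbname <principal>` reports the mapping Hadoop itself computes.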