You must establish a mechanism for HBase servers and clients to securely identify themselves with HDFS, ZooKeeper, and each other. This ensures that hosts are who they claim to be.
To enable HBase to work with Kerberos security, you must enable Kerberos Authentication for Cloudera Runtime and use Kerberos authentication for ZooKeeper. This means that HBase Master, RegionServer, and client hosts must each have a Kerberos principal for authenticating to the ZooKeeper ensemble.
Before you start configuring Kerberos authentication for HBase, ensure that:
- Kerberos is enabled for the cluster.
- Kerberos principals for Cloudera Manager Server, HBase and ZooKeeper hosts exist and are available for use.
Cloudera Manager automatically configures authentication between HBase and ZooKeeper and sets up the HBase Thrift gateway to support impersonation (doAs). However, you must manually configure the HBase REST service for Kerberos, because it uses Simple authentication by default instead of Kerberos. Although an HBase Thrift server can connect to a secured Hadoop cluster, access from clients to the HBase Thrift server is not secured. To encrypt communication between clients and the HBase Thrift Server, you must configure TLS/SSL for HBase Thrift Server.
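The two gaps described above (REST left on Simple authentication, Thrift traffic left unencrypted) can be checked against an effective `hbase-site.xml`. The following is an added example, not Cloudera's code: the property names are the upstream Apache HBase ones and do not appear on this page, and the sample file and the defaults assumed for absent properties are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample hbase-site.xml: core HBase auth is Kerberos, but the REST
# and Thrift TLS settings are absent, so their defaults apply.
SAMPLE_HBASE_SITE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.thrift.support.proxyuser</name><value>true</value></property>
  <property><name>hbase.regionserver.thrift.http</name><value>true</value></property>
</configuration>"""

# (property, required value, value assumed when the property is absent, finding)
CHECKS = [
    ("hbase.security.authentication", "kerberos", "simple",
     "HBase RPC does not require Kerberos"),
    ("hbase.rest.authentication.type", "kerberos", "simple",
     "REST server accepts Simple authentication"),
    ("hbase.thrift.ssl.enabled", "true", "false",
     "client-to-Thrift traffic is not encrypted"),
]
# A Kerberos-enabled REST server also needs its own principal and keytab.
REST_KERBEROS_DEPS = [
    "hbase.rest.authentication.kerberos.principal",
    "hbase.rest.authentication.kerberos.keytab",
]

def load_properties(xml_text):
    """Return {name: value} from a Hadoop-style configuration document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return a list of (property, effective value, finding) tuples."""
    props = load_properties(xml_text)
    findings = []
    for name, required, default, why in CHECKS:
        effective = props.get(name, default).lower()
        if effective != required:
            findings.append((name, effective, why))
    if props.get("hbase.rest.authentication.type", "").lower() == "kerberos":
        for dep in REST_KERBEROS_DEPS:
            if not props.get(dep):
                findings.append((dep, "", "REST Kerberos setting is missing"))
    return findings

if __name__ == "__main__":
    for name, value, why in audit(SAMPLE_HBASE_SITE):
        print(f"{name}={value or '<unset>'}: {why}")
```

Run it against the configuration file the REST and Thrift roles actually load, since a client-side copy may not carry the server settings.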