Cloudera Docs

Disabling Kerberos authentication for HBase clients

Client applications that run on legacy products and do not have Kerberos enabled, fail to connect to COD instances that have Kerberos enabled. You can disable Kerberos authentication in your COD instances so that HBase or Phoenix clients can connect seamlessly.

You can also disable the Kerberos authentication using COD CLI while creating an operational database.

You can use the --disable-kerberos option while running the create-database command to disable the Kerberos authentication.

cdp opdb create-database --environment-name ENVIRONMENT_NAME --database-name DATABASE_NAME --disable-kerberos

For example,
cdp opdb create-database --environment-name cdp_7215 --database-name cod1 --disable-kerberos
  1. In Cloudera Manager, go to the HBase service.
  2. In the Configuration tab, set hbase.security.authentication=simple under HBase Secure Authentication and hbase.thrift.security.qop=none under HBase Thrift Authentication.
    Figure 1. HBase security authentication


    Figure 2. HBase thrift authentication


  3. In the Ranger web UI, add the phoenix user. This resolves the impersonation issue.
    1. On the Data lake page, select the Ranger service.
    2. On the Ranger Service Manager web UI, find and select the HBase policy for your COD instance.
      Figure 3. Ranger service manager


    3. Click on the edit button in the Action column to edit the all - table, column-family, column policy.
      Figure 4. Ranger service manager policy


    4. In the Ranger service manager edit policy page, add the phoenix user and save the modified policy.
      Figure 5. Add phoenix user


Kerberos authentication is disabled in your COD instance and legacy HBase or Phoenix clients without having Kerberos enabled, can connect to your COD instance.