HBase supports Kerberos security only, and can run securely independently of the
security status of your MapR cluster.
Procedure
To configure HBase to use Kerberos, perform the following steps:
- Install the mapr-hbase-master and mapr-hbase-regionserver packages on the cluster.
- On all HBase nodes, perform the following steps:
  - Install the krb5 packages and configure the Kerberos client as per the configuration for your environment.
  - Set up the HBase Kerberos principal mapr/<fqdn>@<realm>. Each node requires a unique keytab file and Kerberos identity.
  - Create an hbase.keytab file with the HBase Kerberos principal with the same process used to generate the CLDB keytab.
  - Copy the hbase.keytab file to the /opt/mapr/conf directory.
  - Use the chown command to change the keytab file's ownership to mapr:mapr.
  - Use the chmod command to set the file's permissions to 600.
  - Update the hbase-site.xml file by adding the following section:
<property>
<name>hbase.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hbase.rpc.engine</name>
<value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
<property>
<name>hbase.regionserver.kerberos.principal</name>
<value>mapr/_HOST@<KERBEROS_REALM></value>
</property>
<property>
<name>hbase.master.kerberos.principal</name>
<value>mapr/_HOST@<KERBEROS_REALM></value>
</property>
  - On a MapR cluster with security features enabled, replace the ${SIMPLE_LOGIN_OPTS} value of the MAPR_HBASE_SERVER_OPTS property with ${KERBEROS_LOGIN_OPTS} and the value of the MAPR_HBASE_CLIENT_OPTS property with ${HYBRID_LOGIN_OPTS}. Also remove the -Dzookeeper.sasl.client=false option from the definition of MAPR_HBASE_CLIENT_OPTS. These properties are located in the /opt/mapr/conf/env.sh file.
  - On a MapR cluster with security features disabled, replace the ${SIMPLE_LOGIN_OPTS} value of the MAPR_HBASE_SERVER_OPTS and MAPR_HBASE_CLIENT_OPTS properties in the /opt/mapr/conf/env.sh file with ${KERBEROS_LOGIN_OPTS}.
- On all HBase regionserver nodes, update the hbase-site.xml file by adding the following section:
<property>
<name>hbase.regionserver.keytab.file</name>
<value>/opt/mapr/conf/hbase.keytab</value>
</property>
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
- On the HBase master node, update the hbase-site.xml file by adding the following section:
<property>
<name>hbase.master.keytab.file</name>
<value>/opt/mapr/conf/hbase.keytab</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
- Restart the HBase master and regionserver nodes.
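
The following check is an added example, not part of the original MapR documentation: it reads a node's hbase-site.xml and reports every property that departs from the values in the procedure above, and confirms the keytab's mode is 600. The function names and the role argument are assumptions made for this example; keytab ownership (mapr:mapr) is not checked.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

COMMON = {  # expected values are the ones listed in the procedure above
    "hbase.security.authentication": "kerberos",
    "hbase.security.authorization": "true",
    "hbase.rpc.engine": "org.apache.hadoop.hbase.ipc.SecureRpcEngine",
}
ACCESS = "org.apache.hadoop.hbase.security.access.AccessController"
TOKEN = "org.apache.hadoop.hbase.security.token.TokenProvider"
ROLE = {  # node role -> (coprocessor property, classes it must list)
    "regionserver": ("hbase.coprocessor.region.classes", {TOKEN, ACCESS}),
    "master": ("hbase.coprocessor.master.classes", {ACCESS}),
}
KEYTAB = "/opt/mapr/conf/hbase.keytab"

def load_props(xml_text):
    """Parse hbase-site.xml text into {name: value}, trimming whitespace."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def check_site(xml_text, role):
    """Return findings for one node's hbase-site.xml; an empty list means it matches."""
    props, findings = load_props(xml_text), []
    for name, want in COMMON.items():
        if props.get(name) != want:
            findings.append(f"{name}: expected {want!r}, found {props.get(name)!r}")
    for svc in ("regionserver", "master"):
        head, _, realm = props.get(f"hbase.{svc}.kerberos.principal", "").partition("@")
        if head != "mapr/_HOST" or not realm:
            findings.append(f"hbase.{svc}.kerberos.principal: expected mapr/_HOST@<realm>")
    coproc, needed = ROLE[role]
    loaded = {c.strip() for c in props.get(coproc, "").split(",")}
    findings += [f"{coproc}: missing {cls}" for cls in sorted(needed - loaded)]
    if props.get(f"hbase.{role}.keytab.file") != KEYTAB:
        findings.append(f"hbase.{role}.keytab.file: expected {KEYTAB}")
    return findings

def check_keytab_mode(path):
    """Return a finding unless the keytab's permission bits are exactly 600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [] if mode == 0o600 else [f"{path}: mode {mode:o}, expected 600"]

if __name__ == "__main__":  # usage: <regionserver|master> <path to hbase-site.xml>
    with open(sys.argv[2]) as fh:
        problems = check_site(fh.read(), sys.argv[1]) + check_keytab_mode(KEYTAB)
    sys.exit("\n".join(problems) or 0)
```

Run it on each node with that node's role; a non-empty result before the restart step means the node would come up with a different security configuration than the procedure intends.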