Configure Kerberos Authentication for the HBase Thrift 1 Gateway
About this task
Procedure
- Add the following to the hbase-site.xml file for every Thrift gateway:

    <property>
      <name>hbase.thrift.keytab.file</name>
      <value>/etc/hbase/conf/hbase.keytab</value>
    </property>
    <property>
      <name>hbase.thrift.kerberos.principal</name>
      <value>$USER/_HOST@HADOOP.LOCALDOMAIN</value>
      <!-- TODO: This may need to be HTTP/_HOST@<REALM> and _HOST may not work. You may have to put the concrete full hostname. -->
    </property>
    <!-- Add these if you need to configure a different DNS interface from the default -->
    <property>
      <name>hbase.thrift.dns.interface</name>
      <value>default</value>
    </property>
    <property>
      <name>hbase.thrift.dns.nameserver</name>
      <value>default</value>
    </property>

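Substitute the appropriate credential and keytab for $USER and $KEYTAB respectively. In the snippet above, the keytab location appears as the literal path /etc/hbase/conf/hbase.keytab rather than as $KEYTAB.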
- In order to use the Thrift API principal to interact with HBase, it is also necessary to add the hbase.thrift.kerberos.principal to the acl table. For example, to give the Thrift API principal, thrift_server, administrative access, a command such as this one will suffice:

    grant 'thrift_server', 'RWCA'

Results
The Thrift gateway will authenticate with HBase using the supplied credential. No authentication will be performed by the Thrift gateway itself. All client access via the Thrift gateway will use the Thrift gateway’s credential and have its privilege.
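
A configuration check for step 1 of the procedure, added here as an example (it is not part of the original documentation or of HBase): it parses hbase-site.xml text and reports a missing or unsubstituted keytab or principal value, a principal that is not in service/host@REALM form, and, optionally, a keytab file that is missing or readable by group or other. The function names, the sample XML and the owner-only keytab policy are assumptions of this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

KEYTAB_KEY = "hbase.thrift.keytab.file"
PRINCIPAL_KEY = "hbase.thrift.kerberos.principal"

# Constructed sample: the page's snippet with $USER left unsubstituted.
SAMPLE_TEMPLATE = """<configuration>
  <property><name>hbase.thrift.keytab.file</name>
    <value>/etc/hbase/conf/hbase.keytab</value></property>
  <property><name>hbase.thrift.kerberos.principal</name>
    <value>$USER/_HOST@HADOOP.LOCALDOMAIN</value></property>
</configuration>"""

def load_properties(xml_text):
    """Return {name: value} for each <property> in hbase-site.xml text."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_thrift_kerberos(xml_text, stat_keytab=False):
    """Return a list of findings; an empty list means every check passed."""
    props = load_properties(xml_text)
    keytab = props.get(KEYTAB_KEY, "")
    principal = props.get(PRINCIPAL_KEY, "")
    findings = []
    for key, value in ((KEYTAB_KEY, keytab), (PRINCIPAL_KEY, principal)):
        if not value:
            findings.append(f"{key} is not set")
        elif "$" in value:
            findings.append(f"{key} still contains a placeholder: {value}")
    if principal:
        name, at, realm = principal.rpartition("@")
        if not at or not realm:
            findings.append(f"{PRINCIPAL_KEY} has no realm: {principal}")
        elif "/" not in name:
            findings.append(f"{PRINCIPAL_KEY} has no host component: {principal}")
    if stat_keytab and keytab and "$" not in keytab:
        # Policy assumed by this example: keytab accessible to its owner only.
        mode = os.stat(keytab).st_mode if os.path.exists(keytab) else None
        if mode is None:
            findings.append(f"keytab {keytab} does not exist")
        elif mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"keytab {keytab} is accessible to group/other")
    return findings
```

Run it with stat_keytab=True on the gateway host itself, since the keytab path is only meaningful there.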