Create a Kerberos Principal and a keytab File for HBase
About this task
Skip this task if you are not using HBase.
On all HBase nodes, perform the following steps:
Procedure
- Install the krb5 packages and configure the Kerberos client as per the configuration for your environment.
- Set up the HBase Kerberos principal mapr/<fqdn>@<realm>. Each node requires a unique keytab file and Kerberos identity.
- Create an hbase.keytab file with the HBase Kerberos principal by following the same Configuring Kerberos User Authentication procedure used to generate the CLDB keytab.
- Copy the hbase.keytab file to the /opt/mapr/conf directory.
- Use the chown command to change the keytab file's ownership to mapr:mapr.
- Use the chmod command to set the file's permissions to 600.
- Update the hbase-site.xml file by adding the following section:

    <property>
      <name>hbase.security.authentication</name>
      <value>kerberos</value>
    </property>
    <property>
      <name>hbase.security.authorization</name>
      <value>true</value>
    </property>
    <property>
      <name>hbase.rpc.engine</name>
      <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
    </property>
    <property>
      <name>hbase.regionserver.kerberos.principal</name>
      <value>mapr/_HOST@<KERBEROS_REALM></value>
    </property>
    <property>
      <name>hbase.master.kerberos.principal</name>
      <value>mapr/_HOST@<KERBEROS_REALM></value>
    </property>

- Replace the ${SIMPLE_LOGIN_OPTS} value of the MAPR_HBASE_SERVER_OPTS property with ${KERBEROS_LOGIN_OPTS} and the value of the MAPR_HBASE_CLIENT_OPTS property with ${HYBRID_LOGIN_OPTS}. Also remove the default -Dzookeeper.sasl.client=false option from the definition of MAPR_HBASE_CLIENT_OPTS. These properties are located in the /opt/mapr/conf/env.sh file.
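
A node-level check for the keytab and env.sh steps above, added here as an example and not taken from the original documentation. The function names are hypothetical; it assumes GNU stat and that env.sh assigns each property on a single line.

```shell
#!/bin/sh
# Added example (not MapR code): audit the keytab and env.sh after the procedure.
# Assumes GNU stat; assumes each env.sh property is assigned on one line.

# check_keytab FILE [OWNER:GROUP]: succeed only if FILE exists with mode 600
# and the expected owner (default mapr:mapr, as set in the chown step).
check_keytab() (
  file=$1; want=${2:-mapr:mapr}; rc=0
  [ -f "$file" ] || { echo "FAIL: $file not found"; exit 1; }
  mode=$(stat -c '%a' "$file")
  owner=$(stat -c '%U:%G' "$file")
  [ "$mode" = "600" ] || { echo "FAIL: $file mode $mode, expected 600"; rc=1; }
  [ "$owner" = "$want" ] || { echo "FAIL: $file owner $owner, expected $want"; rc=1; }
  exit "$rc"
)

# opts_line FILE NAME: print the uncommented line(s) that assign NAME.
opts_line() {
  grep -E "^[[:space:]]*(export[[:space:]]+)?$2=" "$1" || true
}

# check_env_sh FILE: succeed only if the login options match the last step.
check_env_sh() (
  rc=0
  server=$(opts_line "$1" MAPR_HBASE_SERVER_OPTS)
  client=$(opts_line "$1" MAPR_HBASE_CLIENT_OPTS)
  case $server in
    *'${SIMPLE_LOGIN_OPTS}'*) echo "FAIL: server still uses SIMPLE_LOGIN_OPTS"; rc=1 ;;
    *'${KERBEROS_LOGIN_OPTS}'*) ;;
    *) echo "FAIL: server lacks KERBEROS_LOGIN_OPTS"; rc=1 ;;
  esac
  case $client in
    *'${HYBRID_LOGIN_OPTS}'*) ;;
    *) echo "FAIL: client lacks HYBRID_LOGIN_OPTS"; rc=1 ;;
  esac
  case $client in
    *-Dzookeeper.sasl.client=false*) echo "FAIL: client still sets zookeeper.sasl.client=false"; rc=1 ;;
  esac
  exit "$rc"
)

# Usage on a node:
#   check_keytab /opt/mapr/conf/hbase.keytab && check_env_sh /opt/mapr/conf/env.sh
```

A keytab readable by other accounts lets them authenticate as the node's mapr principal, so the mode and owner checks are the ones to run after every redeploy or restore.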