Create a Kerberos Principal and a keytab File for HBase

About this task

Skip this task if you are not using HBase.

On all HBase nodes, perform the following steps:

Procedure

  1. Install the krb5 packages and configure the Kerberos client as per the configuration for your environment.
  2. Set up the HBase Kerberos principal mapr/<fqdn>@<realm>. Each node requires a unique keytab file and Kerberos identity.
  3. Create an hbase.keytab file with the HBase Kerberos principal by using the Configuring Kerberos User Authentication used to generate the CLDB keytab.
  4. Copy the hbase.keytab file to the /opt/mapr/conf directory.
  5. Use the chown command to change the keytab file's ownership to mapr:mapr.
  6. Use the chmod command to set the file's permissions to 600.
  7. Update the hbase-site.xml file by adding the following section: 
    <property>    
  <name>hbase.security.authentication</name>    
  <value>kerberos</value>  
  </property>  
<property>   
  <name>hbase.security.authorization</name>    
  <value>true</value>  
  </property> 
<property>    
  <name>hbase.rpc.engine</name>    
  <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>  
  </property>  
<property>    
  <name>hbase.regionserver.kerberos.principal</name>    
  <value>mapr/_HOST@<KERBEROS_REALM></value>  
  </property>  
<property>    
  <name>hbase.master.kerberos.principal</name>   
  <value>mapr/_HOST@<KERBEROS_REALM></value>  
  </property>
  8. Replace the ${SIMPLE_LOGIN_OPTS} value of the MAPR_HBASE_SERVER_OPTS property with ${KERBEROS_LOGIN_OPTS} and the value of the MAPR_HBASE_CLIENT_OPTS property with ${HYBRID_LOGIN_OPTS}. Also remove the default -Dzookeeper.sasl.client=false option from the definition of MAPR_HBASE_CLIENT_OPTS.

    These properties are located in the /opt/mapr/conf/env.sh file.