Enable Impersonation in the HBase Thrift 1 Gateway
About this task
To configure the Thrift gateway to authenticate to HBase on the client’s behalf, and to access HBase using a proxy user:
Procedure
-
In the
hbase-site.xmlfile for each cluster node running a Thrift gateway, set the propertyhbase.thrift.security.qopto one of the following three values:auth-conf- authentication, integrity, and confidentiality checkingauth-int- authentication and integrity checkingauth- authentication checking only
-
Restart
the Thrift gateway processes for the changes to take effect. If a
node is running Thrift, the output of the
jpscommand will list aThriftServerprocess.- To stop Thrift on a node, run the command
bin/hbase-daemon.sh stop thrift. - To start Thrift on a node, run the command
bin/hbase-daemon.sh start thrift.
- To stop Thrift on a node, run the command
-
To allow proxy users, add the following to the
hbase-site.xmlfile for every HBase node:<property> <name>hadoop.security.authorization</name> <value>true</value> </property> <property> <name>hadoop.proxyuser.$USER.groups</name> <value>$GROUPS</value> </property> <property> <name>hadoop.proxyuser.$USER.hosts</name> <value>$GROUPS</value> </property> -
To enable the
doAsfeature, add the following to the hbase-site.xml file for every Thrift gateway:<property> <name>hbase.regionserver.thrift.http</name> <value>true</value> </property> <property> <name>hbase.thrift.support.proxyuser</name> <value>true/value> </property>