Configure Kerberos for HBase Thrift Gateway
About this task
Procedure
- Add the following to the hbase-site.xml file for every Thrift gateway:

  <property>
    <name>hbase.thrift.keytab.file</name>
    <value>$KEYTAB</value>
  </property>
  <property>
    <name>hbase.thrift.kerberos.principal</name>
    <value>$USER/_HOST@HADOOP.LOCALDOMAIN</value>
    <!-- This may need to be HTTP/_HOST@<REALM> and _HOST may not work. You may have to put the concrete full hostname. -->
  </property>
  <property>
    <name>hbase.thrift.security.qop</name>
    <value>auth-conf</value>
  </property>
  <!-- Add these if you need to configure a different DNS interface from the default -->
  <property>
    <name>hbase.thrift.dns.interface</name>
    <value>default</value>
  </property>
  <property>
    <name>hbase.thrift.dns.nameserver</name>
    <value>default</value>
  </property>

  Substitute the appropriate credential and keytab for $USER and $KEYTAB respectively.
- If you are running HBase Thrift in HTTP mode, you must add additional properties to the hbase-site.xml file to enable HTTP connections through Kerberos. This is required if you enabled the following property in the hbase-site.xml file:

  <property>
    <name>hbase.regionserver.thrift.http</name>
    <value>true</value>
  </property>

  Add the following properties to enable HTTP connections through Kerberos:

  <property>
    <name>hbase.thrift.spnego.principal</name>
    <value>HTTP/_HOST@HADOOP.LOCALDOMAIN</value>
  </property>
  <property>
    <name>hbase.thrift.spnego.keytab.file</name>
    <value>$KEYTAB</value>
  </property>
- To use HPE Ezmeral Data Fabric Database tables without the full path, add the following property to the core-site.xml file:

  <property>
    <name>hbase.table.namespace.mappings</name>
    <value>*:/</value>
  </property>

  Add this property ONLY if you are working with HPE Ezmeral Data Fabric Database tables. Working with HBase tables is not possible when this property is present. For more information, see Considerations for Upgrading to HBase 1.1.13. For more information about mapping tables, see Mapping to HBase Table Namespaces.
Results
The Thrift gateway authenticates with HBase using the supplied credential. No authentication is performed by the Thrift gateway itself. All client access via the Thrift gateway uses the Thrift gateway’s credential and has its privilege.
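A pre-deployment check for the hbase-site.xml settings in the first two procedure steps, added here as an example and not part of the product documentation. The function names, the sample configuration, and the host name gw1.example.com are constructed for illustration; the property names and the HADOOP.LOCALDOMAIN realm are the ones used on this page.

```python
import xml.etree.ElementTree as ET

PLACEHOLDERS = ("$KEYTAB", "$USER")            # literals the page says to substitute
QOP_VALUES = ("auth", "auth-int", "auth-conf")  # SASL quality-of-protection levels

# Constructed sample: HTTP mode on, keytab placeholder left in, weak QOP, no SPNEGO keytab.
SAMPLE = """<configuration>
<property><name>hbase.thrift.keytab.file</name><value>$KEYTAB</value></property>
<property><name>hbase.thrift.kerberos.principal</name><value>hbase/gw1.example.com@HADOOP.LOCALDOMAIN</value></property>
<property><name>hbase.thrift.security.qop</name><value>auth</value></property>
<property><name>hbase.regionserver.thrift.http</name><value>true</value></property>
<property><name>hbase.thrift.spnego.principal</name><value>HTTP/gw1.example.com@HADOOP.LOCALDOMAIN</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def check_thrift_kerberos(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    props, findings = load_props(xml_text), []

    def require(name, prefix=None):
        value = props.get(name, "")
        if not value:
            findings.append(f"{name}: missing")
        elif any(ph in value for ph in PLACEHOLDERS):
            findings.append(f"{name}: placeholder not substituted ({value})")
        elif prefix and not value.startswith(prefix):
            findings.append(f"{name}: expected to start with {prefix}")
        return value

    require("hbase.thrift.keytab.file")
    principal = require("hbase.thrift.kerberos.principal")
    if principal and ("/" not in principal or "@" not in principal):
        findings.append("hbase.thrift.kerberos.principal: not service/host@REALM")
    qop = props.get("hbase.thrift.security.qop", "")
    if qop not in QOP_VALUES:
        findings.append(f"hbase.thrift.security.qop: unset or invalid ({qop!r})")
    elif qop != "auth-conf":
        findings.append(f"hbase.thrift.security.qop: {qop} does not encrypt traffic")
    # The SPNEGO pair is only required when Thrift runs in HTTP mode.
    if props.get("hbase.regionserver.thrift.http", "false").lower() == "true":
        require("hbase.thrift.spnego.principal", prefix="HTTP/")
        require("hbase.thrift.spnego.keytab.file")
    return findings

if __name__ == "__main__":
    print("\n".join(check_thrift_kerberos(SAMPLE)) or "OK")
```

Run it against each gateway's hbase-site.xml before restarting the Thrift service; an empty result means the Kerberos properties from the procedure are present and substituted.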