Configure Kerberos for HBase Thrift Gateway

Procedure

  1. Add the following to the hbase-site.xml file for every Thrift gateway:
    <property>
        <name>hbase.thrift.keytab.file</name>
        <value>$KEYTAB</value>
    </property>
    <property>
        <name>hbase.thrift.kerberos.principal</name>
        <value>$USER/_HOST@HADOOP.LOCALDOMAIN</value>
        <!-- This may need to be HTTP/_HOST@<REALM> and _HOST may not work. You may have to put the concrete full hostname. -->
    </property>
    <property>
        <name>hbase.thrift.security.qop</name>
        <value>auth-conf</value>
    </property>
    <!-- Add these if you need to configure a different DNS interface from the default -->
    <property>
        <name>hbase.thrift.dns.interface</name>
        <value>default</value>
    </property>
    <property>
        <name>hbase.thrift.dns.nameserver</name>
        <value>default</value>
    </property>

    Substitute the appropriate credential and keytab for $USER and $KEYTAB respectively.

  2. If you are running HBase Thrift in HTTP mode, you must add properties to the hbase-site.xml file to enable HTTP connections through Kerberos. This is required if you enabled the following property in the hbase-site.xml file:
    <property>
        <name>hbase.regionserver.thrift.http</name>
        <value>true</value>
    </property>
    Add the following properties to enable HTTP connections through Kerberos:
    <property>
        <name>hbase.thrift.spnego.principal</name>
        <value>HTTP/_HOST@HADOOP.LOCALDOMAIN</value>
    </property>
    <property>
        <name>hbase.thrift.spnego.keytab.file</name>
        <value>$KEYTAB</value>
    </property>
  3. To use HPE Ezmeral Data Fabric Database tables without the full path, add the following property to the core-site.xml file:
    <property>
        <name>hbase.table.namespace.mappings</name>
        <value>*:/</value>
    </property>

    Add this property ONLY if you are working with HPE Ezmeral Data Fabric Database tables. Working with HBase tables is not possible when this property is present. For more information, see Considerations for Upgrading to HBase 1.1.13. For more information about mapping tables, see Mapping to HBase Table Namespaces.

Results

The Thrift gateway authenticates with HBase using the supplied credential. The Thrift gateway itself performs no authentication. All client access through the Thrift gateway uses the gateway's credential and has its privileges.