Configure MapR-SASL Security (Authentication and Encryption) for HBase

This section describes the manual method for configuring security in HBase.

Starting with EEP 6.3.0, HBase services are secured by default with MapR-SASL. After installing HBase, you configure it by running the $MAPR_HOME/server/configure.sh script with the -R option. There are two methods to configure HBase to be secure by default:
  • Automatic Method
  • Manual Method

Automatic Method

If you installed HBase by using the MapR Installer, the MapR Installer configures HBase daemons during installation. Additional configuration is not required.

Manual Method

After a new manual installation, to generate a valid default ecosystem configuration, run:
$MAPR_HOME/server/configure.sh -R 
Four HBase services require configuration:
  • HBase Master
  • HBase RegionServer
  • HBase Thrift
  • HBase REST

Each service can be configured for authentication and encryption, as shown later on this page:

HBase Master and RegionServer

The Master and RegionServer services require the same configuration for security.

Authentication

To enable MapR-SASL authentication, include the following property in the hbase-site.xml file:
<property>
  <name>hbase.security.authentication</name>
  <value>maprsasl</value>
</property>

Encryption

To enable MapR-SASL encryption, include the following property in the hbase-site.xml file:
<property>
  <name>hbase.rpc.protection</name>
  <value>privacy</value>
</property>
Possible values for the hbase.rpc.protection property are:
  • authentication (auth)
  • integrity (auth-int)
  • privacy (auth-conf)

The best practice is to spell out the values (authentication/integrity/privacy). The abbreviated values (in parentheses) can work, but using them is not recommended. Encryption is enabled only for the highest level of security (privacy).

HBase Thrift

The HBase Thrift service can be configured to work over sockets or over the HTTP protocol. Authentication is configured the same way in both cases; encryption is configured differently for each. Note that starting with EEP 6.3.0, the hbase.thrift.security.authentication property is no longer used to configure HBase Thrift for authentication.

Authentication

HBase Thrift relies on the same property used for Master and RegionServer. To enable authentication, include the following property in the hbase-site.xml file:
<property>
  <name>hbase.security.authentication</name>
  <value>maprsasl</value>
</property>

Encryption for Thrift over Sockets

To enable encryption with MapR-SASL for Thrift over sockets, make sure that the hbase.regionserver.thrift.http property is set to false and the following property is present in the hbase-site.xml file:
<property>
  <name>hbase.thrift.security.qop</name>
  <value>auth-conf</value>
</property>
Possible values for hbase.thrift.security.qop are:
  • auth
  • auth-int
  • auth-conf

Encryption is enabled only for the highest level of security (auth-conf).

Encryption for Thrift over HTTP

To enable Thrift to work over the HTTP protocol, include the following property in the hbase-site.xml file:
<property>
  <name>hbase.regionserver.thrift.http</name>
  <value>true</value>
</property>
To enable Thrift over HTTP encryption through SSL, include the following property in the hbase-site.xml file:
<property>
  <name>hbase.thrift.ssl.enabled</name>
  <value>true</value>
</property>

HBase REST

Authentication

To enable HBase REST authentication, include the following property in the hbase-site.xml file:
<property>
  <name>hbase.rest.authentication.type</name>
  <value>org.apache.hadoop.security.authentication.server.MultiMechsAuthenticationHandler</value>
</property>

With the MultiMechsAuthenticationHandler, MapR-SASL, Kerberos, and PAM authentication headers are supported. A custom AuthenticationHandler could be implemented and specified with the full class name in this property.

Encryption

To enable HBase REST SSL encryption, include the following property in the hbase-site.xml file:
<property>
  <name>hbase.rest.ssl.enabled</name>
  <value>true</value>
</property>

HBase Services Web UIs

Web UIs are available for each HBase service. The Web UIs run simultaneously with the service and within the same process. Security for these UIs must be configured too.

Authentication

To enable HBase Web UI authentication, include the following property in the hbase-site.xml file:
<property>
  <name>hbase.security.authentication</name>
  <value>maprsasl</value>
</property>

Authentication is implemented through the MultiMechsAuthenticationHandler and therefore supports MapR-SASL, Kerberos, and PAM authentication headers.

Encryption

To enable HBase Web UI SSL encryption, include the following property in the hbase-site.xml file:
<property>
  <name>hbase.ssl.enabled</name>
  <value>true</value>
</property>
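
The following audit script is an added example, not part of the original page or of the MapR tooling. It checks one hbase-site.xml against the properties described above, including the Thrift branch (sockets or HTTP). The function names and the sample file are constructed for illustration, and treating an unset hbase.regionserver.thrift.http as sockets is an assumption. It inspects only the file it is given, not defaults applied elsewhere.

```python
import xml.etree.ElementTree as ET

# Constructed sample hbase-site.xml: authentication is on, but RPC protection
# stops at integrity and Thrift over sockets has no QOP configured.
SAMPLE = """<configuration>
  <property><name>hbase.security.authentication</name><value>maprsasl</value></property>
  <property><name>hbase.rpc.protection</name><value>integrity</value></property>
  <property><name>hbase.regionserver.thrift.http</name><value>false</value></property>
  <property><name>hbase.rest.ssl.enabled</name><value>true</value></property>
  <property><name>hbase.ssl.enabled</name><value>true</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value}; a later duplicate overrides an earlier one."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    props = load_props(xml_text)
    expected = {  # None means any non-empty value (a handler class name)
        "hbase.security.authentication": {"maprsasl"},
        "hbase.rpc.protection": {"privacy", "auth-conf"},
        "hbase.rest.authentication.type": None,
        "hbase.rest.ssl.enabled": {"true"},
        "hbase.ssl.enabled": {"true"},
    }
    # Thrift encryption depends on transport; unset = sockets (assumption here).
    if props.get("hbase.regionserver.thrift.http", "false").lower() == "true":
        expected["hbase.thrift.ssl.enabled"] = {"true"}
    else:
        expected["hbase.thrift.security.qop"] = {"auth-conf"}
    findings = []
    for name, allowed in expected.items():
        value = props.get(name, "")
        if not value:
            findings.append(f"{name}: not set in this file")
        elif allowed is not None and value not in allowed:
            findings.append(f"{name}: '{value}' is not one of {sorted(allowed)}")
        elif value == "auth-conf" and name == "hbase.rpc.protection":
            findings.append(f"{name}: spell out 'privacy' instead of 'auth-conf'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

For the sample, the script reports the integrity-only RPC setting, the missing REST authentication handler, and the missing Thrift QOP.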