Enable Impersonation for HBase Thrift Gateway

About this task

This task configures the Thrift gateway to authenticate to HBase on the client’s behalf and to access HBase as a proxy user.

Procedure

  1. To allow proxy users, add the following to the hbase-site.xml file for every HBase node:
    <property>
        <name>hadoop.proxyuser.$USER.groups</name>
        <value>$GROUPS</value>
    </property>
    <property>
        <name>hadoop.proxyuser.$USER.hosts</name>
        <value>$HOSTS</value>
    </property>
  2. To enable the doAs feature, add the following to the hbase-site.xml file for every Thrift gateway:
    <property>
        <name>hbase.regionserver.thrift.http</name>
        <value>true</value>
    </property>
    <property>
        <name>hbase.thrift.support.proxyuser</name>
        <value>true</value>
    </property>
  3. Restart the Thrift gateway processes for the changes to take effect. If a node is running Thrift, the output of the jps command will list a ThriftServer process.
    • To restart Thrift on a node, use the following maprcli command:
      maprcli node services -name hbasethrift -action restart -nodes <node_hostname>
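
The following check is an added example, not part of the original page or of the product's tooling: it parses an hbase-site.xml file, confirms the properties from steps 1 and 2 are set, and flags a wildcard (*) proxy-user scope, which places no limit on the groups or hosts the gateway user may impersonate for. The proxy user thriftsvc (the $USER of step 1), the group name and the sample file are constructed values; load_props and audit are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample hbase-site.xml; "thriftsvc" and "hbase-clients" are made-up values.
SAMPLE = """<configuration>
  <property><name>hadoop.proxyuser.thriftsvc.groups</name><value>hbase-clients</value></property>
  <property><name>hadoop.proxyuser.thriftsvc.hosts</name><value>*</value></property>
  <property><name>hbase.regionserver.thrift.http</name><value>true</value></property>
  <property><name>hbase.thrift.support.proxyuser</name><value>true</value></property>
</configuration>"""


def load_props(xml_text):
    """Parse hbase-site.xml text into {name: value}; raises ParseError on malformed XML."""
    root = ET.fromstring(xml_text)
    props = {}
    for p in root.iter("property"):
        name = (p.findtext("name") or "").strip()
        if name:
            props[name] = (p.findtext("value") or "").strip()
    return props


def audit(xml_text, proxy_user, gateway=True):
    """Return findings for proxy_user; gateway=False skips the step 2 (Thrift-only) keys."""
    try:
        props = load_props(xml_text)
    except ET.ParseError as exc:  # e.g. a broken closing tag such as "true/value>"
        return [f"malformed XML: {exc}"]
    findings = []
    doas_keys = ("hbase.regionserver.thrift.http", "hbase.thrift.support.proxyuser")
    for key in doas_keys if gateway else ():
        if props.get(key, "").lower() != "true":
            findings.append(f"{key} is not 'true' (doAs stays disabled)")
    for suffix in ("groups", "hosts"):
        key = f"hadoop.proxyuser.{proxy_user}.{suffix}"
        value = props.get(key)
        if not value:
            findings.append(f"{key} is missing or empty")
        elif "*" in [v.strip() for v in value.split(",")]:
            findings.append(f"{key} is '*': no restriction on {suffix} for {proxy_user}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, "thriftsvc"):
        print("FINDING:", finding)
```

Run it against each node's hbase-site.xml before restarting the Thrift gateway; pass gateway=False for HBase nodes that do not run Thrift.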