Configure HBase to use Kerberos

HBase supports MapR-SASL and Kerberos security, and can run securely regardless of the security status of your HPE Ezmeral Data Fabric cluster.

Procedure

To configure HBase to use Kerberos, perform the following steps:
  1. Install the mapr-hbase-master and mapr-hbase-regionserver packages on the cluster.
  2. On all HBase nodes, perform the following steps:
    1. Install the krb5 packages and configure the Kerberos client as per the configuration for your environment.
    2. Set up the HBase Kerberos principal mapr/<fqdn>@<realm>. Each node requires a unique keytab file and Kerberos identity.
    3. Create an hbase.keytab file for the HBase Kerberos principal, using the same process used to generate the CLDB keytab.
    4. Copy the hbase.keytab file to the /opt/mapr/conf directory.
    5. Use the chown command to change the keytab file's ownership to mapr:mapr.
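    6. Use the chmod command to set the file's permissions to 600, so that only the mapr user can read the keytab. Anyone who can read the keytab can authenticate as the HBase principal.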
    7. Update the hbase-site.xml file by adding the following section:
      <property>
        <name>hbase.security.authentication</name>
        <value>kerberos</value>
      </property>
      <property>
        <name>hbase.security.authorization</name>
        <value>true</value>
      </property>
      <property>
        <name>hbase.regionserver.kerberos.principal</name>
        <value>mapr/_HOST@<KERBEROS_REALM></value>
      </property>
      <property>
        <name>hbase.master.kerberos.principal</name>
        <value>mapr/_HOST@<KERBEROS_REALM></value>
      </property>
    8. On an HPE Ezmeral Data Fabric cluster with security features enabled, replace the ${SIMPLE_LOGIN_OPTS} value of the MAPR_HBASE_SERVER_OPTS property with ${KERBEROS_LOGIN_OPTS} and the value of the MAPR_HBASE_CLIENT_OPTS property with ${HYBRID_LOGIN_OPTS}. Also remove the -Dzookeeper.sasl.client=false option from the definition of MAPR_HBASE_CLIENT_OPTS.

      These properties are located in the /opt/mapr/conf/env.sh file.

    9. On an HPE Ezmeral Data Fabric cluster with security features disabled, replace the ${SIMPLE_LOGIN_OPTS} value of the MAPR_HBASE_SERVER_OPTS and MAPR_HBASE_CLIENT_OPTS properties in the /opt/mapr/conf/env.sh file with ${KERBEROS_LOGIN_OPTS}.
  3. On all HBase regionserver nodes, update the hbase-site.xml file by adding the following section:
    <property>
      <name>hbase.regionserver.keytab.file</name>
      <value>/opt/mapr/conf/hbase.keytab</value>
    </property>
    <property>
      <name>hbase.coprocessor.region.classes</name>
      <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
    </property>
  4. On the HBase master node, update the hbase-site.xml file by adding the following section:
    <property>
      <name>hbase.master.keytab.file</name>
      <value>/opt/mapr/conf/hbase.keytab</value>
    </property>
    <property>
      <name>hbase.coprocessor.master.classes</name>
      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
    </property>
  5. Restart the HBase master and regionserver nodes.
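
The following check is an added example, not part of the HPE documentation. It audits a node's hbase-site.xml and keytab against the values given in the procedure above and reports, for instance, a node where authentication is enabled but authorization and the AccessController coprocessor were left out. The function names, the EXAMPLE.COM realm, and the sample configuration are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

ACL = "org.apache.hadoop.hbase.security.access.AccessController"
TOKEN = "org.apache.hadoop.hbase.security.token.TokenProvider"
KEYTAB = "/opt/mapr/conf/hbase.keytab"
ROLES = {
    "regionserver": ("hbase.regionserver.keytab.file",
                     "hbase.coprocessor.region.classes", {TOKEN, ACL}),
    "master": ("hbase.master.keytab.file",
               "hbase.coprocessor.master.classes", {ACL}),
}

def audit_site(xml_text, role):
    """Return findings for a node's hbase-site.xml; an empty list means it matches."""
    props = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
             for p in ET.fromstring(xml_text).iter("property")}
    keytab_key, cp_key, cp_needed = ROLES[role]
    expected = {"hbase.security.authentication": "kerberos",
                "hbase.security.authorization": "true", keytab_key: KEYTAB}
    findings = [f"{k}: expected {want!r}, found {props.get(k)!r}"
                for k, want in expected.items() if props.get(k) != want]
    for k in ("hbase.regionserver.kerberos.principal",
              "hbase.master.kerberos.principal"):
        if not props.get(k, "").startswith("mapr/_HOST@"):
            findings.append(f"{k}: expected mapr/_HOST@<realm>")
    loaded = {c.strip() for c in props.get(cp_key, "").split(",")}
    findings += [f"{cp_key}: missing {c}" for c in sorted(cp_needed - loaded)]
    return findings

def audit_keytab(path, owner_uid=None):
    """Return findings if the keytab is not mode 600 or not owned by owner_uid."""
    st = os.lstat(path)  # lstat: a symlink at this path is reported, not followed
    mode = stat.S_IMODE(st.st_mode)
    findings = [] if mode == 0o600 else [f"{path}: mode {mode:o}, expected 600"]
    if owner_uid is not None and st.st_uid != owner_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {owner_uid}")
    return findings

# Constructed sample: regionserver config missing authorization and AccessController.
SAMPLE = "<configuration>" + "".join(
    f"<property><name>{n}</name><value>{v}</value></property>" for n, v in [
        ("hbase.security.authentication", "kerberos"),
        ("hbase.regionserver.kerberos.principal", "mapr/_HOST@EXAMPLE.COM"),
        ("hbase.master.kerberos.principal", "mapr/_HOST@EXAMPLE.COM"),
        ("hbase.regionserver.keytab.file", KEYTAB),
        ("hbase.coprocessor.region.classes", TOKEN),
    ]) + "</configuration>"
```

To check the ownership set in the chown step, pass pwd.getpwnam("mapr").pw_uid as owner_uid when calling audit_keytab on a cluster node.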