HBase supports MapR-SASL and Kerberos security, and can run securely independently of the security status of your HPE Ezmeral Data Fabric cluster.
Procedure
To configure HBase to use Kerberos, perform the following steps:
- Install the mapr-hbase-master and mapr-hbase-regionserver packages on the cluster.
- On all HBase nodes, perform the following steps:
  - Install the krb5 packages and configure the Kerberos client as per the configuration for your environment.
  - Set up the HBase Kerberos principal mapr/<fqdn>@<realm>. Each node requires a unique keytab file and Kerberos identity.
  - Create an hbase.keytab file with the HBase Kerberos principal with the same process used to generate the CLDB keytab.
  - Copy the hbase.keytab file to the /opt/mapr/conf directory.
  - Use the chown command to change the keytab file's ownership to mapr:mapr.
  - Use the chmod command to set the file's permissions to 600.
  - Update the hbase-site.xml file by adding the following section:
    <property>
      <name>hbase.security.authentication</name>
      <value>kerberos</value>
    </property>
    <property>
      <name>hbase.security.authorization</name>
      <value>true</value>
    </property>
    <property>
      <name>hbase.regionserver.kerberos.principal</name>
      <value>mapr/_HOST@<KERBEROS_REALM></value>
    </property>
    <property>
      <name>hbase.master.kerberos.principal</name>
      <value>mapr/_HOST@<KERBEROS_REALM></value>
    </property>
  - On an HPE Ezmeral Data Fabric cluster with security features enabled, replace the ${SIMPLE_LOGIN_OPTS} value of the MAPR_HBASE_SERVER_OPTS property with ${KERBEROS_LOGIN_OPTS} and the value of the MAPR_HBASE_CLIENT_OPTS property with ${HYBRID_LOGIN_OPTS}. Also remove the -Dzookeeper.sasl.client=false option from the definition of MAPR_HBASE_CLIENT_OPTS. These properties are located in the /opt/mapr/conf/env.sh file.
  - On an HPE Ezmeral Data Fabric cluster with security features disabled, replace the ${SIMPLE_LOGIN_OPTS} value of the MAPR_HBASE_SERVER_OPTS and MAPR_HBASE_CLIENT_OPTS properties in the /opt/mapr/conf/env.sh file with ${KERBEROS_LOGIN_OPTS}.
- On all HBase regionserver nodes, update the hbase-site.xml file by adding the following section:
  <property>
    <name>hbase.regionserver.keytab.file</name>
    <value>/opt/mapr/conf/hbase.keytab</value>
  </property>
  <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
- On the HBase master node, update the hbase-site.xml file by adding the following section:
  <property>
    <name>hbase.master.keytab.file</name>
    <value>/opt/mapr/conf/hbase.keytab</value>
  </property>
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
- Restart the HBase master and regionserver nodes.
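A per-node check of the settings from the procedure above, run before the restart. This is an added example, not code from HPE or the HBase project: the names audit and owner_of are hypothetical, the location of hbase-site.xml is passed in by the caller because this page does not give it, and each *_OPTS variable in env.sh is assumed to be a single-line assignment.

```python
import grp, os, pwd, re, stat
import xml.etree.ElementTree as ET
AC = "org.apache.hadoop.hbase.security.access.AccessController"
TP = "org.apache.hadoop.hbase.security.token.TokenProvider"

def owner_of(path):
    st = os.stat(path)
    try:
        return f"{pwd.getpwuid(st.st_uid).pw_name}:{grp.getgrgid(st.st_gid).gr_name}"
    except KeyError:  # uid/gid has no passwd or group entry
        return f"{st.st_uid}:{st.st_gid}"

def audit(site_xml, role, keytab="/opt/mapr/conf/hbase.keytab",
          env_sh="/opt/mapr/conf/env.sh", owner="mapr:mapr", secure_cluster=True):
    """Return a list of findings for one node; role is 'master' or 'regionserver'."""
    findings = []
    # Keytab: must exist with mode 600 and the expected owner (mapr:mapr).
    if not os.path.isfile(keytab):
        findings.append(f"{keytab}: missing")
    elif (got := f"{stat.S_IMODE(os.stat(keytab).st_mode):o} {owner_of(keytab)}") != f"600 {owner}":
        findings.append(f"{keytab}: is {got}, expected 600 {owner}")
    # hbase-site.xml: each required property maps to a predicate over its value.
    cp, need = ("region", {AC, TP}) if role == "regionserver" else ("master", {AC})
    checks = {
        "hbase.security.authentication": lambda v: v == "kerberos",
        "hbase.security.authorization": lambda v: v == "true",
        "hbase.regionserver.kerberos.principal": lambda v: v.startswith("mapr/_HOST@"),
        "hbase.master.kerberos.principal": lambda v: v.startswith("mapr/_HOST@"),
        f"hbase.{role}.keytab.file": lambda v: v == keytab,
        f"hbase.coprocessor.{cp}.classes": lambda v: need <= {c.strip() for c in v.split(",")},
    }
    props = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
             for p in ET.parse(site_xml).getroot().iter("property")}
    for name, ok in checks.items():
        if not ok(props.get(name, "")):
            findings.append(f"{name}: got {props.get(name)!r}")
    # env.sh: login options per the security-enabled / security-disabled steps.
    pattern = r"^\s*(?:export\s+)?(MAPR_HBASE_(?:SERVER|CLIENT)_OPTS)=(.*)$"
    with open(env_sh) as fh:
        opts = dict(re.findall(pattern, fh.read(), re.M))
    for var in ("MAPR_HBASE_SERVER_OPTS", "MAPR_HBASE_CLIENT_OPTS"):
        hybrid = secure_cluster and var == "MAPR_HBASE_CLIENT_OPTS"
        want = "${HYBRID_LOGIN_OPTS}" if hybrid else "${KERBEROS_LOGIN_OPTS}"
        if want not in opts.get(var, ""):
            findings.append(f"{var}: expected {want}")
        if hybrid and "-Dzookeeper.sasl.client=false" in opts.get(var, ""):
            findings.append(f"{var}: -Dzookeeper.sasl.client=false still set")
    return findings
```

An empty list means the node matches the procedure. Pass secure_cluster=False on a cluster with security features disabled, where both variables are expected to use ${KERBEROS_LOGIN_OPTS}.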