2.3.5.4. Configure Secure Client Side Access to HBase

HBase configured for secure client access is expected to run on a secure HDFS cluster. HBase clients must be able to authenticate with HDFS services. Use the following instructions to set that capability up.

  1. Provide a Kerberos principal for HBase client users. Review the process for creating Kerberos principals here.

    • For normal HBase clients, best practice is to set up the principal with a password.

      The client principal's maxrenewlife should be set high enough to allow the HBase client process to complete. Client principals are not renewed automatically.

      For example, if a user runs a long-running HBase client process that takes at most three days, you might create this user's principal using kadmin.local with the following command:

      addprinc -maxrenewlife 3days <new_principal_name>

    • For long-running HBase clients, set up a keytab file for the principal and copy the file to the directory where the client daemon executes. Make sure that this file is readable only by the user account under which the daemon runs.

  2. On every HBase client host, add the following two properties to the /etc/hbase/conf/hbase-site.xml file:

    <property>
        <name>hbase.security.authentication</name>
        <value>kerberos</value>
    </property>
    Note: The client environment must be logged in to Kerberos with the kinit command (using a password or a keytab) before it can communicate with the HBase cluster. The client also cannot communicate with the cluster if the hbase.security.authentication property in the client-side and server-side site files does not match.

    <property>
        <name>hbase.rpc.engine</name>
        <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
    </property>
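
One way to verify the client-side settings from steps 1 and 2, added here as an example and not part of the original documentation: it checks a client hbase-site.xml for the two required properties and confirms that a keytab is owned by the daemon account and closed to group and other. The function names and the sample files built in demo() are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Property names and values taken from step 2 of the procedure above.
REQUIRED = {
    "hbase.security.authentication": "kerberos",
    "hbase.rpc.engine": "org.apache.hadoop.hbase.ipc.SecureRpcEngine",
}

def check_site(path):
    """Return a list of problems found in a client hbase-site.xml."""
    found = {}
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        found[name] = (prop.findtext("value") or "").strip()
    problems = []
    for name, want in REQUIRED.items():
        if name not in found:
            problems.append(f"{name}: missing")
        elif found[name] != want:
            problems.append(f"{name}: is {found[name]!r}, expected {want!r}")
    return problems

def check_keytab(path, owner_uid):
    """Return a list of problems with keytab ownership and mode."""
    st = os.stat(path)
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {owner_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(f"mode {stat.S_IMODE(st.st_mode):o} grants group/other access")
    return problems

def demo():
    """Run both checks on constructed sample files in a temp directory."""
    d = tempfile.mkdtemp()
    site = os.path.join(d, "hbase-site.xml")
    with open(site, "w") as f:  # constructed sample: wrong value, second property absent
        f.write("<configuration><property><name>hbase.security.authentication"
                "</name><value>simple</value></property></configuration>")
    keytab = os.path.join(d, "client.keytab")  # constructed placeholder, not a real keytab
    with open(keytab, "wb") as f:
        f.write(b"\x05\x02")
    os.chmod(keytab, 0o644)
    return check_site(site), check_keytab(keytab, os.getuid())

if __name__ == "__main__":
    for group in demo():
        print(group)
```

An empty list from each function means the file passed; run check_site against /etc/hbase/conf/hbase-site.xml on each client host.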

