2.3.2.4. Configure Secure Client Side Access for HBase

HBase configured for secure client access is expected to be running on top of a secure HDFS cluster. HBase must be able to authenticate to HDFS services.

  1. Provide a Kerberos principal to the HBase client user using the instructions provided here.

    • Option I: Provide Kerberos principal to normal HBase clients.

      For normal HBase clients, Hortonworks recommends setting up a password for the principal.

    • Option II: Provide Kerberos principal to long-running HBase clients.

      1. Set up a keytab file for the principal and copy the resulting keytab file to the location where the client daemon will execute.

        Ensure that this file is readable only by the user account under which the daemon will run.

      2. Set maxrenewlife.

        The client principal's maxrenewlife should be set high enough to allow the HBase client process to complete. Client principals are not renewed automatically.

        For example, if a user runs a long-running HBase client process that takes at most three days, we might create this user's principal within kadmin with the following command:

        addprinc -maxrenewlife 3days

        Long-running daemons with indefinite lifetimes that require client access to HBase can instead be configured to log in from a keytab. For each host running such daemons, create a keytab with kadmin or kadmin.local.

  2. On every HBase client, add the following properties to the hbase-site.xml file:

    <property>
        <name>hbase.security.authentication</name>
        <value>kerberos</value>
    </property>

    Note

    The client environment must be logged in to Kerberos, from the KDC or from a keytab, via the kinit command before communication with the HBase cluster is possible. The client cannot communicate with the cluster if the values of the hbase.security.authentication property in the client-side and server-side site files do not match.

    <property>
        <name>hbase.rpc.engine</name>
        <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
    </property>
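
A preflight check for the two steps above, added here as an example and not part of the original Hortonworks documentation: it verifies that a client hbase-site.xml carries both properties, that the authentication value matches a server-side copy, and that the keytab is accessible only to the daemon account. The function names, the daemon_uid parameter and the sample file names are assumptions.

```python
# Added example (not Hortonworks code); function names are illustrative.
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# The two client-side properties this page sets in hbase-site.xml.
REQUIRED = {
    "hbase.security.authentication": "kerberos",
    "hbase.rpc.engine": "org.apache.hadoop.hbase.ipc.SecureRpcEngine",
}

def read_site(path):
    """Return {name: value} for every <property> in a *-site.xml file."""
    props = {}
    for prop in ET.parse(path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_site(client_path, server_path=None):
    """List missing or wrong client properties; optionally compare with the server."""
    client = read_site(client_path)
    problems = [f"{k}: expected {v!r}, found {client.get(k)!r}"
                for k, v in REQUIRED.items() if client.get(k) != v]
    key = "hbase.security.authentication"
    if server_path and client.get(key) != read_site(server_path).get(key):
        problems.append(f"{key}: client and server values differ")
    return problems

def check_keytab(path, daemon_uid):
    """List ownership or mode problems; only the daemon account may read the keytab."""
    st = os.stat(path)
    problems = []
    if st.st_uid != daemon_uid:
        problems.append(f"owner is uid {st.st_uid}, expected {daemon_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return problems

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample inputs
        site, keytab = os.path.join(d, "hbase-site.xml"), os.path.join(d, "c.keytab")
        with open(site, "w") as f:
            f.write("<configuration><property><name>hbase.security.authentication"
                    "</name><value>simple</value></property></configuration>")
        open(keytab, "wb").close()
        os.chmod(keytab, 0o644)
        print("\n".join(check_site(site) + check_keytab(keytab, os.getuid())))
```

An empty list from both functions means the client configuration and keytab permissions match what this section asks for; it does not confirm that a valid ticket has been obtained with kinit.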

