3. Add HBase Repositories

HBase agents integrate with the HBase Master and HBase Region Servers.

Note

When adding an HBase Repository, you must install the Security Agent for HBase on the HBase Master and on each of the HBase Region Servers in your cluster, and ensure that the configuration settings are the same on each Region Server.

 3.1. Create an HBase Repository

Before installing the agent on the HBase Region Servers, create an HBase Repository as follows:

  1. Sign in to the HDP Security Administration Web UI.

  2. Click Policy Manager.

    The Manage Repository page displays.

  3. Next to HBase, click the + (plus symbol).

    The Create Repository page displays.

  4. Complete the Repository Details with the following information:

     

    Table 4.7. HBase Repository Details

    | Label | Value | Description |
    |---|---|---|
    | Repository Name | $name | Specify a unique name for the repository. You will need to specify the same repository name in the agent installation properties. For example, clustername_hbase. |
    | Description | $description-of-repo | Enter a description up to 150 characters. |
    | Active Status | Enabled or Disabled | Enable or disable policy enforcement for the repository. |
    | Repository type | HDFS, Hive, or HBase | Select the type of repository, HBase. |
    | User name | $user | Specify a user name on the remote system with permission to establish the connection, for example hbase. |
    | Password | $password | Specify the password of the user account for connection. |


  5. Complete the HBase Configuration:

    The settings must match the values specified in the core-site.xml and hbase-site.xml files as follows:

    Table 4.8. HBase Configuration

    | Label | Value | File / Description |
    |---|---|---|
    | fs.default.name | $hdfs-url | core-site.xml. For example, hdfs://sandbox.hortonworks.com:8020 |
    | hadoop.security.authorization | true | core-site.xml. If this field is false, then change to true in core-site.xml before you continue. |
    | hadoop.security.authentication | simple or kerberos | core-site.xml |
    | hadoop.security.auth_to_local | $usermapping | core-site.xml. For example: RULE:[2:$1@$0]([rn]m@.*)s/.*/yarn/ RULE:[2:$1@$0](jhs@.*)s/.*/mapred/ RULE:[2:$1@$0]([nd]n@.*)s/.*/hdfs/ RULE:[2:$1@$0](hm@.*)s/.*/hbase/ RULE:[2:$1@$0](rs@.*)s/.*/hbase/ DEFAULT |
    | dfs.datanode.kerberos.principal | $dn-principal | Specify the Kerberos DataNode principal name. |
    | dfs.namenode.kerberos.principal | $nn-principal | Specify the Kerberos NameNode principal name. |
    | dfs.secondary.namenode.kerberos.principal | $secondary-nn-principal | Specify the Kerberos Secondary NN principal name. |
    | hbase.master.kerberos.principal | $hbase-principal | Specify the Kerberos principal for the HBase Master. |
    | hbase.rpc.engine | org.apache.hadoop.hbase.ipc.SecureRpcEngine | hbase-site.xml |
    | hbase.rpc.protection | PRIVACY | hbase-site.xml |
    | hbase.security.authentication | simple | hbase-site.xml |
    | hbase.zookeeper.property.clientPort | 2181 | hbase-site.xml |
    | hbase.zookeeper.quorum |  | hbase-site.xml |
    | zookeeper.znode.parent | /hbase | hbase-site.xml |
    | Common Name For Certificate | $cert-name | Specify the name of the certificate. |


    Note

    The blank fields are optional.

  6. Click Test Connection.

    If the server can connect to HBase, the connection successful message displays.

    The HDP Security Administration server connects to HBase and lists the tables. Hortonworks recommends creating the repository and installing the agent after HBase contains data. If the HBase connection fails (and tables exist), go to the troubleshooting appendix.

  7. After making a successful connection, click Save.

The repository is created with an open access policy; that is, auditing is enabled and all users are allowed to access the resources. Complete the installation of the agent and run a few simple access tests before configuring policies to ensure that the solution is working properly.

 3.2. Installation Set Up

Use the same installation properties file to install the Security Agent for HBase on every host. Install the agent on all of the following HBase hosts:

  • HBase Master host

  • All HBase Region Server hosts

  1. Log on to the host as root.

  2. Create a temporary directory, such as /tmp/xasecure:

    mkdir /tmp/xasecure
  3. Move the package into the temporary directory along with the MySQL Connector Jar.

  4. Extract the contents:

    tar xvf $xasecureinstallation.tar
  5. Go to the directory where you extracted the installation files:

    cd /tmp/xasecure/xasecure-$name-$build-version
  6. Open the install.properties file for editing.

  7. Change the following parameters for your environment:

     

    Table 4.9. Hive Agent Install Parameters

    | Parameter | Value | Description |
    |---|---|---|
    | POLICY_MGR_URL | $url | Specify the full URL to access the Policy Manager Web UI. For example, http://pm-host:6080. |
    | MYSQL_CONNECTOR_JAR | $path-to-mysql-connector | Absolute path on the local host to the JDBC driver for MySQL, including the file name. [a] For example, /tmp/xasecure/ |
    | REPOSITORY_NAME | $Policy-Manager-Repo-Name | Name of the HBase Repository in the Policy Manager that this agent connects to after installation. |
    | XAAUDIT.DB.HOSTNAME | $XAsecure-db-host | Specify the host name of the MySQL database. |
    | XAAUDIT.DB.DATABASE_NAME | $auditdb | Specify the audit database name that matches the audit_db_name specified during installation. |
    | XAAUDIT.DB.USER_NAME | $auditdbuser | Specify the audit database user name that matches the audit_db_user specified during installation. |
    | XAAUDIT.DB.PASSWORD | $auditdbupw | Specify the audit database password that matches the audit_db_password specified during installation. |

    [a] Download the JAR from here.


  8. Save the install.properties file.

Note

If your environment is configured to use SSL, modify the properties following the instructions in Set Up SSL for HBase Security Agents.

The following is an example of the HBase install.properties:

#
# Location of Policy Manager URL  
#
#
# Example:
# POLICY_MGR_URL=http://policymanager.xasecure.net:6080
#

POLICY_MGR_URL=http://policymgr:6080

#
# Location of mysql client library (please check the location of the jar file)
#
MYSQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar

#
# This is the repository name created within policy manager
#
# Example:
# REPOSITORY_NAME=hbasedev
#

REPOSITORY_NAME=sandbox_2_hbase

#
# AUDIT DB Configuration
# 
#  This information should match with the one you specified during the PolicyManager Installation
# 
# Example:
# XAAUDIT.DB.HOSTNAME=localhost
# XAAUDIT.DB.DATABASE_NAME=xasecure
# XAAUDIT.DB.USER_NAME=xalogger
# XAAUDIT.DB.PASSWORD=
#
#

XAAUDIT.DB.HOSTNAME=xasecure
XAAUDIT.DB.DATABASE_NAME=xasecure
XAAUDIT.DB.USER_NAME=xasecure
XAAUDIT.DB.PASSWORD=hadoop


#
# SSL Client Certificate Information
#
# Example:
# SSL_KEYSTORE_FILE_PATH=/etc/xasecure/conf/xasecure-hadoop-client.jks
# SSL_KEYSTORE_PASSWORD=clientdb01
# SSL_TRUSTSTORE_FILE_PATH=/etc/xasecure/conf/xasecure-truststore.jks
# SSL_TRUSTSTORE_PASSWORD=changeit

#
# IF YOU DO NOT DEFINE SSL parameters, the installation script will automatically generate necessary key(s) and assign appropriate values 
# ONLY If you want to assign manually, please uncomment the following variables and assign appropriate values. 

 3.3. Run the Agent Installation Script

After configuring the install.properties file, install the agent as root:

  1. Log on to the Linux system as root and go to the directory where you extracted the installation files:

    cd /tmp/xasecure/xasecure-$name-$build-version
  2. Run the agent installation script:

    # ./install.sh

 3.4. Restart the HBase Service (Manual HDP Installation)

Changes to the properties require a restart of the HBase services.

To restart HBase:

  1. Execute this command on the HBase Master host machine:

    su -l hbase -c "/usr/lib/hbase/bin/hbase-daemon.sh --config /etc/hbase/conf stop master; sleep 25"
  2. Execute this command on all RegionServers:

    su -l hbase -c "/usr/lib/hbase/bin/hbase-daemon.sh --config /etc/hbase/conf stop regionserver" 
  3. Execute this command on the HBase Master host machine:

    su -l hbase -c "/usr/lib/hbase/bin/hbase-daemon.sh --config /etc/hbase/conf start master; sleep 25"
  4. Execute this command on all RegionServers:

    su -l hbase -c "/usr/lib/hbase/bin/hbase-daemon.sh --config /etc/hbase/conf start regionserver" 

 3.5. Configure HBase Properties (Ambari Deployment)

HDP Security Administration requires that the following properties are set in hbase-site.xml. Configure these properties and restart HBase before creating a repository in the Policy Manager.

 

Table 4.10. Custom hbase-site.xml Parameters

| Key | Value |
|---|---|
| hbase.security.authorization | true |
| hbase.coprocessor.master.classes | com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor |
| hbase.coprocessor.region.classes | org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor |
| hbase.rpc.engine | org.apache.hadoop.hbase.ipc.SecureRpcEngine |
| hbase.rpc.protection | PRIVACY |


 3.5.1. Update and Add Properties with Ambari

Use these instructions to update the HBase properties in the Ambari UI.

  1. Log into the Ambari Web UI, and click HBase > Config.

    Note

    To find a parameter, type the parameter name in the Filter field and press Enter; if the parameter exists, it is returned in the list. Click the arrow to expand the lists and see the parameter settings.

  2. Update the following properties from the Ambari Default Value to the HDP Security required values:

     

    Table 4.11. HBase Parameter Values

    | HBase Property | Ambari Default Value | HDP Security Required Value |
    |---|---|---|
    | hbase.security.authorization | false | true |


  3. Expand Custom hbase-site.xml, and add the following properties:

     

    Table 4.12. Custom hbase-site.xml Properties

    | Key | Value |
    |---|---|
    | hbase.coprocessor.master.classes | com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor |
    | hbase.coprocessor.region.classes | org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor |
    | hbase.rpc.protection | PRIVACY |


    Note

    For each property, click Add Property, enter Key and Value shown in the table above, then click Add.

  4. After all the properties have been updated or added, click Save.

    The Custom hbase-site.xml properties display.

    When properties change, the affected services must be restarted. A Restart option appears.

  5. Click Restart > Restart all.
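
One way to confirm on each HBase host, after the restart, that hbase-site.xml carries the values listed in Table 4.10. This is an added example, not part of the original guide or of the product; the function names and the sample XML are constructed for illustration, and values are compared exactly as the table spells them.

```python
import xml.etree.ElementTree as ET

XA = "com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor"
# Table 4.10 values: EXACT keys must equal the value; CONTAINS keys are class lists.
EXACT = {
    "hbase.security.authorization": "true",
    "hbase.rpc.engine": "org.apache.hadoop.hbase.ipc.SecureRpcEngine",
    "hbase.rpc.protection": "PRIVACY",
}
CONTAINS = {
    "hbase.coprocessor.master.classes": [XA],
    "hbase.coprocessor.region.classes": [
        "org.apache.hadoop.hbase.security.token.TokenProvider",
        "org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint",
        XA,
    ],
}

def load_site(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def check_hbase_site(xml_text):
    """Return a list of findings; an empty list means the file matches Table 4.10."""
    props, findings = load_site(xml_text), []
    for key, want in EXACT.items():
        got = props.get(key)
        if got is None:
            findings.append(f"{key}: missing (expected {want})")
        elif got != want:
            findings.append(f"{key}: is {got!r}, expected {want!r}")
    for key, classes in CONTAINS.items():
        have = [c.strip() for c in props.get(key, "").split(",") if c.strip()]
        for cls in classes:
            if cls not in have:
                findings.append(f"{key}: missing class {cls}")
    return findings

# Constructed sample: authorization left at the Ambari default, region coprocessors not added.
SAMPLE = """<configuration>
  <property><name>hbase.security.authorization</name><value>false</value></property>
  <property><name>hbase.coprocessor.master.classes</name><value>com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor</value></property>
  <property><name>hbase.rpc.protection</name><value>PRIVACY</value></property>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(check_hbase_site(SAMPLE)))
```

To check a real host, pass the contents of /etc/hbase/conf/hbase-site.xml to check_hbase_site and compare the findings across the HBase Master and every Region Server.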

 3.6. Verify that Agent is Connected

Connected Agents display in the HDP Security Administration Web UI.

Note

Agents may not appear in the list until after the first event occurs in the repository.

To verify that the agent is connected to the server:

  1. Log in to the interface using the admin account.

  2. Click Audit > Agent.

 3.7. Test HBase Access and Auditing

After the repository is set up and you have verified that the agent is connected to the server, perform a few basic HBase tests as outlined below:

  1. Open a browser and go to http://hue-host:8888.

  2. Click on the Hue Shell icon in the navigation pane.

  3. Click HBase Shell.

    The prompt displays.

    hbase(main):001:0>
  4. At the prompt type list.

    hbase(main):001:0> list
    list
    TABLE 
    SLF4J: Class path contains multiple SLF4J bindings.
    SLF4J: Found binding in [jar:file:/usr/lib/hadoop/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    SLF4J: Found binding in [jar:file:/usr/lib/zookeeper/lib/slf4j-log4j12-1.6.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
    ambarismoketest 
    test 
    2 row(s) in 4.9490 seconds
    
    => ["ambarismoketest", "test"]

    The XASecure HBase agent reports the activity to the server.

    Note

    If the HBase command fails with the following ZooKeeper error, restart HBase with the root user account from the command line and retest.

    ERROR: Can't get master address from ZooKeeper; znode data == null
  5. Sign in to the Web UI and click Audit.

    The Big Data page displays a list of events for the configured Repositories.

  6. Click Search > Repository Type > HBase.

    The list filters as you make selections.

