Apache Storm Component Guide
Also available as:
PDF
loading table of contents...

Configuring Storm-HBase for a Secure Cluster

To use the storm-hbase connector in topologies that run on secure clusters:

  1. Provide your own Kerberos keytab and principal name to the connectors. The Config object that you pass into the topology must contain the storm keytab file and principal name.

  2. Specify an HBaseBolt configKey, using the method HBaseBolt.withConfigKey("somekey"). The value map of this key should have the following two properties:

    storm.keytab.file: "<path-to-keytab-file>"

    storm.kerberos.principal: "<principal>@<host>"

    For example:

    Config config = new Config();
    config.put(HBaseSecurityUtil.STORM_KEYTAB_FILE_KEY, "$keytab");
    config.put(HBaseSecurityUtil.STORM_USER_NAME_KEY, "$principal");
    
    StormSubmitter.submitTopology("$topologyName", config, builder.createTopology());

    On worker hosts the bolt/trident-state code will use the keytab file and principal to authenticate with the NameNode. Make sure that all workers have the keytab file, stored in the same location.

    [Note]Note

    For more information about the HBaseBolt class, refer to the Apache Storm HBaseBolt API documentation.

  3. Distribute the keytab file that the Bolt is using in the Config object, to all supervisor nodes. This is the keytab that is being used to authenticate to HBase, typically the Storm service keytab, storm. The user ID that the Storm worker is running under should have access to it.

    On an Ambari-managed cluster this is /etc/security/keytabs/storm.service.keytab (the "path-to-keytab"), where the worker runs under storm.

  4. If you set supervisor.run.worker.as.user to true (see Running Workers as Users in Configuring Storm for Kerberos over Ambari), make sure that the user that the workers are running under (typically the storm keytab) has read access on those keytabs. This is a manual step; an admin needs to go to each supervisor node and run chmod to give file system permissions to the users on these keytab files.

    [Note]Note

    You do not need to create separate keytabs or principals; the general guideline is to create a principal and keytab for each group of users that requires the same access to these resources, and use that single keytab.

    All of these connectors accept topology configurations. You can specify the keytab location on the host and the principal through which the connector will login to that system.

  5. Configure the connector(s). Here is a sample configuration for the Storm-HBase connector:

    HBaseBolt hbase = new HBaseBolt("WordCount", mapper).withConfigKey("hbase.config");
    
    Map<String, Object> mapHbase = new HashMap<String,Object>(); 
    mapHbase.put("storm.keytab.file","/etc/security/keytabs/storm.service.keytab"); 
    mapHbase.put("storm.kerberos.principal","storm@TEST.HORTONWORKS.COM"); 
    
    Config config = new Config();
    config.put("hbase.config",mapHbase); 
    
    StormSubmitter.submitTopology("$topologyName",config,builder.createTopology());

[Important]Important

For the Storm-HBase connector, you must package hdfs-site.xml, core-site.xml, and hbase-site.xml (from your cluster configuration) in the topology .jar file.

In addition, include any other configuration files for HDP components used in your Storm topology, such as hive-site.xml. This fulfills the requirement that all related configuration files appear in the CLASSPATH of your Storm topology at runtime.