Apache Hadoop High Availability

Setting Up HBase Replication Among Kerberos Secured Clusters

HBase replication works between Kerberos-secured clusters. Use this setup when the replication traffic between the two clusters must be authenticated rather than sent in the clear.

Prerequisite

You have configured HBase replication in two separate clusters.

Before you configure replication between secured clusters, you must set up cross-realm authentication for Kerberos, ZooKeeper, and Apache Hadoop, as described in the following steps.

  1. Create krbtgt principals for the two realms.

    For example, if you have two realms called HDP1.COM and HDP2.COM, the realms must share a key. To do this, add the following principals in both realms:

    krbtgt/HDP1.COM@HDP2.COM and krbtgt/HDP2.COM@HDP1.COM

    Create each principal with the same password on both KDCs, so that the derived keys match, and make sure there is at least one encryption type in common between the two realms:

    HDP1 Cluster
              kadmin.local:addprinc krbtgt/HDP1.COM@HDP2.COM
              kadmin.local:addprinc krbtgt/HDP2.COM@HDP1.COM
    HDP2 Cluster
              kadmin.local:addprinc krbtgt/HDP1.COM@HDP2.COM
              kadmin.local:addprinc krbtgt/HDP2.COM@HDP1.COM
    Note

    To ensure that there is at least one common encryption type between the realms, use the -e option of addprinc to specify the list of encryption types as enctype:salttype pairs (for example aes256-cts:normal). See "Supported Encryption Types" in the MIT Kerberos documentation for your deployment for the available options.

    kadmin.local:addprinc -e "<enc_type_list>" krbtgt/HDP1.COM@HDP2.COM

  2. Add rules to ZooKeeper in each cluster to derive short names from the incoming principal.

    To do this, add a JVM system property to java.env in the ZooKeeper conf directory (for example as part of SERVER_JVMFLAGS). Because java.env is sourced by the shell, the value below is written for a double-quoted shell string: \$ keeps the shell from expanding the $0 and $1 placeholders, and \\Q and \\E become the regex quoting \Q and \E by the time ZooKeeper sees them.

    • On the HDP1 cluster, add support for the realm called HDP2.COM for principals with two components (such as service/instance@HDP2.COM):

      -Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QHDP2.COM\\E$)s/@\\QHDP2.COM\\E$//DEFAULT
    • On the HDP2 cluster, add support for the realm called HDP1.COM for principals with two components (such as service/instance@HDP1.COM):

      -Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QHDP1.COM\\E$)s/@\\QHDP1.COM\\E$//DEFAULT

    Each RULE takes a two-component principal, formats it as $1@$0 (name@REALM), accepts it only if the realm is the trusted peer realm, and strips the realm suffix, leaving the service name. DEFAULT is the fallback rule: it maps a principal from the cluster's own realm to its first component and matches principals from any other realm not at all, so a principal that matches neither rule gets no short name.

  3. Add rules for creating short names in the Hadoop processes. To do this, add the hadoop.security.auth_to_local property to core-site.xml on each cluster. core-site.xml is read as XML, not by a shell, so the rule is written without the shell escaping used in java.env: plain $1@$0, and single-backslash \Q and \E. If the shell-escaped form is pasted into the XML, the backslashes reach the rule parser literally, the regex never matches a real principal, and principals from the peer realm are rejected.

    • On the HDP1 cluster, add the following:

      <property>
       <name>hadoop.security.auth_to_local</name>
       <value>
       RULE:[2:$1@$0](.*@\QHDP2.COM\E$)s/@\QHDP2.COM\E$//DEFAULT
       </value>
      </property>
    • On the HDP2 cluster, add the following:

      <property>
       <name>hadoop.security.auth_to_local</name>
       <value>
       RULE:[2:$1@$0](.*@\QHDP1.COM\E$)s/@\QHDP1.COM\E$//DEFAULT
       </value>
      </property>
  4. Follow the instructions in the Managing and Configuring HBase Cluster Replication section to complete the replication setup.
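The following Python script is an added example; it is not part of this page and not Hadoop or ZooKeeper code. It reimplements the subset of the auth_to_local rule evaluation that steps 2 and 3 rely on (RULE:[n:format](regex)s/pattern/replacement/ followed by DEFAULT), runs the HDP1 cluster's rule over a few constructed principals, and checks that the shell-escaped java.env form and the plain core-site.xml form of the rule are the same rule once the shell has removed its escapes. The principal and host names are constructed for the example; \Q...\E quoting is translated with re.escape because Python's re does not support it. It goes slightly beyond the page by also showing what happens to a one-component principal from the peer realm.

```python
import re

# Constructed sample input: the page's HDP1 rule in both of its forms.
JAVA_ENV_RULE = (
    r"-Dzookeeper.security.auth_to_local="
    r"RULE:[2:\$1@\$0](.*@\\QHDP2.COM\\E$)s/@\\QHDP2.COM\\E$//DEFAULT"
)  # java.env form: escaped for a double-quoted shell string
CORE_SITE_RULE = r"RULE:[2:$1@$0](.*@\QHDP2.COM\E$)s/@\QHDP2.COM\E$//DEFAULT"
# core-site.xml form: read as XML, so no shell escaping

# Rule grammar, reduced to what these clusters use:
#   RULE:[<n>:<format>](<regex>)s/<pattern>/<replacement>/[g]   and   DEFAULT
RULE_RE = re.compile(
    r"\s*(?:(DEFAULT)|RULE:\[(\d+):([^\]]*)\]"
    r"(?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?)"
)


def shell_unescape(s):
    # What bash yields for a double-quoted string: a backslash is only
    # special before \ $ ` and " (enough to undo the java.env escaping).
    return re.sub(r'\\([\\$`"])', r"\1", s)


def java_regex(pattern):
    # Python's re has no \Q...\E; expand each quoted span with re.escape.
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern)


def parse_rules(text):
    # Turn an auth_to_local string into ('DEFAULT',) / ('RULE', ...) tuples.
    rules, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = RULE_RE.match(text, pos)
        if not m:
            raise ValueError("unparseable auth_to_local rule at: %r" % text[pos:])
        if m.group(1):
            rules.append(("DEFAULT",))
        else:
            n, fmt, regex, pat, rep, g = m.group(2, 3, 4, 5, 6, 7)
            rules.append(("RULE", int(n), fmt, regex, pat, rep, bool(g)))
        pos = m.end()
    return rules


def split_principal(principal):
    # 'hbase/rs1.example.com@HDP2.COM' -> (['hbase', 'rs1.example.com'], 'HDP2.COM')
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("not a Kerberos principal: " + principal)
    return name.split("/"), realm


def to_short_name(principal, rules, local_realm):
    # Apply the rules in order; the first one that applies wins.
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule[0] == "DEFAULT":
            # DEFAULT only accepts principals from the cluster's own realm.
            if realm == local_realm:
                return comps[0]
            continue
        _, n, fmt, regex, pat, rep, use_g = rule
        if len(comps) != n:       # a [2:...] rule only sees two-component principals
            continue
        params = [realm] + comps  # $0 is the realm, $1..$n the components
        candidate = re.sub(r"\$(\d+)", lambda m: params[int(m.group(1))], fmt)
        if regex is not None and not re.fullmatch(java_regex(regex), candidate):
            continue              # the whole formatted name must match the regex
        if pat is not None:
            candidate = re.sub(java_regex(pat), rep, candidate, count=0 if use_g else 1)
        if "@" in candidate or "/" in candidate:
            raise ValueError("non-simple name %r after rule" % candidate)
        return candidate
    raise ValueError("no rule applied to " + principal)


def java_env_matches_core_site():
    # The java.env value, after the shell strips its escapes, is the XML value.
    return shell_unescape(JAVA_ENV_RULE.split("=", 1)[1]) == CORE_SITE_RULE


# Constructed principals, as the HDP1 cluster's daemons would see them.
SAMPLES = [
    "hbase/rs1.hdp2.example.com@HDP2.COM",  # peer-realm service principal
    "hbase/rs1.hdp1.example.com@HDP1.COM",  # local service principal (DEFAULT)
    "alice@HDP1.COM",                       # local user principal (DEFAULT)
    "alice@HDP2.COM",                       # one component: neither rule applies
    "hbase/rs1.evil.example.com@EVIL.COM",  # untrusted realm
]


def map_all(principals, rules_text=CORE_SITE_RULE, local_realm="HDP1.COM"):
    rules = parse_rules(rules_text)
    out = {}
    for p in principals:
        try:
            out[p] = to_short_name(p, rules, local_realm)
        except ValueError as e:
            out[p] = "REJECTED: " + str(e)
    return out


if __name__ == "__main__":
    print("java.env and core-site.xml agree:", java_env_matches_core_site())
    for p, result in map_all(SAMPLES).items():
        print("%-40s -> %s" % (p, result))
```

Running it shows that the page's rule maps only two-component service principals from the peer realm (hbase/rs1.hdp2.example.com@HDP2.COM becomes hbase), that local principals fall through to DEFAULT, and that a one-component principal such as alice@HDP2.COM matches neither the RULE nor DEFAULT. If user principals from the peer realm also need to resolve, they need a rule of their own with a [1:$1@$0] format.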