Set up client account
Follow these steps to provision a kerberos account for the client and grant permissions to that account in HBase, so that you can create, read and write tables.
- Log in to KDC.
- Switch to root directory.
$ sudo kadmin.local kadmin.local: addprinc myself WARNING: no policy specified for myself@EXAMPLE.COM; defaulting to no policy Enter password for principal "myself@EXAMPLE.COM": Re-enter password for principal "myself@EXAMPLE.COM": Principal "myself@EXAMPLE.COM" created. kadmin.local: xst -k /etc/security/keytabs/myself.keytab -norandkey myself Entry for principal myself with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/myself.keytab. Entry for principal myself with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/myself.keytab.
- Copy the keytab file to the conf directory.
Grant permissions in HBase. For more information, See Configure HBase for
Access Control Lists (ACL).
klist -k /etc/security/keytabs/hbase.headless.keytabOptional step: You should secure the keytab file so that only the HBase process has access to the keytab. This can be accomplished by running a command.
$>sudo chmod 700 /etc/security/keytabs/hbase.headless.keytab
$ kinit -kt /etc/security/keytabs/hbase.headless.keytab hbase $ hbase shell hbase(main):001:0> status 1 active master, 0 backup masters, 4 servers, 1 dead, 1.2500 average load
- Authorize admin permissions to the user. You can also customize this to restrict this account for minimal access. For more information see, http://hbase.apache.org/0.94/book/hbase.accesscontrol.configuration.html#d1984e4744
hbase(main):001:0> grant 'myself', 'C'