Configure Secure Client-Side Access for HBase
How to configure secure client-side access for HBase when setting up Kerberos for non-Ambari clusters.
Provide a Kerberos principal to the HBase client user using the instructions
provided in “Creating Service Principals and Keytab Files for HDP”.
Option: Provide Kerberos principal to normal HBase clients.
Steps:
For normal HBase clients, Hortonworks recommends setting up a password for the principal.
The client principal's maxrenewlife should be set high enough that the HBase client process has time to complete. Client principals are not renewed automatically.
For example, if a user runs a long-running HBase client process that takes at most three days, we might create this user's principal within kadmin with the following command:
addprinc -maxrenewlife 3days

Option: Provide Kerberos principal to long running HBase clients.
Steps:
Set up a keytab file for the principal and copy the resulting keytab files to where the client daemon will execute.
Ensure that you make this file readable only to the user account under which the daemon will run.
On every HBase client, add the following properties to the
<property>
  <name>hbase.security.authentication</name>
  <value>kerberos</value>
</property>

Note: The client environment must be logged in to Kerberos from KDC or keytab via the kinit command before communication with the HBase cluster is possible. Note that the client will not be able to communicate with the cluster if the hbase.security.authentication property in the client- and server-side site files fails to match.

<property>
  <name>hbase.rpc.engine</name>
  <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
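A preflight check for two requirements stated above: the keytab must be readable only by the daemon's account, and hbase.security.authentication must match in the client- and server-side site files. This is an added example, not part of the original documentation; the function names and the sample site files are constructed for illustration, and an absent property is treated as HBase's default value "simple".

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

AUTH_KEY = "hbase.security.authentication"

# Constructed sample site files (not taken from a real cluster).
CLIENT_SITE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
</configuration>"""
SERVER_SITE_UNSECURED = "<configuration></configuration>"

def site_props(xml_text):
    """Parse Hadoop-style <property><name/><value/></property> entries into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def auth_mismatch(client_xml, server_xml):
    """Return None if both sides agree, else (client_value, server_value)."""
    # Assumption: "simple" is HBase's default when the property is absent.
    client = site_props(client_xml).get(AUTH_KEY, "simple")
    server = site_props(server_xml).get(AUTH_KEY, "simple")
    return None if client == server else (client, server)

def keytab_problems(path, daemon_uid):
    """List reasons the keytab is readable by anyone but the daemon account."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != daemon_uid:
        problems.append("not owned by daemon uid %d" % daemon_uid)
    if mode & 0o077:
        problems.append("group/other permission bits set: %o" % mode)
    return problems

if __name__ == "__main__":
    print("auth mismatch:", auth_mismatch(CLIENT_SITE, SERVER_SITE_UNSECURED))
    with tempfile.NamedTemporaryFile(suffix=".keytab") as kt:  # stand-in file, not a real keytab
        os.chmod(kt.name, 0o644)
        print("mode 0644:", keytab_problems(kt.name, os.getuid()))
        os.chmod(kt.name, 0o400)
        print("mode 0400:", keytab_problems(kt.name, os.getuid()))
```

Run it on the client host against copies of both site files before starting the daemon; a non-empty result from either check points to the cause of a client that cannot reach the cluster or a keytab that other local accounts can read.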