The access controller coprocessor is only implemented at the RPC level, and it is based on the Simple Authentication and Security Layer (SASL); SASL allows authentication, encryption negotiation, and/or message integrity verification on a per-connection basis. To enable security in HBase, first set hbase.security.authentication as true. This property will enable the authentication only for HBase. As HBase uses Hadoop Distributed File System as the storage layer, hadoop.security.authentication should also be set as true.
Enabling authentication
To enable authentication, perform the following steps:
1. Add the following properties to hbase-site.xml on every HBase server host (Master or RegionServer) and HBase client host:
<property>
<name>hbase.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hbase.rpc.engine</name>
<value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
2. For authentication, a keytab file is required that contains a key used to get authenticated to KDC. Use the syntax <username>/<fully.qualified.domain.name>@<YOUR-REALM> for the principal name. It is preferred to use hbase as the user name.
3. Create the HBase Kerberos service principal as:
kadmin: addprinc -randkey hbase/fully.qualified.domain.name@YOUR-REALM.COM
4. Create a keytab file as:
kadmin: xst -k hbase.keytab hbase/fully.qualified.domain.name
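
A pre-rollout check for the steps above, as an added example that is not from the original text: it audits an hbase-site.xml for the three properties from step 1 and validates a principal name against the syntax from step 2. The function names, the upper-case realm assumption and the sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Expected values are the ones shown in step 1 above.
EXPECTED = {
    "hbase.security.authentication": "kerberos",
    "hbase.security.authorization": "true",
    "hbase.rpc.engine": "org.apache.hadoop.hbase.ipc.SecureRpcEngine",
}
# <username>/<fully.qualified.domain.name>@<YOUR-REALM> from step 2.
# Assumption: the realm is written in upper case, as in the page's example.
PRINCIPAL_RE = re.compile(r"[A-Za-z0-9_-]+/([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+@[A-Z0-9.-]+")

def audit_site(xml_text):
    """Return findings for missing, wrong or whitespace-damaged settings."""
    props = {}
    for node in ET.fromstring(xml_text).iter("property"):
        props[(node.findtext("name") or "").strip()] = node.findtext("value") or ""
    findings = []
    for name, want in EXPECTED.items():
        raw = props.get(name)
        if raw is None:
            findings.append(f"{name}: missing")
        elif re.search(r"\s", raw):
            # A value wrapped across lines, easy to do with the long class name.
            findings.append(f"{name}: value contains whitespace: {raw!r}")
        elif raw != want:
            findings.append(f"{name}: expected {want!r}, got {raw!r}")
    return findings

def valid_principal(principal):
    """True if the principal has the username/fqdn@REALM shape."""
    return PRINCIPAL_RE.fullmatch(principal) is not None

def make_property(name, value):
    return f"<property><name>{name}</name><value>{value}</value></property>"

# Constructed sample files, not taken from a real cluster.
GOOD_SITE = ("<configuration>"
             + "".join(make_property(k, v) for k, v in EXPECTED.items())
             + "</configuration>")
BAD_SITE = ("<configuration>"
            + make_property("hbase.security.authentication", "simple")
            + make_property("hbase.rpc.engine", "org.apache.hadoop.hbase.\nipc.SecureRpcEngine\n")
            + "</configuration>")

if __name__ == "__main__":
    for finding in audit_site(BAD_SITE):
        print(finding)
    print(valid_principal("hbase/fully.qualified.domain.name@YOUR-REALM.COM"))
```

Run it against the hbase-site.xml of every Master, RegionServer and client host, since step 1 requires the same settings on all of them.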