HBASE-7394 Document security config requirements from HBASE-7357 (Misty Stanley-Jones)

Michael Stack 2014-06-08 17:23:17 -07:00
parent 172c93029d
commit 8c43acfd45
1 changed files with 55 additions and 30 deletions


@ -40,24 +40,40 @@
<para>This describes how to set up Apache HBase and clients for connection to secure HBase <para>This describes how to set up Apache HBase and clients for connection to secure HBase
resources.</para> resources.</para>
<section> <section xml:id="security.prerequisites">
<title>Prerequisites</title> <title>Prerequisites</title>
<para> You need to have a working Kerberos KDC. </para> <variablelist>
<para> A HBase configured for secure client access is expected to be running on top of a <varlistentry>
secured HDFS cluster. HBase must be able to authenticate to HDFS services. HBase needs <term>Hadoop Authentication Configuration</term>
Kerberos credentials to interact with the Kerberos-enabled HDFS daemons. Authenticating a <listitem>
service should be done using a keytab file. The procedure for creating keytabs for HBase <para>To run HBase RPC with strong authentication, you must set
service is the same as for creating keytabs for Hadoop. Those steps are omitted here. Copy <code>hbase.security.authentication</code> to <literal>true</literal>. In this case,
the resulting keytab files to wherever HBase Master and RegionServer processes are deployed you must also set <code>hadoop.security.authentication</code> to
and make them readable only to the user account under which the HBase daemons will run. </para> <literal>true</literal>. Otherwise, you would be using strong authentication for
<para> A Kerberos principal has three parts, with the form HBase but not for the underlying HDFS, which would cancel out any benefit.</para>
<code>username/fully.qualified.domain.name@YOUR-REALM.COM</code>. We recommend using </listitem>
<code>hbase</code> as the username portion. </para> </varlistentry>
<para> The following is an example of the configuration properties for Kerberos operation that
must be added to the <code>hbase-site.xml</code> file on every server machine in the <varlistentry>
cluster. Required for even the most basic interactions with a secure Hadoop configuration, <term>Kerberos KDC</term>
independent of HBase security. </para> <listitem>
<programlisting><![CDATA[ <para> You need to have a working Kerberos KDC. </para>
<para> A HBase configured for secure client access is expected to be running on top of a
secured HDFS cluster. HBase must be able to authenticate to HDFS services. HBase needs
Kerberos credentials to interact with the Kerberos-enabled HDFS daemons.
Authenticating a service should be done using a keytab file. The procedure for
creating keytabs for HBase service is the same as for creating keytabs for Hadoop.
Those steps are omitted here. Copy the resulting keytab files to wherever HBase Master
and RegionServer processes are deployed and make them readable only to the user
account under which the HBase daemons will run. </para>
<para> A Kerberos principal has three parts, with the form
<code>username/fully.qualified.domain.name@YOUR-REALM.COM</code>. We recommend using
<code>hbase</code> as the username portion. </para>
<para> The following is an example of the configuration properties for Kerberos
operation that must be added to the <code>hbase-site.xml</code> file on every server
machine in the cluster. Required for even the most basic interactions with a secure
Hadoop configuration, independent of HBase security. </para>
<programlisting><![CDATA[
<property> <property>
<name>hbase.regionserver.kerberos.principal</name> <name>hbase.regionserver.kerberos.principal</name>
<value>hbase/_HOST@YOUR-REALM.COM</value> <value>hbase/_HOST@YOUR-REALM.COM</value>
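Review bot: The new "Hadoop Authentication Configuration" entry tells the reader to set `hbase.security.authentication` and `hadoop.security.authentication` to `true`, but both properties take an authentication mode rather than a boolean; for the Kerberos setup the rest of this section describes, the value is `kerberos` (the non-secure default is `simple`). Suggest changing both `<literal>true</literal>` occurrences to `<literal>kerberos</literal>` and naming the configuration file each property belongs in, so that readers do not set the Hadoop-side property only in `hbase-site.xml`. Minor grammar in the moved KDC paragraph: "A HBase configured" should read "An HBase configured".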
@ -75,23 +91,30 @@
<value>/etc/hbase/conf/keytab.krb5</value> <value>/etc/hbase/conf/keytab.krb5</value>
</property> </property>
]]></programlisting> ]]></programlisting>
<para> Each HBase client user should also be given a Kerberos principal. This principal should <para> Each HBase client user should also be given a Kerberos principal. This principal
have a password assigned to it (as opposed to a keytab file). The client principal's should have a password assigned to it (as opposed to a keytab file). The client
<code>maxrenewlife</code> should be set so that it can be renewed enough times for the principal's <code>maxrenewlife</code> should be set so that it can be renewed enough
HBase client process to complete. For example, if a user runs a long-running HBase client times for the HBase client process to complete. For example, if a user runs a
process that takes at most 3 days, we might create this user's principal within long-running HBase client process that takes at most 3 days, we might create this
<code>kadmin</code> with: <code>addprinc -maxrenewlife 3days</code> user's principal within <code>kadmin</code> with: <code>addprinc -maxrenewlife
</para> 3days</code>
<para> Long running daemons with indefinite lifetimes that require client access to HBase can </para>
instead be configured to log in from a keytab. For each host running such daemons, create a <para> Long running daemons with indefinite lifetimes that require client access to
keytab with <code>kadmin</code> or <code>kadmin.local</code>. The procedure for creating HBase can instead be configured to log in from a keytab. For each host running such
keytabs for HBase service is the same as for creating keytabs for Hadoop. Those steps are daemons, create a keytab with <code>kadmin</code> or <code>kadmin.local</code>. The
omitted here. Copy the resulting keytab files to where the client daemon will execute and procedure for creating keytabs for HBase service is the same as for creating keytabs
make them readable only to the user account under which the daemon will run. </para> for Hadoop. Those steps are omitted here. Copy the resulting keytab files to where the
client daemon will execute and make them readable only to the user account under which
the daemon will run. </para>
</listitem>
</varlistentry>
</variablelist>
</section> </section>
<section> <section>
<title>Server-side Configuration for Secure Operation</title> <title>Server-side Configuration for Secure Operation</title>
<para>First, refer to <xref linkend="security.prerequisites" /> and ensure that your
underlying HDFS configuration is secure.</para>
<para> Add the following to the <code>hbase-site.xml</code> file on every server machine in <para> Add the following to the <code>hbase-site.xml</code> file on every server machine in
the cluster: </para> the cluster: </para>
<programlisting><![CDATA[ <programlisting><![CDATA[
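Review bot: The "Kerberos KDC" varlistentry now wraps everything from the KDC requirement through service keytabs, client principals and long-running daemon keytabs, so its term no longer describes its contents; either split it into separate entries (for example "Kerberos KDC", "Service keytabs", "Client principals") or give it a broader term. The sentence pair "The procedure for creating keytabs for HBase service is the same as for creating keytabs for Hadoop. Those steps are omitted here." is now repeated twice inside the same entry, once for the daemon keytabs and once for the client daemon keytabs; one mention with a cross-reference would do. Also, the reflow splits the `addprinc -maxrenewlife 3days` command across two lines inside `<code>`; keep it on one line so the rendered command is not broken by a line wrap.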
@ -114,6 +137,8 @@
<section> <section>
<title>Client-side Configuration for Secure Operation</title> <title>Client-side Configuration for Secure Operation</title>
<para>First, refer to <xref linkend="security.prerequisites" /> and ensure that your
underlying HDFS configuration is secure.</para>
<para> Add the following to the <code>hbase-site.xml</code> file on every client: </para> <para> Add the following to the <code>hbase-site.xml</code> file on every client: </para>
<programlisting><![CDATA[ <programlisting><![CDATA[
<property> <property>
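Review bot: The client-side xref sentence is a verbatim copy of the server-side one and only tells the client reader that HDFS must be secure, but the new prerequisites text makes `hadoop.security.authentication` a requirement alongside `hbase.security.authentication`; on the client that means the client's own Hadoop configuration must carry the same authentication setting as the cluster, which the sentence as written does not convey. Suggest wording the client-side note to say that the client's Hadoop configuration must match the cluster's authentication setting rather than duplicating the server sentence.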