HBASE-7394 Document security config requirements from HBASE-7357 (Misty Stanley-Jones)
parent
172c93029d
commit
8c43acfd45
|
@ -40,24 +40,40 @@
|
||||||
<para>This describes how to set up Apache HBase and clients for connection to secure HBase
|
<para>This describes how to set up Apache HBase and clients for connection to secure HBase
|
||||||
resources.</para>
|
resources.</para>
|
||||||
|
|
||||||
<section>
|
<section xml:id="security.prerequisites">
|
||||||
<title>Prerequisites</title>
|
<title>Prerequisites</title>
|
||||||
<para> You need to have a working Kerberos KDC. </para>
|
<variablelist>
|
||||||
<para> A HBase configured for secure client access is expected to be running on top of a
|
<varlistentry>
|
||||||
secured HDFS cluster. HBase must be able to authenticate to HDFS services. HBase needs
|
<term>Hadoop Authentication Configuration</term>
|
||||||
Kerberos credentials to interact with the Kerberos-enabled HDFS daemons. Authenticating a
|
<listitem>
|
||||||
service should be done using a keytab file. The procedure for creating keytabs for HBase
|
<para>To run HBase RPC with strong authentication, you must set
|
||||||
service is the same as for creating keytabs for Hadoop. Those steps are omitted here. Copy
|
<code>hbase.security.authentication</code> to <literal>true</literal>. In this case,
|
||||||
the resulting keytab files to wherever HBase Master and RegionServer processes are deployed
|
you must also set <code>hadoop.security.authentication</code> to
|
||||||
and make them readable only to the user account under which the HBase daemons will run. </para>
|
<literal>true</literal>. Otherwise, you would be using strong authentication for
|
||||||
<para> A Kerberos principal has three parts, with the form
|
HBase but not for the underlying HDFS, which would cancel out any benefit.</para>
|
||||||
<code>username/fully.qualified.domain.name@YOUR-REALM.COM</code>. We recommend using
|
</listitem>
|
||||||
<code>hbase</code> as the username portion. </para>
|
</varlistentry>
|
||||||
<para> The following is an example of the configuration properties for Kerberos operation that
|
|
||||||
must be added to the <code>hbase-site.xml</code> file on every server machine in the
|
<varlistentry>
|
||||||
cluster. Required for even the most basic interactions with a secure Hadoop configuration,
|
<term>Kerberos KDC</term>
|
||||||
independent of HBase security. </para>
|
<listitem>
|
||||||
<programlisting><![CDATA[
|
<para> You need to have a working Kerberos KDC. </para>
|
||||||
|
<para> A HBase configured for secure client access is expected to be running on top of a
|
||||||
|
secured HDFS cluster. HBase must be able to authenticate to HDFS services. HBase needs
|
||||||
|
Kerberos credentials to interact with the Kerberos-enabled HDFS daemons.
|
||||||
|
Authenticating a service should be done using a keytab file. The procedure for
|
||||||
|
creating keytabs for HBase service is the same as for creating keytabs for Hadoop.
|
||||||
|
Those steps are omitted here. Copy the resulting keytab files to wherever HBase Master
|
||||||
|
and RegionServer processes are deployed and make them readable only to the user
|
||||||
|
account under which the HBase daemons will run. </para>
|
||||||
|
<para> A Kerberos principal has three parts, with the form
|
||||||
|
<code>username/fully.qualified.domain.name@YOUR-REALM.COM</code>. We recommend using
|
||||||
|
<code>hbase</code> as the username portion. </para>
|
||||||
|
<para> The following is an example of the configuration properties for Kerberos
|
||||||
|
operation that must be added to the <code>hbase-site.xml</code> file on every server
|
||||||
|
machine in the cluster. Required for even the most basic interactions with a secure
|
||||||
|
Hadoop configuration, independent of HBase security. </para>
|
||||||
|
<programlisting><![CDATA[
|
||||||
<property>
|
<property>
|
||||||
<name>hbase.regionserver.kerberos.principal</name>
|
<name>hbase.regionserver.kerberos.principal</name>
|
||||||
<value>hbase/_HOST@YOUR-REALM.COM</value>
|
<value>hbase/_HOST@YOUR-REALM.COM</value>
|
||||||
|
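Review bot: the values in the new "Hadoop Authentication Configuration" entry are wrong: `hbase.security.authentication` and `hadoop.security.authentication` are not boolean switches, they take `simple` or `kerberos`, so the sentence should read "set <code>hbase.security.authentication</code> to <literal>kerberos</literal>" and likewise for the Hadoop property. It would also help to say where each one lives (the HBase property in hbase-site.xml, the Hadoop property in Hadoop's core-site.xml), since a reader following this entry as written will put both in hbase-site.xml and the Hadoop setting will silently have no effect. Minor: "A HBase configured" in the reflowed paragraph should be "An HBase configured".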
@ -75,23 +91,30 @@
|
||||||
<value>/etc/hbase/conf/keytab.krb5</value>
|
<value>/etc/hbase/conf/keytab.krb5</value>
|
||||||
</property>
|
</property>
|
||||||
]]></programlisting>
|
]]></programlisting>
|
||||||
<para> Each HBase client user should also be given a Kerberos principal. This principal should
|
<para> Each HBase client user should also be given a Kerberos principal. This principal
|
||||||
have a password assigned to it (as opposed to a keytab file). The client principal's
|
should have a password assigned to it (as opposed to a keytab file). The client
|
||||||
<code>maxrenewlife</code> should be set so that it can be renewed enough times for the
|
principal's <code>maxrenewlife</code> should be set so that it can be renewed enough
|
||||||
HBase client process to complete. For example, if a user runs a long-running HBase client
|
times for the HBase client process to complete. For example, if a user runs a
|
||||||
process that takes at most 3 days, we might create this user's principal within
|
long-running HBase client process that takes at most 3 days, we might create this
|
||||||
<code>kadmin</code> with: <code>addprinc -maxrenewlife 3days</code>
|
user's principal within <code>kadmin</code> with: <code>addprinc -maxrenewlife
|
||||||
</para>
|
3days</code>
|
||||||
<para> Long running daemons with indefinite lifetimes that require client access to HBase can
|
</para>
|
||||||
instead be configured to log in from a keytab. For each host running such daemons, create a
|
<para> Long running daemons with indefinite lifetimes that require client access to
|
||||||
keytab with <code>kadmin</code> or <code>kadmin.local</code>. The procedure for creating
|
HBase can instead be configured to log in from a keytab. For each host running such
|
||||||
keytabs for HBase service is the same as for creating keytabs for Hadoop. Those steps are
|
daemons, create a keytab with <code>kadmin</code> or <code>kadmin.local</code>. The
|
||||||
omitted here. Copy the resulting keytab files to where the client daemon will execute and
|
procedure for creating keytabs for HBase service is the same as for creating keytabs
|
||||||
make them readable only to the user account under which the daemon will run. </para>
|
for Hadoop. Those steps are omitted here. Copy the resulting keytab files to where the
|
||||||
|
client daemon will execute and make them readable only to the user account under which
|
||||||
|
the daemon will run. </para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Server-side Configuration for Secure Operation</title>
|
<title>Server-side Configuration for Secure Operation</title>
|
||||||
|
<para>First, refer to <xref linkend="security.prerequisites" /> and ensure that your
|
||||||
|
underlying HDFS configuration is secure.</para>
|
||||||
<para> Add the following to the <code>hbase-site.xml</code> file on every server machine in
|
<para> Add the following to the <code>hbase-site.xml</code> file on every server machine in
|
||||||
the cluster: </para>
|
the cluster: </para>
|
||||||
<programlisting><![CDATA[
|
<programlisting><![CDATA[
|
||||||
|
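Review bot: the single `<varlistentry>` closed here (`</listitem></varlistentry></variablelist>`) files everything from the KDC requirement through the hbase-site.xml Kerberos properties and the client principal and keytab guidance under the one term "Kerberos KDC", which describes only the first paragraph; either split it into separate entries (for example "Kerberos KDC", "Service keytabs", "Client principals") or rename the term to something like "Kerberos setup". Separately, most of this hunk is whitespace reflow of unchanged sentences, which buries the two real changes (the closing tags and the new "First, refer to" paragraph); committing the reflow on its own would make the content change reviewable at a glance.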
@ -114,6 +137,8 @@
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Client-side Configuration for Secure Operation</title>
|
<title>Client-side Configuration for Secure Operation</title>
|
||||||
|
<para>First, refer to <xref linkend="security.prerequisites" /> and ensure that your
|
||||||
|
underlying HDFS configuration is secure.</para>
|
||||||
<para> Add the following to the <code>hbase-site.xml</code> file on every client: </para>
|
<para> Add the following to the <code>hbase-site.xml</code> file on every client: </para>
|
||||||
<programlisting><![CDATA[
|
<programlisting><![CDATA[
|
||||||
<property>
|
<property>
|
||||||
|
|
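Review bot: the new cross-reference paragraph is a verbatim copy of the one added to the server-side section, but "ensure that your underlying HDFS configuration is secure" is not something a client can act on. What the client side actually needs from the prerequisites is stated elsewhere in this patch: a Kerberos principal for the user (password or keytab) and an authentication setting that matches the cluster, so the sentence should say that the client's `hbase.security.authentication` and Hadoop `hadoop.security.authentication` values must match the cluster's and that the user must hold valid credentials for a principal, rather than repeating the server-side wording.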