Cloudera Docs » 2.4.3 » Hadoop Security Guide
Hadoop Security Guide
Also available as:
PDF
loading table of contents...
hbase-site.xml

For HBase to run on a secured cluster, HBase must be able to authenticate itself to HDFS. Add the following information to the hbase-site.xml file on your HBase server. There are no default values; the following are only examples:

Table 2.15. hbase-site.xml Property Settings for HBase Server

Property Name

Property Value

Description

hbase.master.keytab.file

/etc/security/keytabs/hm.service.keytab

The keytab for the HMaster service principal.

hbase.master.kerberos.principal

hm/_HOST@EXAMPLE.COM

The Kerberos principal name that should be used to run the HMaster process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance.

hbase.regionserver.keytab.file

/etc/security/keytabs/hbase.service.keytab

The keytab for the HRegionServer service principal.

hbase.regionserver.kerberos.principal

hbase/_HOST@EXAMPLE.COM

The Kerberos principal name that should be used to run the HRegionServer process. If _HOST is used as the hostname portion, it will be replaced with the actual hostname of the running instance.

hbase.superuser

hbase

A comma-separated list of users or groups that are allowed full privileges, regardless of stored ACLs, across the cluster. Only used when HBase security is enabled.

hbase.coprocessor.region.classes

Setting 1:org.apache.hadoop.hbase.

security.token.TokenProvider,

Setting 2:org.apache.hadoop.hbase.

security.access.SecureBulkLoadEndpoint,

Setting 3:org.apache.hadoop.hbase.

security.access.AccessController

A comma-separated list of coprocessors that are loaded by default on all tables. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own coprocessor, add the class to HBase's classpath and add the fully qualified class name here. Coprocessors can also be loaded programmatically using HTableDescriptor.

hbase.coprocessor.master.classes

org.apache.hadoop.hbase.security.

access.AccessController

A comma-separated list of MasterObserver coprocessors that are loaded by by the active HMaster process. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own MasterObserver, add the class to HBase's classpath and add the fully qualified class name here.

hbase.coprocessor.regionserver.classes

org.apache.hadoop.hbase.security.

access.AccessController

 A comma-separated list of RegionServerObserver coprocessors that are loaded by the HRegionServer processes. For any implemented coprocessor methods, the listed classes will be called in order. After implementing your own RegionServerObserver, add the class to the HBase classpath and fully qualified class name here.
phoenix.queryserver.kerberos.principalhbase/_HOST@EXAMPLE.COMThe Kerberos principal for the Phoenix Query Server process. The Phoenix Query Server is an optional component; this property only needs to be set when the query server is installed.
phoenix.queryserver.keytab.file/etc/security/keytabs/hbase.service.keytabThe path to the Kerberos keytab file for the Phoenix Query Server process. The Phoenix Query Server is an optional component; this property only needs to be set when the query server is installed.

Following is the XML for these entries:

<property> 
     <name>hbase.master.keytab.file</name> 
     <value>/etc/security/keytabs/hbase.service.keytab</value> 
     <description>Full path to the kerberos keytab file to use for logging
     in the configured HMaster server principal. 
     </description> 
</property> 
 
<property> 
     <name>hbase.master.kerberos.principal</name> 
     <value>hm/_HOST@EXAMPLE.COM</value> 
      <description>Ex. "hbase/_HOST@EXAMPLE.COM". 
     The Kerberos principal name that should be used to run the HMaster 
     process. The principal name should be in the form: user/hostname@DOMAIN. 
     If "_HOST" is used as the hostname portion, it will be replaced with
     the actual hostname of the running instance.
     </description> 
</property> 
 
<property> 
     <name>hbase.regionserver.keytab.file</name> 
     <value>/etc/security/keytabs/hbase.service.keytab</value> 
     <description>Full path to the kerberos keytab file to use for logging
     in the configured HRegionServer server principal. 
     </description> 
</property> 
 
<property> 
     <name>hbase.regionserver.kerberos.principal</name> 
     <value>hbase/_HOST@EXAMPLE.COM</value> 
     <description>Ex. "hbase/_HOST@EXAMPLE.COM". 
     The kerberos principal name that
     should be used to run the HRegionServer process. The
     principal name should be in the form: 
     user/hostname@DOMAIN. If _HOST
     is used as the hostname portion, it will be replaced 
     with the actual hostname of the running
     instance. An entry for this principal must exist
     in the file specified in hbase.regionserver.keytab.file 
     </description> 
</property> 
 
<!--Additional configuration specific to HBase security -->
 
<property> 
     <name>hbase.superuser</name> 
     <value>hbase</value> 
     <description>List of users or groups (comma-separated), who are
     allowed full privileges, regardless of stored ACLs, across the cluster.
     Only used when HBase security is enabled. 
     </description> 
</property> 
 
<property> 
     <name>hbase.coprocessor.region.classes</name> 
     <value>org.apache.hadoop.hbase.security.token.TokenProvider,
     org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,
     org.apache.hadoop.hbase.security.access.AccessController</value> 
     <description>A comma-separated list of coprocessors that are loaded
     by default on all tables. For any override coprocessor method, 
     these classes will be called in order. After implementing your 
     own coprocessor, just put it in HBase's classpath and add the 
     fully qualified class name here. A coprocessor can also be loaded on 
     demand by setting HTableDescriptor. 
     </description> 
</property> 
 
<property> 
     <name>hbase.coprocessor.master.classes</name> 
     <value>org.apache.hadoop.hbase.security.access.AccessController</value> 
     <description>A comma-separated list of MasterObserver coprocessors that
     are loaded by by the active HMaster process. For any implemented coprocessor
     methods, the listed classes will be called in order. After implementing your
     own MasterObserver, add the class to HBase's classpath and add the fully
     qualified class name here.  
     </description> 
</property>

<property>
    <name>hbase.coprocessor.regionserver.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
    <description>A comma-separated list of RegionServerObserver coprocessors
    that are loaded by the HRegionServer processes. For any implemented 
    coprocessor methods, the listed classes will be called in order. After 
    implementing your own RegionServerObserver, add the class to the HBase 
    classpath and fully qualified class name here.
    </description>
</property>

<property>
    <name>phoenix.queryserver.kerberos.principal</name>
    <value>hbase/_HOST@EXAMPLE.COM</value>
    <description>The Kerberos principal for the Phoenix Query Server 
    process. The Phoenix Query Server is an optional component; this 
    property only needs to be set when the query server is installed.
    </description>
</property>

<property>
    <name>phoenix.queryserver.keytab.file</name>
    <value>/etc/security/keytabs/hbase.service.keytab</value>
    <description>The path to the Kerberos keytab file for the 
    Phoenix Query Server process. The Phoenix Query Server is an optional 
    component; this property only needs to be set when the query server 
    is installed.</description>
</property>
© 2012–2021 by Cloudera, Inc.
Document licensed under the Creative Commons Attribution ShareAlike 4.0 License.
Cloudera.com | Documentation | Support | Community