HBase can be configured to provide User Authentication, which ensures that only authorized users can communicate with HBase.  The authorization system is implemented at the RPC level, and is based on the Simple Authentication and Security Layer (SASL.)  Hackolade provides support for basic authentication.



Hackolade also supports the Kerberos mechanism. For more info on how to setup Kerberos in HBase, please consult this link and this useful article.


The Kerberos parameters for HBase are maintained in Hackolade as follows:



A Kerberos principal is a unique identity to which Kerberos can assign tickets.


Principals can have an arbitrary number of components. Each component is separated by a component separator, generally /. The last component is the realm, separated from the rest of the principal by the realm separator, generally @.


An example for a Kerberos Principal is: primary/instance@REALM.


A Kerberos Service Name is the name by which a client uniquely identifies an instance of a service.Typically, the service name for an instance is named hbase. Provide another name here if your HBase instance was set up with a different service name.


The service principal must be in the form: service@<hostname>. (Otherwise, if you only pass the hostname (also called fqdn - fully qualified domain name), it would default to HTTP@fqdn. And it would be resolved to the corresponding principal service/<hostname>@REALM by the GSS-API, which is not desirable, cfr this page.)


The minimum requirements to be able to connect with the Kerberos protocol are:

  • Name of a host must always be the same as a computer host (hostname -f)
  • Add to the "hbase-site.xml" the following parameters:
    <property>

             <name>hadoop.proxyuser.HTTP.groups</name>

             <value>*</value>

</property>

<property>

   <name>hadoop.proxyuser.HTTP.hosts</name>

   <value>*</value>

</property>


Instructions:

  1. Start Kerberos services:
    1. service krb5-admin-server start
    2. service krb5-kdc start
  2. Start HBase with Kerberos:
    1. Hadoop (dfs.sh, yarn.sh)
    2. Zookeeper (zkServer.sh)
    3. HBase (start-hbase.sh)
    4. HBase Rest (hbase rest start)
  3. Obtains and caches an initial ticket-granting ticket for principal:
    1. kinit hbase@EXAMPLE.COM (pass:<password>)
    2. klist - (check if ticket received)
  4. Check by curl request:
    1. curl -i --negotiate -u : http://<host>:<port>/version/cluster
    2. curl -i --negotiate -u : http://<host>:<port>/namespaces


For more information with Hortonworks installations, click here.