The Kerberos parameters for HBase are maintained in Hackolade as follows:
A Kerberos principal is a unique identity to which Kerberos can assign tickets.
Principals can have an arbitrary number of components. Each component is separated by a component separator, generally /. The last component is the realm, separated from the rest of the principal by the realm separator, generally @.
An example for a Kerberos Principal is: primary/instance@REALM.
A Kerberos Service Name is the name by which a client uniquely identifies an instance of a service. Typically, the service name for an instance is hbase. Provide another name here if your HBase instance was set up with a different service name.
The service principal must be in the form: service@<hostname>. Otherwise, if you pass only the hostname (also called the FQDN, the fully qualified domain name), it defaults to HTTP@fqdn, and the GSS-API resolves it to the corresponding principal service/<hostname>@REALM, which is not desirable (cfr. this page).
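The naming rules above, as an added Python example (not Hackolade or HBase code): it splits a principal into components and realm, and reports what a `service@<hostname>` value or a bare hostname resolves to. The function names, the expected service passed to `check_target` and the simplified backslash escaping are assumptions made for illustration.

```python
# Added example, not Hackolade or HBase code; the escaping rule is simplified.
DEFAULT_SERVICE = "HTTP"  # what a bare hostname falls back to, per the page

def parse_principal(name):
    """Split 'primary/instance@REALM' into (components, realm or None)."""
    parts, buf, in_realm = [], [], False
    chars = iter(name)
    for ch in chars:
        if ch == "\\":  # assumed escape: the next character is literal
            nxt = next(chars, None)
            if nxt is None:
                raise ValueError("dangling backslash")
            buf.append(nxt)
        elif ch == "@":  # realm separator, allowed once
            if in_realm:
                raise ValueError("more than one realm separator")
            parts.append("".join(buf))
            buf, in_realm = [], True
        elif ch == "/" and not in_realm:  # component separator
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf)
    if not in_realm:
        parts.append(tail)
    if "" in parts or (in_realm and not tail):
        raise ValueError("empty component or realm")
    return parts, (tail if in_realm else None)

def resolve_target(target, realm):
    """Principal for a 'service@hostname' target, as the page describes."""
    service, sep, host = target.partition("@")
    if not sep:  # bare hostname: falls back to HTTP@hostname
        service, host = DEFAULT_SERVICE, target
    if not service or not host:
        raise ValueError("expected service@hostname")
    return f"{service}/{host}@{realm}"

def check_target(target, realm, fqdn, service="hbase"):
    """Return (principal, problems) for a configured service principal."""
    principal = resolve_target(target, realm)
    (svc, host), _ = parse_principal(principal)
    problems = []
    if svc != service:
        problems.append(f"service is {svc!r}, expected {service!r}")
    if host != fqdn:
        problems.append(f"host is {host!r}, hostname -f gives {fqdn!r}")
    return principal, problems
```

Pass the output of `hostname -f` as `fqdn`; an empty problem list means the configured value resolves to the principal you expect.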
The minimum requirements to be able to connect with the Kerberos protocol are:
- The host name must always be the same as the computer's host name (hostname -f)
- Add to the "hbase-site.xml" the following parameters:
- All layers of Hadoop must be set up with Kerberos auth
- Yarn must be set up with SSL certificates
- Kerberos, or the Kerberos packages “krb5-admin-server” and “krb5-kdc”, must be installed and running
- The HBase REST service must be running. REST should have administrative access. One can provide it by running the HBase command: grant 'rest_server', 'RWCA'
- Start Kerberos services:
  - service krb5-admin-server start
  - service krb5-kdc start
- Start HBase with Kerberos:
  - Hadoop (dfs.sh, yarn.sh)
  - Zookeeper (zkServer.sh)
  - HBase (start-hbase.sh)
  - HBase Rest (hbase rest start)
- Obtain and cache an initial ticket-granting ticket for the principal:
  - kinit hbase@EXAMPLE.COM (pass:<password>)
  - klist (check if ticket received)
- Check by curl request:
  - curl -i --negotiate -u : http://<host>:<port>/version/cluster
  - curl -i --negotiate -u : http://<host>:<port>/namespaces
For more information with Hortonworks installations, click here.