Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Connecting to Kerberos secured HBase cluster from Java application

Labels (1)
Labels:
avatar
author-rank kramalingam author-rank
Contributor

Created on ‎08-04-2017 09:08 PM - edited ‎05-13-2020 12:23 AM

Short Description:

This sample code helps to connect to Kerberos enabled HBase cluster from Java program.

 

Code Walkthrough:

Create HBaseConfiguration and pass HBase cluster parameters.

 

Configuration hbaseConfig = HBaseConfiguration.create();
hbaseConfig.addResource("/path_to_hbase_conf/hbase-site.xml");
hbaseConfig.addResource("/path_to_hbase_conf/core-site.xml");
hbaseConfig.set("hadoop.security.authentication", "Kerberos");

 

User principal and key tab file names. Please make sure key tab files are in the respective folder.

 

String principal = System.getProperty("kerberosPrincipal", "hbaseuser@EXAMPLE.COM");
String keytab = System.getProperty("kerberosKeytab", "/path_to_keytab/hbase-client.keytab");

 

The essential Kerberos configuration information is the default realm and the default KDC. As with most Kerberos installations, a Kerberos configuration file krb5.conf is consulted to determine such things as the default realm and KDC. The default location is /etc/krb5.conf (Linux).

 

If the krb5.conf file is in a different location or you want to pass custom krb5.conf:

 

System.setProperty("java.security.krb5.conf","src/krb5.conf");

 

Login user from key tab file:

 

UserGroupInformation.setConfiguration(hbaseConfig);
UserGroupInformation.loginUserFromKeytab(principal, keytab);

 

Check the connection:

 

HBaseAdmin.checkHBaseAvailable(hbaseConfig);

 

Options to enable debug log:

 

System.setProperty("sun.security.jgss.debug", "true");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("sun.security.jgss.debug", "true");
System.setProperty("java.security.debug", "logincontext,policy,scl,gssloginconfig");

 

Well, you are good to go now.

23,256 Views
0 Kudos
Comments

Re: Connecting to Kerberos secured HBase cluster from Java application

avatar
author-rank rakila
Explorer

Created on ‎06-27-2018 01:36 AM

Why use _HOST as opposed to hdp1.field.hortonworks.com?

Is this to handle failovers?

Re: Connecting to Kerberos secured HBase cluster from Java application

avatar
author-rank rakila
Explorer

Created on ‎06-28-2018 06:40 PM

Why the difference _HOST and hdp1.field.hortonworks.com for PRINCIPAL?

This:

  1. configuration.set("hbase.master.kerberos.principal","hbase/_HOST@FIELD.HORTONWORKS.COM");
  2. configuration.set("hbase.regionserver.kerberos.principal","hbase/_HOST@FIELD.HORTONWORKS.COM");

Vs this:

  1. String principal =System.getProperty("kerberosPrincipal","hbase/hdp1.field.hortonworks.com@FIELD.HORTONWORKS.COM");

Re: Connecting to Kerberos secured HBase cluster from Java application

avatar
author-rank ankita_ghate
Explorer

Created on ‎11-23-2018 06:10 AM

Do we have to manually add actual hostname in place of _HOST here

configuration.set("hbase.regionserver.kerberos.principal","hbase/_HOST@FIELD.HORTONWORKS.COM");

Re: Connecting to Kerberos secured HBase cluster from Java application

avatar
author-rank getschwifty
Contributor

Created on ‎05-11-2020 05:12 PM 

// this is needed even if you connect over rpc/zookeeper
configuration.set("hbase.master.kerberos.principal", "hbase/_HOST@FIELD.HORTONWORKS.COM"); 
configuration.set("hbase.master.keytab.file", "src/hbase.service.keytab");

This seems like a security risk to hand over the HBase keytab to users. How would you set this code up to run in a secured environment? ie: you have multiple tenants accessing HBase. I wouldn't think that this would be a good security practice.

Re: Connecting to Kerberos secured HBase cluster from Java application

avatar
author-rank kramalingam author-rank
Contributor

Created on ‎05-12-2020 08:17 AM

@getschwifty  Please refer to latest documentation on setting up HBase Client account. Use the client account principle and key tab files from Java application. You will also have to adjust the HBase native ACLs or Ranger policies to allow the user/tenants to access tenant-specific HBase resources.

 

Re: Connecting to Kerberos secured HBase cluster from Java application

avatar
author-rank getschwifty
Contributor

Created on ‎05-12-2020 05:11 PM - edited ‎05-12-2020 05:13 PM

Hi @kramalingam , Thanks, but that's not what I'm asking. I already have a kerberos user with access to HBase. I'm asking about the specific code I listed above that states using the HBase keytab. I would have thought that that was a major security risk in a multi-tenant environment. That code also seems to include user config as well, which is doubly confusing:

 

UserGroupInformation.setConfiguration(configuration);
UserGroupInformation.loginUserFromKeytab(principal, keytabLocation);

Why do you need the HBase keytab and a user keytab?

Re: Connecting to Kerberos secured HBase cluster from Java application

avatar
author-rank kramalingam author-rank
Contributor

Created on ‎05-13-2020 12:22 AM

@getschwifty Revised the article to reflect the best practices. try it out and see if that helps you. thanks for your valuable feedback.

Re: Connecting to Kerberos secured HBase cluster from Java application

avatar
author-rank getschwifty
Contributor

Created on ‎05-13-2020 10:15 PM

Thanks @kramalingam !

Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎05-13-2020 12:23 AM
Updated by:
Contributor Contributor
Contributors