Community Articles

Find and share helpful community-sourced technical articles.
Labels (1)
avatar
Contributor

Short Description:

This sample code helps to connect to Kerberos enabled HBase cluster from Java program.

 

Code Walkthrough:

Create HBaseConfiguration and pass HBase cluster parameters.

 

Configuration hbaseConfig = HBaseConfiguration.create();
hbaseConfig.addResource("/path_to_hbase_conf/hbase-site.xml");
hbaseConfig.addResource("/path_to_hbase_conf/core-site.xml");
hbaseConfig.set("hadoop.security.authentication", "Kerberos");

 

User principal and key tab file names. Please make sure key tab files are in the respective folder.

 

String principal = System.getProperty("kerberosPrincipal", "hbaseuser@EXAMPLE.COM");
String keytab = System.getProperty("kerberosKeytab", "/path_to_keytab/hbase-client.keytab");

 

The essential Kerberos configuration information is the default realm and the default KDC. As with most Kerberos installations, a Kerberos configuration file krb5.conf is consulted to determine such things as the default realm and KDC. The default location is /etc/krb5.conf (Linux).

 

If the krb5.conf file is in a different location or you want to pass custom krb5.conf:

 

System.setProperty("java.security.krb5.conf","src/krb5.conf");

 

Login user from key tab file:

 

UserGroupInformation.setConfiguration(hbaseConfig);
UserGroupInformation.loginUserFromKeytab(principal, keytab);

 

Check the connection:

 

HBaseAdmin.checkHBaseAvailable(hbaseConfig);

 

Options to enable debug log:

 

System.setProperty("sun.security.jgss.debug", "true");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("sun.security.jgss.debug", "true");
System.setProperty("java.security.debug", "logincontext,policy,scl,gssloginconfig");

 

Well, you are good to go now.

23,808 Views
0 Kudos
Comments

Why use _HOST as opposed to hdp1.field.hortonworks.com?

Is this to handle failovers?

Why the difference _HOST and hdp1.field.hortonworks.com for PRINCIPAL?

This:

  1. configuration.set("hbase.master.kerberos.principal","hbase/_HOST@FIELD.HORTONWORKS.COM");
  2. configuration.set("hbase.regionserver.kerberos.principal","hbase/_HOST@FIELD.HORTONWORKS.COM");

Vs this:

  1. String principal =System.getProperty("kerberosPrincipal","hbase/hdp1.field.hortonworks.com@FIELD.HORTONWORKS.COM");

Do we have to manually add actual hostname in place of _HOST here

configuration.set("hbase.regionserver.kerberos.principal","hbase/_HOST@FIELD.HORTONWORKS.COM");

// this is needed even if you connect over rpc/zookeeper
configuration.set("hbase.master.kerberos.principal", "hbase/_HOST@FIELD.HORTONWORKS.COM"); 
configuration.set("hbase.master.keytab.file", "src/hbase.service.keytab");

This seems like a security risk to hand over the HBase keytab to users. How would you set this code up to run in a secured environment? ie: you have multiple tenants accessing HBase. I wouldn't think that this would be a good security practice.

@getschwifty  Please refer to latest documentation on setting up HBase Client account. Use the client account principle and key tab files from Java application. You will also have to adjust the HBase native ACLs or Ranger policies to allow the user/tenants to access tenant-specific HBase resources.

 

avatar
Contributor

Hi @kramalingam , Thanks, but that's not what I'm asking. I already have a kerberos user with access to HBase. I'm asking about the specific code I listed above that states using the HBase keytab. I would have thought that that was a major security risk in a multi-tenant environment. That code also seems to include user config as well, which is doubly confusing:

 

UserGroupInformation.setConfiguration(configuration);
UserGroupInformation.loginUserFromKeytab(principal, keytabLocation); 

Why do you need the HBase keytab and a user keytab?

@getschwifty Revised the article to reflect the best practices. try it out and see if that helps you. thanks for your valuable feedback.

Thanks @kramalingam !