Created on 03-28-2017 08:44 AM
This article assumes you start with a Kerberized HDP cluster with HBase installed.
First, check what your HBase service principal is, e.g.:
    klist -kt /etc/security/keytabs/hbase.service.keytab
    Keytab name: FILE:hbase.service.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       2 12/20/16 13:51:21 hbase/hdp253k1.hdp@HDP.COM
       2 12/20/16 13:51:21 hbase/hdp253k1.hdp@HDP.COM
       2 12/20/16 13:51:21 hbase/hdp253k1.hdp@HDP.COM
       2 12/20/16 13:51:21 hbase/hdp253k1.hdp@HDP.COM
       2 12/20/16 13:51:21 hbase/hdp253k1.hdp@HDP.COM
In Ambari, go to HBase -> Configs -> Advanced -> Custom hbase-site.xml and add the following new parameters, substituting the keytab and principal for your environment. If they already exist for your cluster, set the values as indicated:
    hbase.rest.authentication.type=kerberos
    hbase.master.kerberos.principal=hbase/_HOST@HDP.COM
    hbase.master.keytab.file=/etc/security/keytabs/hbase.service.keytab
    hadoop.proxyuser.HTTP.groups=*
    hadoop.proxyuser.HTTP.hosts=*
    hbase.security.authorization=true
    hbase.rest.authentication.kerberos.keytab=/etc/security/keytabs/spnego.service.keytab
    hbase.rest.authentication.kerberos.principal=HTTP/_HOST@HDP.COM
    hbase.security.authentication=kerberos
    hbase.rest.kerberos.principal=hbase/_HOST@HDP.COM
    hbase.rest.keytab.file=/etc/security/keytabs/hbase.service.keytab
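In Ambari -> HDFS, confirm that the following are set and, if not, add them to 'Custom core-site.xml':

    hadoop.proxyuser.HTTP.groups=*
    hadoop.proxyuser.HTTP.hosts=*

The value * places no restriction on the hosts the HTTP user may proxy from or on the groups whose members it may impersonate; narrow both to specific hosts and groups if your environment allows.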
Restart the affected HBase & HDFS services.
On the command line on the HBase master, kinit with the service keytab and start the REST server:

    su - hbase
    kinit -kt /etc/security/keytabs/hbase.service.keytab hbase/hdp253k1.hdp@HDP.COM
    /usr/hdp/current/hbase-master/bin/hbase-daemon.sh start rest -p 17000 --infoport 17050
Test the REST server first without and then with a ticket, as follows:
    # kdestroy
    # klist
    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
    # curl --negotiate -u : 'http://hdp253k1.hdp:17000/status/cluster'
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
    <title>Error 401 Authentication required</title>
    # kinit -kt hbase.service.keytab hbase/hdp253k1.hdp@HDP.COM
    # curl --negotiate -u : 'http://aw253k1:17000/status/cluster'
    3 live servers, 0 dead servers, 10.6667 average load
    3 live servers
        hdp253k1.hdp:16020 1490688381983
            requests=0, regions=11
            heapSizeMB=120
            maxHeapSizeMB=502
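The manual test above can be turned into a repeatable check. The script below is an added example, not part of the original article: it classifies curl header dumps to confirm that an anonymous request is rejected with a SPNEGO challenge (a 401 carrying WWW-Authenticate: Negotiate) and that a ticketed request ends in 200. The function names and the sample header dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from curl header dumps whether SPNEGO is enforced.
# Collect headers with:  curl -s -o /dev/null -D - [--negotiate -u :] URL

# Status code of the LAST response in the dump. With --negotiate, curl
# records the 401 challenge first and the final reply after it.
final_status() {
    awk '/^HTTP\// { code = $2 } END { print code }'
}

# Headers of a request sent WITHOUT credentials, read from stdin.
classify_anonymous() {
    _hdrs=$(tr -d '\r')
    _code=$(printf '%s\n' "$_hdrs" | final_status)
    case "$_code" in
        401)
            if printf '%s\n' "$_hdrs" | grep -qi '^WWW-Authenticate:[[:space:]]*Negotiate'; then
                echo "enforced"                 # rejected with a SPNEGO challenge
            else
                echo "401-without-negotiate"    # rejected, but not by SPNEGO
            fi ;;
        2??) echo "open" ;;                     # served without a ticket
        *)   echo "unexpected-${_code:-none}" ;;
    esac
}

# Headers of a request sent with --negotiate and a valid ticket, from stdin.
classify_authenticated() {
    _code=$(tr -d '\r' | final_status)
    if [ "$_code" = "200" ]; then echo "ok"; else echo "failed-${_code:-none}"; fi
}

# Live check against a REST URL (needs network; not called here).
check_rest() {
    echo "anonymous:     $(curl -s -o /dev/null -D - "$1" | classify_anonymous)"
    echo "authenticated: $(curl -s -o /dev/null -D - --negotiate -u : "$1" | classify_authenticated)"
}

# Constructed sample dumps (not captured from a real cluster).
sample_challenge() {
    printf 'HTTP/1.1 401 Authentication required\r\nWWW-Authenticate: Negotiate\r\n\r\n'
}
sample_negotiated() {
    sample_challenge
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n'
}

sample_challenge  | classify_anonymous       # enforced
sample_negotiated | classify_authenticated   # ok
```

On a cluster node, run check_rest 'http://hdp253k1.hdp:17000/status/cluster' once after kdestroy and once after kinit; an "open" result for the anonymous request means the REST server is answering without Kerberos authentication.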