Community Articles
Find and share helpful community-sourced technical articles
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.
Labels (1)

Assuming you start with a kerberized HDP cluster with Hbase installed.

First check what your hbase service principal is i.e.

klist -kt /etc/security/keytabs/hbase.service.keytab
Keytab name: FILE:hbase.service.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/20/16 13:51:21 hbase/hdp253k1.hdp@HDP.COM
   2 12/20/16 13:51:21 hbase/hdp253k1.hdp@HDP.COM
   2 12/20/16 13:51:21 hbase/hdp253k1.hdp@HDP.COM
   2 12/20/16 13:51:21 hbase/hdp253k1.hdp@HDP.COM
   2 12/20/16 13:51:21 hbase/hdp253k1.hdp@HDP.COM

In Ambari head to Hbase -> Configs -> Advanced -> Custom Hbase-Site.xml and add the following new parameters with the keytab / principal substituted for your environment. If they already exist for your cluster set the values as indicated:

hbase.rest.authentication.type=kerberos
hbase.master.kerberos.principal=hbase/_HOST@HDP.COM
hbase.master.keytab.file=/etc/security/keytabs/hbase.service.keytab
hadoop.proxyuser.HTTP.groups=*
hadoop.proxyuser.HTTP.hosts=*
hbase.security.authorization=true
hbase.rest.authentication.kerberos.keytab=/etc/security/keytabs/spnego.service.keytab
hbase.rest.authentication.kerberos.principal=HTTP/_HOST@HDP.COM
hbase.security.authentication=kerberos
hbase.rest.kerberos.principal=hbase/_HOST@HDP.COM
hbase.rest.keytab.file=/etc/security/keytabs/hbase.service.keytab

In Ambari -> HDFS, confirm that the following are set and if not add them to 'Custom core-site.xml'

hadoop.proxyuser.HTTP.groups=*
hadoop.proxyuser.HTTP.hosts=*

Restart the affected HBase & HDFS services.

On the command line on the HBase master, kinit with the service keytab and start the REST server:

su - hbase
kinit -kt hbase.service.keytab hbase/hdp253k1.hdp@HDP.COM
/usr/hdp/current/hbase-master/bin/hbase-daemon.sh start rest -p 17000 --infoport 17050

Test the REST server without / with a ticket as follows:

# kdestroy
# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

# curl --negotiate -u : 'http://hdp253k1.hdp:17000/status/cluster'
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 401 Authentication required</title>

# kinit -kt hbase.service.keytab hbase/hdp253k1.hdp@HDP.COM
# curl --negotiate -u : 'http://aw253k1:17000/status/cluster'
3 live servers, 0 dead servers, 10.6667 average load

3 live servers
    hdp253k1.hdp:16020 1490688381983
        requests=0, regions=11
        heapSizeMB=120        maxHeapSizeMB=502
3,688 Views
Don't have an account?
Coming from Hortonworks? Activate your account here
Version history
Revision #:
1 of 1
Last update:
‎03-28-2017 08:44 AM
Updated by:
 
Contributors
Top Kudoed Authors