Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

HBase end-to-end over the wire encryption

Labels:
avatar
author-rank aervits
Master Mentor

Created ‎03-03-2017 07:16 PM

Need to know about:

  • 1.communication between RS can be encrypted
  • 2.hbase client to ZK
  • 3.phoenix jdbc client connection encryption
  • 4. within ZK znodes, is there any customer information that needs to be protected
2,969 Views
1 ACCEPTED SOLUTION

avatar
author-rank elserj author-rank
Super Guru

Created ‎03-03-2017 07:24 PM

#1 See https://hbase.apache.org/book.html#_client_side_configuration_for_secure_operation. Set hbase.rpc.protection=true

#2 There is no sensitive data that clients read out of ZooKeeper.

#3 I don't know this means. Phoenix uses HBase's RPC mechanism which is already encompassed by #1

#4 No, but HBase already sets up ACLs to protect all information that users should not see/modify. Table data is not stored in ZooKeeper.

View solution in original post

2,605 Views
5 REPLIES 5

avatar
author-rank elserj author-rank
Super Guru

Created ‎03-03-2017 07:24 PM

#1 See https://hbase.apache.org/book.html#_client_side_configuration_for_secure_operation. Set hbase.rpc.protection=true

#2 There is no sensitive data that clients read out of ZooKeeper.

#3 I don't know this means. Phoenix uses HBase's RPC mechanism which is already encompassed by #1

#4 No, but HBase already sets up ACLs to protect all information that users should not see/modify. Table data is not stored in ZooKeeper.

2,606 Views

avatar
author-rank amcbarnett
Guru

Created ‎03-03-2017 07:33 PM

#3.. In this case flume is connecting to HBase via Phoenix JDBC. So the question is if we need to do something for the JDBC connection to secure with SSL..

2,605 Views
0 Kudos

avatar
author-rank mqureshi
Super Guru

Created ‎03-03-2017 09:19 PM

@Ancil McBarnett

Looking at the documentation, the way I understand it is, that Phoenix JDBC driver uses HBase RPC mechanism and like @Josh Elser noted, that's already covered in the secure client side configuration. See this link and notice how JDBC client is actually connected to Zookeeper.

https://streever.atlassian.net/wiki/display/HADOOP/Phoenix+JDBC+Client+Setup

2,605 Views
0 Kudos

avatar
author-rank elserj author-rank
Super Guru

Created ‎03-03-2017 09:39 PM

@Ancil McBarnett HBase doesn't use SSL to protect RPCs

2,605 Views
0 Kudos

avatar
author-rank Enis author-rank
Guru

Created ‎03-03-2017 10:47 PM

ZooKeeper has SSL with Netty. But I am not sure it is tested well. https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

@Josh, in case of HBase tokens, I think they are stored in ZK. Can this be a concern?

2,605 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements