HBase end-to-end over the wire encryption

Need to know about:

  1. communication between RS can be encrypted
  2. hbase client to ZK
  3. phoenix jdbc client connection encryption
  4. within ZK znodes, is there any customer information that needs to be protected

Accepted Solutions

Re: HBase end-to-end over the wire encryption

#1 See https://hbase.apache.org/book.html#_client_side_configuration_for_secure_operation. Set hbase.rpc.protection=true

#2 There is no sensitive data that clients read out of ZooKeeper.

#3 I don't know what this means. Phoenix uses HBase's RPC mechanism, which is already encompassed by #1

#4 No, but HBase already sets up ACLs to protect all information that users should not see/modify. Table data is not stored in ZooKeeper.
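
An added example, not part of the original thread or of HBase's own code: a small Python audit of an `hbase-site.xml` for the RPC protection setting discussed in #1. It assumes the value set documented in the HBase reference guide (`authentication`, `integrity`, `privacy`, of which only `privacy` encrypts RPC payloads); the helper names are hypothetical and the sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# hbase.rpc.protection values and the SASL QoP each one maps to.
QOP = {"authentication": "auth", "integrity": "auth-int", "privacy": "auth-conf"}

def load_site(xml_text):
    """Parse Hadoop-style <configuration> XML into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name", "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_rpc_protection(props):
    """Return findings; an empty list means only privacy (auth-conf) is permitted."""
    findings = []
    # Without Kerberos there is no SASL layer for a protection level to apply to.
    if props.get("hbase.security.authentication", "simple").lower() != "kerberos":
        findings.append("hbase.security.authentication is not kerberos")
    raw = props.get("hbase.rpc.protection", "authentication")
    # A comma-separated list is tolerated; a missing or empty value means the default.
    levels = [v.strip().lower() for v in raw.split(",") if v.strip()] or ["authentication"]
    for level in levels:
        if level not in QOP:
            findings.append(f"hbase.rpc.protection has unrecognised value {level!r}")
        elif level != "privacy":
            findings.append(f"hbase.rpc.protection allows {level!r} ({QOP[level]}): no encryption")
    return findings

def sample_site(auth, protection):
    """Constructed hbase-site.xml fragment used as sample input."""
    return f"""<configuration>
  <property><name>hbase.security.authentication</name><value>{auth}</value></property>
  <property><name>hbase.rpc.protection</name><value>{protection}</value></property>
</configuration>"""

if __name__ == "__main__":
    for auth, prot in [("kerberos", "true"), ("kerberos", "authentication"),
                       ("kerberos", "privacy")]:
        findings = audit_rpc_protection(load_site(sample_site(auth, prot)))
        print(f"{auth}/{prot}: {findings or 'OK'}")
```

Run the same audit against both the client-side and the server-side `hbase-site.xml`, since the two ends must agree on the protection level.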

Re: HBase end-to-end over the wire encryption

#3. In this case Flume is connecting to HBase via Phoenix JDBC. So the question is if we need to do something for the JDBC connection to secure it with SSL.

Re: HBase end-to-end over the wire encryption

@Ancil McBarnett

Looking at the documentation, the way I understand it is that the Phoenix JDBC driver uses the HBase RPC mechanism and, like @Josh Elser noted, that's already covered in the secure client-side configuration. See this link and notice how the JDBC client is actually connected to ZooKeeper.

https://streever.atlassian.net/wiki/display/HADOOP/Phoenix+JDBC+Client+Setup

Re: HBase end-to-end over the wire encryption

@Ancil McBarnett HBase doesn't use SSL to protect RPCs

Re: HBase end-to-end over the wire encryption

ZooKeeper has SSL with Netty. But I am not sure it is tested well. https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

@Josh, in case of HBase tokens, I think they are stored in ZK. Can this be a concern?