Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

HBase end-to-end over the wire encryption

Labels:
avatar
author-rank aervits
Master Mentor

Created ‎03-03-2017 07:16 PM

Need to know about:

  • 1.communication between RS can be encrypted
  • 2.hbase client to ZK
  • 3.phoenix jdbc client connection encryption
  • 4. within ZK znodes, is there any customer information that needs to be protected
2,302 Views
1 ACCEPTED SOLUTION

avatar
author-rank elserj author-rank
Super Guru

Created ‎03-03-2017 07:24 PM

#1 See https://hbase.apache.org/book.html#_client_side_configuration_for_secure_operation. Set hbase.rpc.protection=true

#2 There is no sensitive data that clients read out of ZooKeeper.

#3 I don't know this means. Phoenix uses HBase's RPC mechanism which is already encompassed by #1

#4 No, but HBase already sets up ACLs to protect all information that users should not see/modify. Table data is not stored in ZooKeeper.

View solution in original post

1,938 Views
5 REPLIES 5

avatar
author-rank elserj author-rank
Super Guru

Created ‎03-03-2017 07:24 PM

#1 See https://hbase.apache.org/book.html#_client_side_configuration_for_secure_operation. Set hbase.rpc.protection=true

#2 There is no sensitive data that clients read out of ZooKeeper.

#3 I don't know this means. Phoenix uses HBase's RPC mechanism which is already encompassed by #1

#4 No, but HBase already sets up ACLs to protect all information that users should not see/modify. Table data is not stored in ZooKeeper.

1,939 Views

avatar
author-rank amcbarnett
Guru

Created ‎03-03-2017 07:33 PM

#3.. In this case flume is connecting to HBase via Phoenix JDBC. So the question is if we need to do something for the JDBC connection to secure with SSL..

1,938 Views
0 Kudos

avatar
author-rank mqureshi
Super Guru

Created ‎03-03-2017 09:19 PM

@Ancil McBarnett

Looking at the documentation, the way I understand it is, that Phoenix JDBC driver uses HBase RPC mechanism and like @Josh Elser noted, that's already covered in the secure client side configuration. See this link and notice how JDBC client is actually connected to Zookeeper.

https://streever.atlassian.net/wiki/display/HADOOP/Phoenix+JDBC+Client+Setup

1,938 Views
0 Kudos

avatar
author-rank elserj author-rank
Super Guru

Created ‎03-03-2017 09:39 PM

@Ancil McBarnett HBase doesn't use SSL to protect RPCs

1,938 Views
0 Kudos

avatar
author-rank Enis author-rank
Guru

Created ‎03-03-2017 10:47 PM

ZooKeeper has SSL with Netty. But I am not sure it is tested well. https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

@Josh, in case of HBase tokens, I think they are stored in ZK. Can this be a concern?

1,938 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements