HBase end-to-end over the wire encryption


Need to know about:

  • 1. communication between RS can be encrypted
  • 2. HBase client to ZK
  • 3. Phoenix JDBC client connection encryption
  • 4. within ZK znodes, is there any customer information that needs to be protected

1 ACCEPTED SOLUTION


#1 See https://hbase.apache.org/book.html#_client_side_configuration_for_secure_operation. Set hbase.rpc.protection=true

#2 There is no sensitive data that clients read out of ZooKeeper.

#3 I don't know what this means. Phoenix uses HBase's RPC mechanism, which is already encompassed by #1

#4 No, but HBase already sets up ACLs to protect all information that users should not see/modify. Table data is not stored in ZooKeeper.
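
An added example, not part of the original answer or of HBase's own code: a small audit of an hbase-site.xml for the setting discussed in #1. It relies on the values the HBase reference guide documents for hbase.rpc.protection (authentication, integrity, privacy, of which only privacy encrypts RPC payloads); the function names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

VALID_QOP = {"authentication", "integrity", "privacy"}  # values in the HBase reference guide

def load_props(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_rpc_encryption(xml_text):
    """Return findings; an empty list means RPC traffic is set to be encrypted."""
    props = load_props(xml_text)
    findings = []
    auth = props.get("hbase.security.authentication", "simple").lower()
    if auth != "kerberos":
        findings.append(f"hbase.security.authentication={auth!r}: no SASL, so no RPC protection")
    raw = props.get("hbase.rpc.protection", "")
    # Unset falls back to the default, 'authentication' (no encryption).
    levels = [v.strip().lower() for v in raw.split(",") if v.strip()] or ["authentication"]
    for level in levels:
        if level not in VALID_QOP:
            findings.append(f"hbase.rpc.protection={level!r} is not a recognised value")
        elif level != "privacy":
            findings.append(f"hbase.rpc.protection={level!r} does not encrypt RPC payloads")
    return findings

def site(**props):
    """Build a constructed hbase-site.xml string for the samples below."""
    body = "".join(f"<property><name>{k.replace('_', '.')}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample inputs (not taken from a real cluster).
GOOD_XML = site(hbase_security_authentication="kerberos", hbase_rpc_protection="privacy")
TRUE_XML = site(hbase_security_authentication="kerberos", hbase_rpc_protection="true")
EMPTY_XML = site()

if __name__ == "__main__":
    for label, xml in [("good", GOOD_XML), ("true", TRUE_XML), ("empty", EMPTY_XML)]:
        print(label, audit_rpc_encryption(xml) or "OK")
```

Run it against both the server-side and the client-side hbase-site.xml, since the property is set in each.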

5 REPLIES 5

avatar

#3: In this case Flume is connecting to HBase via Phoenix JDBC. So the question is whether we need to do something to secure the JDBC connection with SSL.


@Ancil McBarnett

Looking at the documentation, the way I understand it is that the Phoenix JDBC driver uses the HBase RPC mechanism and, like @Josh Elser noted, that's already covered in the secure client-side configuration. See this link and notice how the JDBC client is actually connected to ZooKeeper.

https://streever.atlassian.net/wiki/display/HADOOP/Phoenix+JDBC+Client+Setup


@Ancil McBarnett HBase doesn't use SSL to protect RPCs


ZooKeeper has SSL with Netty. But I am not sure it is tested well. https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide

@Josh, in case of HBase tokens, I think they are stored in ZK. Can this be a concern?