Kerberos
Authentication
Hackolade also supports the Kerberos authentication mechanism. For more information on how to set up Kerberos in HBase, please consult this link and this useful article.
The Kerberos parameters for HBase are maintained in Hackolade as follows:
A Kerberos principal is a unique identity to which Kerberos can assign tickets.
Principals can have an arbitrary number of components. Each component is separated by a component separator, generally /. The last component is the realm, separated from the rest of the principal by the realm separator, generally @.
An example for a Kerberos Principal is: primary/instance@REALM.
A Kerberos Service Name is the name by which a client uniquely identifies an instance of a service. Typically, the service name for an HBase instance is hbase. Provide another name here if your HBase instance was set up with a different service name.
The service principal must be in the form service@<hostname>. If you pass only the hostname (also called the FQDN, fully qualified domain name), it defaults to HTTP@fqdn, and the GSS-API resolves it to the corresponding principal service/<hostname>@REALM, which is not desirable (see this page).
The minimum requirements to be able to connect with the Kerberos protocol are:
- The host name must always be the same as the computer's host name (as returned by hostname -f)
- Add the following parameters to "hbase-site.xml":
  <property>
    <name>hadoop.proxyuser.HTTP.groups</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.HTTP.hosts</name>
    <value>*</value>
  </property>
- All layers of Hadoop must be set up with Kerberos auth
- Yarn must be set up with SSL certificates
- Kerberos, or the Kerberos packages “krb5-admin-server” and “krb5-kdc”, must be installed and running
- The HBase REST service must be running. REST should have administrative access; one can provide it by running the HBase command: grant 'rest_server', 'RWCA'
https://hbase.apache.org/book.html#_client_side_configuration_for_secure_operation_rest_gateway
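The two hadoop.proxyuser.HTTP.* values above are the wildcard *, which lets the HTTP principal impersonate members of any group from any host. The following Python check is an added example, not Hackolade or HBase code: it lists every proxyuser rule in a Hadoop-style site file and flags wildcard values so they can be reviewed and narrowed to specific hosts and groups. The sample XML is constructed from the properties above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two properties from the requirements above,
# wrapped in the <configuration> root that Hadoop-style site files use.
SAMPLE_SITE_XML = """<configuration>
  <property>
    <name>hadoop.proxyuser.HTTP.groups</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.HTTP.hosts</name>
    <value>*</value>
  </property>
</configuration>"""

PREFIX = "hadoop.proxyuser."
SCOPES = ("hosts", "groups", "users")


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style site file."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_proxyusers(xml_text):
    """List (proxy_user, scope, value, is_wildcard) for each proxyuser rule."""
    findings = []
    for name, value in sorted(load_properties(xml_text).items()):
        if not name.startswith(PREFIX):
            continue
        # The proxy user name may itself contain dots, so split from the right.
        user, _, scope = name[len(PREFIX):].rpartition(".")
        if user and scope in SCOPES:
            entries = [v.strip() for v in value.split(",")]
            findings.append((user, scope, value, "*" in entries))
    return findings


if __name__ == "__main__":
    for user, scope, value, wildcard in audit_proxyusers(SAMPLE_SITE_XML):
        status = "WILDCARD: any " + scope if wildcard else "restricted"
        print(f"proxyuser={user} scope={scope} value={value!r} -> {status}")
```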
Instructions:
- Start Kerberos services:
  - service krb5-admin-server start
  - service krb5-kdc start
- Start HBase with Kerberos:
  - Hadoop (dfs.sh, yarn.sh)
  - Zookeeper (zkServer.sh)
  - HBase (start-hbase.sh)
  - HBase Rest (hbase rest start)
- Obtain and cache an initial ticket-granting ticket for the principal:
  - kinit hbase@EXAMPLE.COM (pass:<password>)
  - klist (check that the ticket was received)
- Check with a curl request:
  - curl -i --negotiate -u : http://<host>:<port>/version/cluster
  - curl -i --negotiate -u : http://<host>:<port>/namespaces
For more information on Hortonworks installations, click here.