Kerberos for HBase

Step-by-Step Guide to Set Up Kerberos for HBase on Cloudera (CDH).

Posted by Aravind Nuthalapati on January 31, 2018

This article walks through setting up Kerberos for HBase on CDH clusters.

Prerequisites

Cloudera Manager and CDH installed and running.
MIT Kerberos server installed and operational.
Administrator access to Kerberos KDC, Cloudera Manager, and cluster nodes.

Step 1: Install and Configure Kerberos (KDC)

Install Kerberos packages on KDC host:
yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation

Edit /etc/krb5.conf:

[libdefaults]
 default_realm = YOUR.REALM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 YOUR.REALM.COM = {
   kdc = kerberos-server.yourdomain.com
   admin_server = kerberos-server.yourdomain.com
 }

[domain_realm]
 .yourdomain.com = YOUR.REALM.COM
 yourdomain.com = YOUR.REALM.COM

Edit /var/kerberos/krb5kdc/kdc.conf:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 YOUR.REALM.COM = {
  database_name = /var/kerberos/krb5kdc/principal
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  max_life = 10h
  max_renewable_life = 7d
 }

Create Kerberos database:

kdb5_util create -s

Start and enable Kerberos services:

systemctl enable krb5kdc
systemctl enable kadmin
systemctl start krb5kdc
systemctl start kadmin

Step 2: Create Kerberos Principals

Log in to Kerberos admin interface:

kadmin.local

Create principals (replace _HOST with each node's fully qualified hostname: Hadoop expands _HOST only in its configuration files, so the KDC needs one principal per host):

addprinc -randkey hbase/_HOST@YOUR.REALM.COM
addprinc -randkey hdfs/_HOST@YOUR.REALM.COM
addprinc -randkey HTTP/_HOST@YOUR.REALM.COM
addprinc -randkey zookeeper/_HOST@YOUR.REALM.COM

Step 3: Generate Keytabs and Distribute

Generate keytabs (again substituting the node's hostname for _HOST, one set per host):

xst -k hbase.keytab hbase/_HOST@YOUR.REALM.COM
xst -k hdfs.keytab hdfs/_HOST@YOUR.REALM.COM
xst -k http.keytab HTTP/_HOST@YOUR.REALM.COM
xst -k zk.keytab zookeeper/_HOST@YOUR.REALM.COM

Securely copy each node's keytabs to that node:

scp *.keytab user@node:/etc/security/keytabs/

Set permissions on nodes (the service accounts, such as hbase, must be members of the hadoop group to read the files):

chown root:hadoop /etc/security/keytabs/*.keytab
chmod 440 /etc/security/keytabs/*.keytab

Step 4: Configure Cloudera Manager for Kerberos

In Cloudera Manager UI, go to Administration → Security → Kerberos and enable Kerberos authentication. Enter the required KDC details and let Cloudera Manager deploy keytabs automatically.

Step 5: Configure HBase for Kerberos

In Cloudera Manager, configure HBase to use Kerberos by setting:

hbase.regionserver.kerberos.principal = hbase/_HOST@YOUR.REALM.COM
hbase.regionserver.keytab.file = /etc/security/keytabs/hbase.keytab
hbase.master.kerberos.principal = hbase/_HOST@YOUR.REALM.COM
hbase.master.keytab.file = /etc/security/keytabs/hbase.keytab

Step 6: Validate Kerberos setup for HBase

Authenticate using Kerberos principal:

kinit -kt /etc/security/keytabs/hbase.keytab hbase/<host>@YOUR.REALM.COM

Check your Kerberos ticket:

klist

Launch HBase shell and validate connectivity:

hbase shell
status
list

Step 7: Troubleshooting Tips

Check logs at /var/log/hbase/ for any Kerberos-related issues.
Ensure time synchronization, DNS resolution, and principal/keytab configurations are correct.
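A node-side check for the principal/keytab points above, added here as an example written for this page (not part of the original post or of Cloudera's tooling). It assumes the MIT `klist -kt` output format and the keytab path, realm, chmod 440 and root:hadoop ownership used in the steps above; SAMPLE_KLIST is a constructed sample so the parsing part runs offline.

```python
import os, socket, stat, subprocess

# Values taken from the post; adjust realm and path for your cluster.
REALM = "YOUR.REALM.COM"
KEYTAB = "/etc/security/keytabs/hbase.keytab"
PRINCIPAL_TEMPLATE = "hbase/_HOST@" + REALM

# Constructed sample of `klist -kt` output (MIT format) so this runs offline.
SAMPLE_KLIST = """Keytab name: FILE:/etc/security/keytabs/hbase.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 01/31/2018 10:00:00 hbase/node1.yourdomain.com@YOUR.REALM.COM
   2 01/31/2018 10:00:00 hbase/node2.yourdomain.com@YOUR.REALM.COM
"""

def expand_host(principal, fqdn):
    """Expand _HOST the way Hadoop services do: lowercased FQDN of the node."""
    return principal.replace("_HOST", fqdn.lower())

def parse_klist_keytab(output):
    """Principals listed by `klist -kt`: data rows end in name/host@REALM."""
    return [f[-1] for f in (ln.split() for ln in output.splitlines())
            if f and "@" in f[-1]]

def keytab_has_host_principal(klist_output, fqdn, template=PRINCIPAL_TEMPLATE):
    """True if the keytab holds the principal this node will present;
    a literal hbase/_HOST@REALM entry does not count."""
    return expand_host(template, fqdn) in parse_klist_keytab(klist_output)

def mode_ok(st_mode, expected=0o440):
    """True only if the permission bits equal the post's chmod 440 exactly."""
    return stat.S_IMODE(st_mode) == expected

def check_node(keytab=KEYTAB, expected_owner=("root", "hadoop")):
    """Live check on a cluster node: klist -kt plus owner/group/mode of the keytab."""
    import grp, pwd  # Unix-only; imported here so the parsers import anywhere
    fqdn = socket.getfqdn()
    out = subprocess.run(["klist", "-kt", keytab],
                         capture_output=True, text=True).stdout
    st = os.stat(keytab)
    owner = (pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name)
    return {"fqdn": fqdn,
            "principal_present": keytab_has_host_principal(out, fqdn),
            "mode_ok": mode_ok(st.st_mode),
            "owner_ok": owner == expected_owner}

if __name__ == "__main__":
    print(check_node())
```

Run it as root on each node after Step 3; a False in principal_present usually means the keytab was cut with a literal _HOST or for another host's name.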

Additional Security Recommendations

Enable TLS/SSL for Hadoop/HBase communication, regularly rotate Kerberos keys, and monitor audit logs for security compliance.