Configuring Secure HBase Replication

If you are using HBase Replication and you want to make it secure, read this section for instructions. Before proceeding, you should already have configured HBase Replication by following the instructions in HBase Replication.

To configure secure HBase replication, you must configure cross realm support for Kerberos, ZooKeeper, and Hadoop.

To configure secure HBase replication:

  1. Create krbtgt principals for the two realms. For example, if you have two realms called EXAMPLE.COM and COMPANY.TEST, you need to add the following principals: krbtgt/EXAMPLE.COM@COMPANY.TEST and krbtgt/COMPANY.TEST@EXAMPLE.COM. Add these two principals at both realms. There must be at least one common encryption mode between these two realms.
    kadmin: addprinc -e "<enc_type_list>" krbtgt/EXAMPLE.COM@COMPANY.TEST
    kadmin: addprinc -e "<enc_type_list>" krbtgt/COMPANY.TEST@EXAMPLE.COM
  2. Add rules for creating short names in Zookeeper. To do this, add a system level property in java.env, defined in the conf directory. Here is an example rule that illustrates how to add support for the realm called EXAMPLE.COM, and have two members in the principal (such as service/instance@EXAMPLE.COM):
    -Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QEXAMPLE.COM\\E$)s/@\\QEXAMPLE.COM\\E$//DEFAULT

    The above code example adds support for the EXAMPLE.COM realm in a different realm. So, in the case of replication, you must add a rule for the primary cluster realm in the replica cluster realm. DEFAULT is for defining the default rule.

  3. Add rules for creating short names in the Hadoop processes. To do this, add the hadoop.security.auth_to_local property in the core-site.xml file in the replica cluster. For example, to add support for the EXAMPLE.COM realm:
    <property>
      <name>hadoop.security.auth_to_local</name>
      <value>
        RULE:[2:$1@$0](.*@\QEXAMPLE.COM\E$)s/@\QEXAMPLE.COM\E$//
      DEFAULT
      </value>
    </property>

    For more information about adding rules, see Configuring the Mapping from Kerberos Principals to Short Names.