Configuring Secure HBase Replication
If you are using HBase Replication and you want to make it secure, read this section for instructions. Before proceeding, you should already have configured HBase Replication by following the instructions in the HBase Replication section of the CDH 5 Installation Guide.
To configure secure HBase replication, you must configure cross realm support for Kerberos, ZooKeeper, and Hadoop.
To configure secure HBase replication:
- Create krbtgt principals for the two realms. For example, if you have two realms called ONE.COM and TWO.COM, you need to
add the following principals: krbtgt/ONE.COM@TWO.COM and krbtgt/TWO.COM@ONE.COM. Add these two principals at both realms. Note that there
must be at least one common encryption mode between these two realms.
kadmin: addprinc -e "<enc_type_list>" krbtgt/ONE.COM@TWO.COM kadmin: addprinc -e "<enc_type_list>" krbtgt/TWO.COM@ONE.COM
- Add rules for creating short names in Zookeeper. To do this, add a system level property in java.env, defined in the conf
directory. Here is an example rule that illustrates how to add support for the realm called ONE.COM, and have two members in the principal (such as service/instance@ONE.COM):
The above code example adds support for the ONE.COM realm in a different realm. So, in the case of replication, you must add a rule for the primary cluster realm in the replica cluster realm. DEFAULT is for defining the default rule.
- Add rules for creating short names in the Hadoop processes. To do this, add the hadoop.security.auth_to_local property in the core-site.xml file in the replica cluster. For example, to add support for the ONE.COM realm:
<property> <name>hadoop.security.auth_to_local</name> <value> RULE:[2:$1@$0](.*@\QONE.COM\E$)s/@\QONE.COM\E$// DEFAULT </value> </property>
For more information about adding rules, see Configuring the Mapping from Kerberos Principals to Short Names.