Configuring Kerberos Authentication for HBase

Using Kerberos for authentication for the HBase component requires that you also use Kerberos authentication for ZooKeeper. This means that HBase Master, RegionServer, and client hosts must each have a Kerberos principal for authenticating to the ZooKeeper ensemble. The steps below provide the details. Before you start, be sure that:
Cloudera Manager automatically configures authentication between HBase to ZooKeeper and sets up the HBase Thrift gateway to support impersonation (doAs). However, you must manually configure the HBase REST service for Kerberos (it currently uses Simple authentication by default, instead of Kerberos). See Configure HBase REST Server for Kerberos Authentication for details.

You can use either Cloudera Manager or the command line to configure Kerberos authentication for HBase. Using Cloudera Manager simplifies the process, but both approaches are detailed below. This page includes these topics:

Configuring Kerberos Authentication for HBase Using Cloudera Manager

Cloudera Manager simplifies the task of configuring Kerberos authentication for HBase.

Configure HBase Servers to Authenticate with a Secure HDFS Cluster Using Cloudera Manager

Required Role: Cluster Administrator or Full Administrator

  1. Log on to Cloudera Manager Admin Console.
  2. Go to the HBase service (select Clusters > HBASE).
  3. Click the Configuration tab.
  4. Under the Scope filter, click HBase (Service-Wide).
  5. Under the Category filter, click Security.
  6. Ensure the Kerberos principal for the HBase service was generated.
  7. Find the HBase Secure Authentication property (type "HBase Secure" in the Search box, if necessary), and confirm (or enter) the principal to use for HBase.
  8. Select kerberos as the authentication type.
  9. Click Save Changes.
  10. Restart the role.
  11. Restart the service. Select Restart from the Actions drop-down menu adjacent to HBASE-n (Cluster).

Configure HBase Servers and Clients to Authenticate with a Secure ZooKeeper

As mentioned above, secure HBase also requires secure ZooKeeper. The various HBase host systems—Master, RegionServer, and client—must have a principal to use to authenticate to the secure ZooKeeper ensemble. This is handled transparently by Cloudera Manager when you enable Kerberos as detailed above.

Configure HBase REST Server for Kerberos Authentication

Currently, the HBase REST Server uses Simple (rather than Kerberos) authentication by default. You must manually modify the setting using the Cloudera Manager Admin Console, as follows:
  1. Log on to Cloudera Manager Admin Console.
  2. Select Clusters > HBASE.
  3. Click the Configuration tab.
  4. Under the Scope filter, click HBase (Service-Wide).
  5. Under the Category filter, click Security.
  6. Find the HBase REST Authentication property:

  7. Click kerberos to select Kerberos instead of simple authentication.
  8. Click Save Changes.
  9. Restart the role.
  10. Restart the service. Select Restart from the Actions drop-down menu adjacent to HBASE-n (Cluster).