Cloudera Enterprise 5.15.x | Other versions

Configuring Secure HBase Replication

If you are using HBase Replication and you want to make it secure, read this section for instructions. Before proceeding, you should already have configured HBase Replication by following the instructions in the HBase Replication section of the CDH 5 Installation Guide.

To configure secure HBase replication, you must configure cross realm support for Kerberos, ZooKeeper, and Hadoop.

  Note: HBase peer-to-peer replication from a non-Kerberized cluster to a Kerberized cluster is not supported.

To configure secure HBase replication:

  1. Create krbtgt principals for the two realms. For example, if you have two realms called ONE.COM and TWO.COM, you need to add the following principals: krbtgt/ONE.COM@TWO.COM and krbtgt/TWO.COM@ONE.COM. Add these two principals at both realms. There must be at least one common encryption mode between these two realms.
    kadmin: addprinc -e "<enc_type_list>" krbtgt/ONE.COM@TWO.COM
    kadmin: addprinc -e "<enc_type_list>" krbtgt/TWO.COM@ONE.COM
  2. Add rules for creating short names in Zookeeper. To do this, add a system level property in java.env, defined in the conf directory. Here is an example rule that illustrates how to add support for the realm called ONE.COM, and have two members in the principal (such as service/instance@ONE.COM):
    -Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QONE.COM\\E$)s/@\\QONE.COM\\E$//DEFAULT

    The above code example adds support for the ONE.COM realm in a different realm. So, in the case of replication, you must add a rule for the primary cluster realm in the replica cluster realm. DEFAULT is for defining the default rule.

  3. Add rules for creating short names in the Hadoop processes. To do this, add the hadoop.security.auth_to_local property in the core-site.xml file in the replica cluster. For example, to add support for the ONE.COM realm:
    <property>
      <name>hadoop.security.auth_to_local</name>
      <value>
        RULE:[2:$1@$0](.*@\QONE.COM\E$)s/@\QONE.COM\E$//
      DEFAULT
      </value>
    </property>

    For more information about adding rules, see Configuring the Mapping from Kerberos Principals to Short Names.

Page generated May 18, 2018.