Configuring Secure HBase Replication
If you are using HBase Replication and you want to make it secure, read this section for instructions. Before proceeding, you should already have configured HBase Replication by following the instructions in the HBase Replication section of the CDH4 Installation Guide.
To configure secure HBase replication, you must configure cross realm support for Kerberos, ZooKeeper, and Hadoop.
To configure secure HBase replication:
- Create krbtgt principals for the two realms. For example, if you have two realms called
ONE.COM and TWO.COM, you need to add the
following principals: krbtgt/ONE.COM@TWO.COM and
krbtgt/TWO.COM@ONE.COM. Add these two principals at both
realms. Note that there must be at least one common encryption mode between these
kadmin: addprinc -e "<enc_type_list>" krbtgt/ONE.COM@TWO.COM kadmin: addprinc -e "<enc_type_list>" krbtgt/TWO.COM@ONE.COM
- Add rules for creating short names in Zookeeper. To do this, add a system level
property in java.env, defined in the conf
directory. Here is an example rule that illustrates how to add support for the realm
called ONE.COM, and have two members in the principal (such as
The above code example adds support for the ONE.COM realm in a different realm. So, in the case of replication, you must add a rule for the master cluster realm in the slave cluster realm. DEFAULT is for defining the default rule.
- Add rules for creating short names in the Hadoop processes. To do this, add the
hadoop.security.auth_to_local property in the
core-site.xml file in the slave cluster. For example, to add
support for the ONE.COM realm:
<property> <name>hadoop.security.auth_to_local</name> <value> RULE:[2:$1@$0](.*@\QONE.COM\E$)s/@\QONE.COM\E$// DEFAULT </value> </property>
For more information about adding rules, see Appendix C - Configuring the Mapping from Kerberos Principals to Short Names.