This is the documentation for CDH 4.7.0.
Documentation for other versions is available at Cloudera Documentation.

Configuring Secure HBase Replication

If you are using HBase Replication and you want to make it secure, read this section for instructions. Before proceeding, you should already have configured HBase Replication by following the instructions in the HBase Replication section of the CDH4 Installation Guide.

To configure secure HBase replication, you must configure cross realm support for Kerberos, ZooKeeper, and Hadoop.

To configure secure HBase replication:

  1. Create krbtgt principals for the two realms. For example, if you have two realms called ONE.COM and TWO.COM, you need to add the following principals: krbtgt/ONE.COM@TWO.COM and krbtgt/TWO.COM@ONE.COM. Add these two principals at both realms. Note that there must be at least one common encryption mode between these two realms.
    kadmin: addprinc -e "<enc_type_list>" krbtgt/ONE.COM@TWO.COM
    kadmin: addprinc -e "<enc_type_list>" krbtgt/TWO.COM@ONE.COM
  2. Add rules for creating short names in Zookeeper. To do this, add a system level property in java.env, defined in the conf directory. Here is an example rule that illustrates how to add support for the realm called ONE.COM, and have two members in the principal (such as service/instance@ONE.COM):
    -Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QONE.COM\\E$)s/@\\QONE.COM\\E$//DEFAULT

    The above code example adds support for the ONE.COM realm in a different realm. So, in the case of replication, you must add a rule for the master cluster realm in the slave cluster realm. DEFAULT is for defining the default rule.

  3. Add rules for creating short names in the Hadoop processes. To do this, add the hadoop.security.auth_to_local property in the core-site.xml file in the slave cluster. For example, to add support for the ONE.COM realm:
    <property>
      <name>hadoop.security.auth_to_local</name>
      <value>
        RULE:[2:$1@$0](.*@\QONE.COM\E$)s/@\QONE.COM\E$//
      DEFAULT
      </value>
    </property>

    For more information about adding rules, see Appendix C - Configuring the Mapping from Kerberos Principals to Short Names.