HBase only supports Kerberos security, and can run securely independently of the security status of your MapR cluster.

Secure HBase on a MapR cluster requires HBase version 0.94.13 or later.

To configure HBase to use Kerberos, perform the following steps:

  1. Install the mapr-hbase-master and mapr-hbase-regionserver packages on the cluster.   
  2. On all HBase nodes, perform the following steps:
    1. Install the krb5 packages and configure the Kerberos client as per the configuration for your environment.
    2. Set up the HBase Kerberos principal mapr/<fqdn>@<realm>. Each node requires a unique keytab file and Kerberos identity.
    3. Create an hbase.keytab file with the HBase Kerberos principal with the same process used to generate the CLDB keytab.
    4. Copy the hbase.keytab file to the /opt/mapr/conf directory.
    5. Use the chown command to change the keytab file's ownership to mapr:mapr.
    6. Use the chmod command to set the file's permissions to 600.
    7. Update the hbase-site.xml file by adding the following section:

      <property>
         <name>hbase.security.authentication</name>
         <value>kerberos</value>
       </property>
       <property>
        <name>hbase.security.authorization</name>
         <value>true</value>
       </property>
      <property>
         <name>hbase.rpc.engine</name>
         <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
       </property>
       <property>
         <name>hbase.regionserver.kerberos.principal</name>
         <value>mapr/_HOST@<KERBEROS_REALM></value>
       </property>
       <property>
         <name>hbase.master.kerberos.principal</name>
        <value>mapr/_HOST@<KERBEROS_REALM></value>
       </property>
    8. On a MapR cluster with security features enabled, replace the ${SIMPLE_LOGIN_OPTS} value of the MAPR_HBASE_SERVER_OPTS property with ${KERBEROS_LOGIN_OPTS} and the value of the  MAPR_HBASE_CLIENT_OPTS property with ${HYBRID_LOGIN_OPTS}. Also remove the default -Dzookeeper.sasl.client=false option from the definition of MAPR_HBASE_CLIENT_OPTS.

      These properties are located in the /opt/mapr/conf/env.sh file. 

    9. On a MapR cluster with security features disabled, replace the ${SIMPLE_LOGIN_OPTS} value of the MAPR_HBASE_SERVER_OPTS and  MAPR_HBASE_CLIENT_OPTS properties in the /opt/mapr/conf/env.sh file with ${KERBEROS_LOGIN_OPTS}.

  3. On all HBase regionserver nodes, update the hbase-site.xml file by adding the following section:

    <property>
       <name>hbase.regionserver.keytab.file</name>
       <value>/opt/mapr/conf/hbase.keytab</value>
     </property>
     <property>
       <name>hbase.coprocessor.region.classes</name> 
       <value> org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
     </property>
  4. On the HBase master node, update the hbase-site.xml file by adding the following section:

    <property>
      <name>hbase.master.keytab.file</name>
      <value>/opt/mapr/conf/hbase.keytab</value>
    </property>
    <property>
      <name>hbase.coprocessor.master.classes</name>
      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
    </property>
  5. Restart the HBase master and regionserver nodes.