Configure MapR-SASL Security (Authentication and Encryption) for HBase
This section describes the manual method for configuring security in HBase.
$MAPR_HOME/server/configure.sh script with the -R
option. There are two methods to configure HBase to be secure by default:- Automatic Method
- Manual Method
Automatic Method
If you installed HBase by using the MapR Installer, the MapR Installer configures HBase daemons during installation. Additional configuration is not required.
Manual Method
$MAPR_HOME/server/configure.sh -R - HBase Master
- HBase RegionServer
- HBase Thrift
- HBase REST
Each service can be configured for authentication and encryption, as shown later on this page:
HBase Master and RegionServer
The Master and RegionServer services require the same configuration for security.
Authentication
hbase-site.xml
file:<property>
<name>hbase.security.authentication</name>
<value>maprsasl</value>
</property>Encryption
hbase-site.xml
file:<property>
<name>hbase.rpc.protection</name>
<value>privacy</value>
</property>hbase.rpc.protection property are:authentication (auth)integrity (auth-int)privacy (auth-conf)
The best practice is to spell out the values (authentication/integrity/privacy). The
abbreviated values (in parentheses) can work, but using them is not recommended.
Encryption is enabled only for the highest level of security
(privacy).
HBase Thrift
It is possible to configure the HBase Thrift service to work over sockets or over the
HTTP protocol. For authentication purposes, configuration is the same for both cases.
For encryption, configuration is different for each case. Note that starting with the
EEP6.3.0 property,
hbase.thrift.security.authentication is no longer used to configure
HBase Thrift for authentication.
Authentication
hbase-site.xml
file:<property>
<name>hbase.security.authentication</name>
<value>maprsasl</value>
</property>Encryption for Thrift over Sockets
hbase.regionserver.thrift.http property is set to
false and the following property is present
in the
hbase-site.xml
file:<property>
<name>hbase.thrift.security.qop</name>
<value>auth-conf</value>
</property>hbase.thrift.security.qop are:authauth-intauth-conf
Encryption is enabled only for the highest level of security
(auth-conf).
Encryption for Thrift over HTTP
hbase-site.xml
file:<property>
<name>hbase.regionserver.thrift.http</name>
<value>true</value>
</property>hbase-site.xml
file:<property>
<name>hbase.thrift.ssl.enabled</name>
<value>true</value>
</property>HBase REST
Authentication
hbase-site.xml
file:<property>
<name>hbase.rest.authentication.type</name>
<value>org.apache.hadoop.security.authentication.server.MultiMechsAuthenticationHandler</value>
</property>With the MultiMechsAuthenticationHandler, MapR-SASL, Kerberos, and PAM authentication headers are supported. A custom AuthenticationHandler could be implemented and specified with the full class name in this property.
Encryption
hbase-site.xml
file:<property>
<name>hbase.rest.ssl.enabled</name>
<value>true</value>
</property>HBase Services Web UIs
Web UIs are available for each HBase service. The Web UIs run simultaneously with the service and within the same process. Security for these UIs must be configured too.
Authentication
hbase-site.xml
file:<property>
<name>hbase.security.authentication</name>
<value>maprsasl</value>
</property>Authentication is implemented through the MultiMechsAuthenticationHandler and therefore supports MapR-SASL, Kerberos, and PAM authentication headers.
Encryption
hbase-site.xml
file:<property>
<name>hbase.ssl.enabled</name>
<value>true</value>
</property>