[ 
https://issues.apache.org/jira/browse/HBASE-15254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15144927#comment-15144927
 ] 

Gary Helmling commented on HBASE-15254:
---------------------------------------

bq. We simply ran the command add_peer '1', "server1.cie.com:2181:/hbase".

You can simply change this to:
{noformat}
add_peer '1', CLUSTER_KEY => "server1.cie.com:2181:/hbase",
    CONFIG => {
        'hbase.master.kerberos.principal' => 'hbase/[email protected]',
        'hbase.regionserver.kerberos.principal' => 'hbase/[email protected]',
    }
{noformat}

and replication should work.  Without HBASE-14866, I believe you will still 
have a problem with the {{enable_table_replication}} shell command, but the 
patch in that issue should fix it for you.  Yes, this is not well documented.  
We should add it to the reference guide.

bq. Our idea to handle this issue was (similar to how Hadoop and Zookeeper 
work), we add a new type in AuthMethod which will be used as a marker for 
server to identify whether client has requested for its principal.

I agree that this would be more user friendly.  But would this leave the 
overall system less secure?  I thought the reason for the client validating the 
server principal matches the expected value was to avoid server impersonation 
(making the authentication mutual).  Would changing the client to allow the 
server to send its configured principal allow MITM attacks by anyone with 
valid Kerberos credentials, or do you see this being mitigated some other way?
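As an added illustration of the point raised in this comment (example code, not from HBASE-15254 or from HBase itself), the following Ruby models how a replication client derives the peer server principal it expects from the same configuration keys the add_peer CONFIG map carries, and contrasts the strict client-side check with a mode that simply trusts whatever principal the server announces. Hostnames, realms and principals are constructed placeholders; the `_HOST` substitution follows the Hadoop convention of replacing that token with the server's lowercase fully qualified host name, and `trust_server_announced:` is a hypothetical switch used only to show the difference.

```ruby
# Added example (not HBase code): expected-server-principal derivation and the
# client-side check that makes Kerberos/SASL authentication mutual.
# All hosts, realms and principals below are constructed placeholders.

HOST_TOKEN = '_HOST'.freeze

# Resolve a configured principal pattern for a concrete server host.
# "_HOST" is replaced by the server's lowercase FQDN (Hadoop convention);
# a fixed-domain principal without "_HOST" resolves to itself for every host.
def expected_server_principal(pattern, host)
  unless pattern.match?(%r{\A[^/@]+/[^/@]+@[^/@]+\z})
    raise ArgumentError, "principal must look like service/instance@REALM: #{pattern}"
  end
  pattern.sub(HOST_TOKEN, host.downcase)
end

# Principal the client should expect from a peer region server, read from the
# same key the shell's CONFIG map sets for the peer.
def peer_regionserver_principal(peer_config, host)
  expected_server_principal(peer_config.fetch('hbase.regionserver.kerberos.principal'), host)
end

# Client-side acceptance decision for the principal the server proved ownership of.
# Strict mode: it must equal the value the client computed from its own
# configuration, so a different party holding valid credentials in the realm is
# still rejected. The hypothetical trusting mode accepts any presented principal,
# which is the weakening the comment above asks about.
def server_principal_accepted?(expected, presented, trust_server_announced: false)
  return true if trust_server_announced
  expected == presented
end

# Constructed peer configurations in the shape of the add_peer CONFIG map.
FIXED_DOMAIN_PEER = {
  'hbase.master.kerberos.principal'       => 'hbase/hbase.peer.example.com@PEER.EXAMPLE.COM',
  'hbase.regionserver.kerberos.principal' => 'hbase/hbase.peer.example.com@PEER.EXAMPLE.COM',
}.freeze

HOST_BASED_PEER = {
  'hbase.master.kerberos.principal'       => 'hbase/_HOST@PEER.EXAMPLE.COM',
  'hbase.regionserver.kerberos.principal' => 'hbase/_HOST@PEER.EXAMPLE.COM',
}.freeze

if __FILE__ == $PROGRAM_NAME
  %w[rs1.peer.example.com RS2.peer.example.com].each do |host|
    fixed = peer_regionserver_principal(FIXED_DOMAIN_PEER, host)
    per_host = peer_regionserver_principal(HOST_BASED_PEER, host)
    puts "#{host}: fixed-domain expects #{fixed}; host-based expects #{per_host}"
  end

  expected = peer_regionserver_principal(FIXED_DOMAIN_PEER, 'rs1.peer.example.com')
  presented = 'hbase/other.peer.example.com@PEER.EXAMPLE.COM' # constructed mismatch
  puts "strict check:   #{server_principal_accepted?(expected, presented)}"
  puts "trusting check: #{server_principal_accepted?(expected, presented, trust_server_announced: true)}"
end
```

The strict check is the one the client performs today: the expected principal comes from the client's own configuration (the peer CONFIG entries shown in this comment), never from the server, so a fixed-domain principal works as long as it is what the peer cluster's servers actually hold.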



> Support fixed domain name in Kerberos name for HBase replication cross realm 
> trust setup
> ----------------------------------------------------------------------------------------
>
>                 Key: HBASE-15254
>                 URL: https://issues.apache.org/jira/browse/HBASE-15254
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Ashish Singhi
>            Assignee: Ashish Singhi
>              Labels: kerberos, replication, security
>
> HBase replication will not work with Kerberos cross realm trust when the domain 
> name in the principal is not the hostname. 
> A mail was also sent related to this in the user mailing list, [mail | 
> https://groups.google.com/forum/#!topic/nosql-databases/AYhQnU9Fc7E]
> The problem here is that whenever a user adds a new host to the cluster, he/she also 
> needs to add a principal name for that host in the KDC, generate a new keytab 
> file and update it across other hosts accordingly if required. 
> To save all this effort, users may prefer to have a fixed domain name in the 
> principal for all the hosts, and in that case HBase replication will fail 
> because currently we are using the client principal to create the SASL client; 
> instead we need to use the server principal to create the SASL client and establish the SASL 
> context.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
