Hi all,
I set up Hadoop (1.2.0), Zookeeper (3.4.5) and HBase (0.94.8-security) with
security.
HBase works if I launch the shell from the node running the master, but I'd
like to use it from an external machine.
I prepared one, copying the Hadoop and HBase installation folders and adapting
the path (indeed I can use the same client to run MR jobs and interact with
HDFS).
Regarding HBase client configuration:
- hbase-site.xml specifies
  <property>
    <name>hbase.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hbase.rpc.engine</name>
    <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
  </property>
  <property>
    <name>hbase.zookeeper.quorum</name>
    <value>master.hadoop.local,host49.hadoop.local</value>
  </property>
where the zookeeper hosts are reachable and can be resolved via DNS. I had to
specify them, otherwise the shell complains about
"org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode = ConnectionLoss for /hbase/hbaseid"
- I have a keytab for the principal I want to use (<user running hbase/my
client hostname@MYREALM>), correctly addressed by the file
hbase/conf/zk-jaas.conf. In hbase-env.sh, the variable HBASE_OPTS points to
zk-jaas.conf.
Nonetheless, when I issue a command from an HBase shell on the client machine, I
get an error in the HBase master log:
2013-08-29 10:11:30,890 WARN org.apache.hadoop.ipc.HBaseServer: IPC Server listener on 60000: readAndProcess threw exception org.apache.hadoop.security.AccessControlException: Authentication is required. Count of bytes read: 0
org.apache.hadoop.security.AccessControlException: Authentication is required
    at org.apache.hadoop.hbase.ipc.SecureServer$SecureConnection.readAndProcess(SecureServer.java:435)
    at org.apache.hadoop.hbase.ipc.HBaseServer$Listener.doRead(HBaseServer.java:748)
    at org.apache.hadoop.hbase.ipc.HBaseServer$Listener$Reader.doRunLoop(HBaseServer.java:539)
    at org.apache.hadoop.hbase.ipc.HBaseServer$Listener$Reader.run(HBaseServer.java:514)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
It looks like there's a mismatch between the client and the master regarding
the authentication mechanism. Note that from the same client machine I can
launch and use a Zookeeper shell.
What am I missing in the client configuration? Does /etc/krb5.conf play any
role in this?
Thanks,
Matteo
Matteo Lanati
Distributed Resources Group
Leibniz-Rechenzentrum (LRZ)
Boltzmannstrasse 1
85748 Garching b. München (Germany)
Phone: +49 89 35831 8724