
HBase in Pseudo-Distributed Mode with Kerberos Authentication

Prerequisites

  • Ubuntu

Setup Kerberos (Basic)

See /docs/auxiliary-software/kerberos

Hadoop Kerberos Configuration

sudo kadmin.local
kadmin.local: addprinc hdfs/localhost@JREACT.EXAMPLE.COM
kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab hdfs/localhost@JREACT.EXAMPLE.COM

kadmin.local: addprinc host/localhost@JREACT.EXAMPLE.COM
kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab host/localhost@JREACT.EXAMPLE.COM

Check:

kadmin.local: list_principals

Create HBase Principal and Keytab

sudo kadmin.local
kadmin.local: addprinc -randkey hbase/localhost@JREACT.EXAMPLE.COM
kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab hbase/localhost@JREACT.EXAMPLE.COM

Substitute your own keytab path and principal for /etc/krb5kdc/kadm5.keytab and hbase/localhost@JREACT.EXAMPLE.COM.

Configure HBase for Kerberos

Add the following properties to hbase-site.xml, inside the <configuration> element:

<property>
  <name>hbase.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hbase.master.kerberos.principal</name>
  <value>hbase/localhost@JREACT.EXAMPLE.COM</value>
</property>
<property>
  <name>hbase.regionserver.kerberos.principal</name>
  <value>hbase/localhost@JREACT.EXAMPLE.COM</value>
</property>
<property>
  <name>hbase.master.keytab.file</name>
  <value>/etc/krb5kdc/kadm5.keytab</value>
</property>
<property>
  <name>hbase.regionserver.keytab.file</name>
  <value>/etc/krb5kdc/kadm5.keytab</value>
</property>

Also, in hbase-env.sh:

...
...
export HBASE_OPTS="$HBASE_OPTS -Djava.security.krb5.conf=/etc/krb5.conf"
...

Make sure you have obtained a ticket for the HBase principal from the keytab:

kinit -k -t /etc/krb5kdc/kadm5.keytab hbase/localhost@JREACT.EXAMPLE.COM

List the keytab entries to confirm the principals and their encryption types:

klist -kte /etc/krb5kdc/kadm5.keytab

Output:

Keytab name: FILE:/etc/krb5kdc/kadm5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 04/11/2025 11:35:11 hdfs/localhost@JREACT.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 04/11/2025 11:35:11 hdfs/localhost@JREACT.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 04/11/2025 11:36:02 host/localhost@JREACT.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 04/11/2025 11:36:02 host/localhost@JREACT.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 04/11/2025 11:36:42 hbase/localhost@JREACT.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 04/11/2025 11:36:42 hbase/localhost@JREACT.EXAMPLE.COM (aes128-cts-hmac-sha1-96)

Then check the ticket cache:

klist

Output:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hbase/localhost@JREACT.EXAMPLE.COM

Valid starting Expires Service principal
04/11/2025 11:42:35 04/11/2025 21:42:35 krbtgt/JREACT.EXAMPLE.COM@JREACT.EXAMPLE.COM
renew until 04/12/2025 11:42:35
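
The manual comparison above (principals named in hbase-site.xml against the klist -kte listing) can be scripted. The following is an added example, not part of the original page or of HBase: the function names site_prop, keytab_status and check_site are made up for illustration, the XML sample repeats this page's values, and the old/localhost entry in the listing is constructed to show the no-AES case.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check the principals in
# hbase-site.xml against `klist -kte` output before starting HBase.

# Sample hbase-site.xml fragment, using this page's values and layout.
SITE_XML='<property>
<name>hbase.master.kerberos.principal</name>
<value>hbase/localhost@JREACT.EXAMPLE.COM</value>
</property>
<property>
<name>hbase.regionserver.kerberos.principal</name>
<value>hbase/localhost@JREACT.EXAMPLE.COM</value>
</property>'

# Keytab listing: hbase lines as shown on this page, plus one constructed legacy entry.
KLIST_OUT='Keytab name: FILE:/etc/krb5kdc/kadm5.keytab
KVNO Timestamp           Principal
   2 04/11/2025 11:36:42 hbase/localhost@JREACT.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/11/2025 11:36:42 hbase/localhost@JREACT.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 01/01/2020 00:00:00 old/localhost@JREACT.EXAMPLE.COM (arcfour-hmac)'

# site_prop NAME: read hbase-site.xml on stdin, print the <value> that follows NAME.
site_prop() {
  awk -v n="$1" '
    index($0, "<name>" n "</name>") { hit = 1 }
    hit && match($0, /<value>[^<]*<\/value>/) {
      print substr($0, RSTART + 7, RLENGTH - 15); exit }'
}

# keytab_status PRINCIPAL: read `klist -kte` output on stdin and print
# "ok" (has an AES key), "weak" (present, but no AES key) or "missing".
keytab_status() {
  awk -v p="$1" '
    $1 ~ /^[0-9]+$/ && $4 == p { found = 1; if ($5 ~ /^\(aes(128|256)-/) aes = 1 }
    END { print (!found ? "missing" : (aes ? "ok" : "weak")) }'
}

# check_site SITE_XML KLIST_OUT: one status line per principal HBase logs in as.
check_site() {
  for prop in hbase.master.kerberos.principal hbase.regionserver.kerberos.principal; do
    princ=$(printf '%s\n' "$1" | site_prop "$prop")
    echo "$prop $(printf '%s\n' "$2" | keytab_status "$princ")"
  done
}

check_site "$SITE_XML" "$KLIST_OUT"
```

On a live host, pass the contents of hbase-site.xml and the output of klist -kte /etc/krb5kdc/kadm5.keytab as the two arguments to check_site; any line not ending in ok means the master or region server would fail to log in from that keytab or would do so without an AES key.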