Security
Authentication
Currently the only supported authentication mechanism is Kerberos, which is disabled by default. For Kerberos to work a Kerberos Key Distribution Center (KDC) is needed, which you need to provide. The secret-operator documentation states which kind of Kerberos servers are supported and how they can be configured.
1. Prepare Kerberos server
To configure HDFS and Hbase to use Kerberos you first need to collect information about your Kerberos server, e.g. hostname and port. Additionally, you need a service-user which the secret-operator uses to create principals for the HDFS services.
2. Create Kerberos SecretClass
Afterwards you need to enter all the needed information into a SecretClass, as described in secret-operator documentation.
The following guide assumes you have named your SecretClass kerberos
.
3. Configure HDFS to use SecretClass
The next step is to configure your HdfsCluster to use the newly created SecretClass.
Please follow the HDFS security guide to set up and test this.
Please watch out to use the SecretClass named kerberos
.
4. Configure HBase to use SecretClass
The last step is to configure the same SecretClass for HBase, which is done similar to HDFS.
HDFS and HBase need to use the same SecretClass (or at least use the same underlying Kerberos server). |
spec:
clusterConfig:
authentication:
tlsSecretClass: tls # Optional, defaults to "tls"
kerberos:
secretClass: kerberos # Put your SecretClass name in here
The kerberos.secretClass
is used to give HBase the possibility to request keytabs from the secret-operator.
The tlsSecretClass
is needed to request TLS certificates, used e.g. for the Web UIs.
5. Verify that Kerberos authentication is required
Shell into the hbase-master-default-0
Pod and execute the following commands:
-
kdestroy
(just in case you runkinit
in the Pod already in the past) -
echo 'list;' | bin/hbase shell
The last command should fail with the error message ERROR: Found no valid authentication method from options
.
You can also check the RestServer by calling curl -v --insecure https://hbase-restserver-default:8081
, which should return HTTP ERROR 401 Authentication required
.
6. Access HBase
In case you want to access your HBase it is recommended to start up a client Pod that connects to HBase, rather than shelling into the master. We have an integration test for this exact purpose, where you can see how to connect and get a valid keytab.