vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/mrs/component-operation-guide-lts/mrs_01_1009.html
Yang, Tong 3f5759eed2 MRS comp-lts 2.0.38.SP20 version 
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Yang, Tong <yangtong2@huawei.com>
Co-committed-by: Yang, Tong <yangtong2@huawei.com>
2023-01-19 17:08:45 +00:00

38 lines
6.3 KiB
HTML
Raw Blame History

<a name="mrs_01_1009"></a><a name="mrs_01_1009"></a>
<h1 class="topictitle1">Configuring Secure HBase Replication</h1>
<div id="body8662426"><div class="section" id="mrs_01_1009__en-us_topic_0000001173789330_sf925fa55729e4e54b6c12b09724fdb67"><h4 class="sectiontitle">Scenario</h4><p id="mrs_01_1009__en-us_topic_0000001173789330_a6afe2c54a73c4e04b800da885d9e6ef3">This topic provides the procedure to configure the secure HBase replication during cross-realm Kerberos setup in security mode.</p>
</div>
<div class="section" id="mrs_01_1009__en-us_topic_0000001173789330_see2d3ce34aac434495e283a5c9600f93"><h4 class="sectiontitle">Prerequisites</h4><ul id="mrs_01_1009__en-us_topic_0000001173789330_ul1464794315418"><li id="mrs_01_1009__en-us_topic_0000001173789330_li17647174311417">Mapping for all the FQDNs to their realms should be defined in the Kerberos configuration file.</li><li id="mrs_01_1009__en-us_topic_0000001173789330_li4647194344119">The passwords and keytab files of <strong id="mrs_01_1009__en-us_topic_0000001173789330_b85525340509">ONE.COM</strong> and <strong id="mrs_01_1009__en-us_topic_0000001173789330_b7207193725012">TWO.COM</strong> must be the same.</li></ul>
</div>
<div class="section" id="mrs_01_1009__en-us_topic_0000001173789330_s0f66bbc85d194811ac5468fd6d4e1927"><h4 class="sectiontitle">Procedure</h4><ol id="mrs_01_1009__en-us_topic_0000001173789330_o3ad90f38ba0c452ab6512878238c1878"><li id="mrs_01_1009__en-us_topic_0000001173789330_l3b75b6974dcc4308b00ec5cd26223b79"><span>Create krbtgt principals for the two realms.</span><p><p id="mrs_01_1009__en-us_topic_0000001173789330_ab82321a695a044258388f27ad370f38d">For example, if you have two realms called <strong id="mrs_01_1009__en-us_topic_0000001173789330_b13233190123311">ONE.COM</strong> and <strong id="mrs_01_1009__en-us_topic_0000001173789330_b171641734336">TWO.COM</strong>, you need to add the following principals: <strong id="mrs_01_1009__en-us_topic_0000001173789330_b1456151173315">krbtgt/ONE.COM@TWO.COM</strong> and <strong id="mrs_01_1009__en-us_topic_0000001173789330_b87140132333">krbtgt/TWO.COM@ONE.COM</strong>.</p>
<p id="mrs_01_1009__en-us_topic_0000001173789330_a7bfdc600086a46d0abf3f1ece1395d89">Add these two principals at both realms.</p>
<pre class="screen" id="mrs_01_1009__en-us_topic_0000001173789330_sf0da09c1a9ce4d29a4518589e67935e4">kadmin: addprinc -e "&lt;enc_type_list&gt;" krbtgt/ONE.COM@TWO.COM
kadmin: addprinc -e "&lt;enc_type_list&gt;" krbtgt/TWO.COM@ONE.COM</pre>
<div class="note" id="mrs_01_1009__en-us_topic_0000001173789330_n30abbdc3c24d4cc9a8d75fb2051bb33e"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1009__en-us_topic_0000001173789330_a7aaccd16c07145d18391f91fd3796bde">There must be at least one common keytab mode between these two realms.</p>
</div></div>
</p></li><li id="mrs_01_1009__en-us_topic_0000001173789330_l23b1c5c065f84adf8a7965ec7a44fbf8"><span>Add rules for creating short names in Zookeeper.</span><p><div class="p" id="mrs_01_1009__en-us_topic_0000001173789330_en-us_topic_0039590248_p71517310124"><strong id="mrs_01_1009__en-us_topic_0000001173789330_b114285231783">Dzookeeper.security.auth_to_local</strong> is a parameter of the ZooKeeper server process. Following is an example rule that illustrates how to add support for the realm called <strong id="mrs_01_1009__en-us_topic_0000001173789330_b1682013513710">ONE.COM</strong>. The principal has two members (such as <strong id="mrs_01_1009__en-us_topic_0000001173789330_b1852171912374">service/instance@ONE.COM</strong>).<pre class="screen" id="mrs_01_1009__en-us_topic_0000001173789330_sce5597c1a9ae435d93354a6913349750">Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QONE.COM\\E$)s/@\\QONE.COM\\E$//DEFAULT</pre>
</div>
<p id="mrs_01_1009__en-us_topic_0000001173789330_a67597ba3f5a6414f9187fb2f3dbfd361">The above code example adds support for the <strong id="mrs_01_1009__en-us_topic_0000001173789330_b425191718396">ONE.COM</strong> realm in a different realm. Therefore, in the case of replication, you must add a rule for the master cluster realm in the slave cluster realm. <strong id="mrs_01_1009__en-us_topic_0000001173789330_b93812049132414">DEFAULT</strong> is for defining the default rule.</p>
</p></li><li id="mrs_01_1009__en-us_topic_0000001173789330_lbd6702663be74ba0bdf29b9862adc776"><span>Add rules for creating short names in the Hadoop processes.</span><p><p id="mrs_01_1009__en-us_topic_0000001173789330_a1e532d64d8ff4dd4bcef3ae90b587986">The following is the <strong id="mrs_01_1009__en-us_topic_0000001173789330_b9273111394517">hadoop.security.auth_to_local</strong> property in the <span class="filepath" id="mrs_01_1009__en-us_topic_0000001173789330_fff6628700cd0410ab171c9e1dc31abaf"><b>core-site.xml</b></span> file in the slave cluster HBase processes. For example, to add support for the <strong id="mrs_01_1009__en-us_topic_0000001173789330_b15108052174716">ONE.COM</strong> realm:</p>
<pre class="screen" id="mrs_01_1009__en-us_topic_0000001173789330_s76981716dfed4ea3bfbe1fa4e2e369d2">&lt;property&gt;
&lt;name&gt;hadoop.security.auth_to_local&lt;/name&gt;
&lt;value&gt;RULE:[2:$1@$0](.*@\QONE.COM\E$)s/@\QONE.COM\E$//DEFAULT&lt;/value&gt;
&lt;/property&gt;</pre>
<div class="note" id="mrs_01_1009__en-us_topic_0000001173789330_n203dcde46277498c8a5702f623fd8f44"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1009__en-us_topic_0000001173789330_aaa5d89e53aa0486bbd244c90c36fa77b">If replication for bulkload data is enabled, then the same property for supporting the slave realm needs to be added in the <span class="filepath" id="mrs_01_1009__en-us_topic_0000001173789330_f0c18580d2dee40e4983a5d0b147560bb"><b>core-site.xml</b></span> file in the master cluster HBase processes.</p>
<p id="mrs_01_1009__en-us_topic_0000001173789330_aa665f93a144e4f7bbeaeae0a9cb37861">Example:</p>
<pre class="screen" id="mrs_01_1009__en-us_topic_0000001173789330_s01499eab7fa64df8a0a42a717f974259">&lt;property&gt;
&lt;name&gt;hadoop.security.auth_to_local&lt;/name&gt;
&lt;value&gt;RULE:[2:$1@$0](.*@\QTWO.COM\E$)s/@\QTWO.COM\E$//DEFAULT&lt;/value&gt;
&lt;/property&gt;</pre>
</div></div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="mrs_01_0500.html">Using HBase</a></div>
</div>
</div>
View Git Blame Copy Permalink