Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Threaded View
HBase >> mail # user >> HBase client with security


Copy link to this message
-
Re: HBase client with security
Two things come to mind:

1. Is HADOOP_CONF_DIR also on HBase's classpath? If it or
HADOOP_PREFIX/HADOOP_HOME is defined, it usually is. But re-check via
"hbase classpath"
2. Assuming (1) is good, does your core-site.xml have kerberos
authentication settings for hadoop as well?

On Thu, Aug 29, 2013 at 6:58 PM, Lanati, Matteo <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I set up Hadoop (1.2.0), Zookeeper (3.4.5) and HBase (0.94.8-security) with security.
> HBase works if I launch the shell from the node running the master, but I'd like to use it from an external machine.
> I prepared one, copying the Hadoop and HBase installation folders and adapting the path (indeed I can use the same client to run MR jobs and interact with HDFS).
> Regarding HBase client configuration:
>
> - hbase-site.xml specifies
>
>  <property>
>    <name>hbase.security.authentication</name>
>    <value>kerberos</value>
>  </property>
>  <property>
>    <name>hbase.rpc.engine</name>
>    <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
>  </property>
>  <property>
>    <name>hbase.zookeeper.quorum</name>
>    <value>master.hadoop.local,host49.hadoop.local</value>
>  </property>
>
> where the zookeeper hosts are reachable and can be solved via DNS. I had to specify them otherwise the shell complains about "org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode = ConnectionLoss for /hbase/hbaseid"
>
> - I have a keytab for the principal I want to use (<user running hbase/my client hostname@MYREALM>), correctly addressed by the file hbase/conf/zk-jaas.conf. In hbase-env.sh, the variable HBASE_OPTS points to zk-jaas.conf.
>
> Nonetheless, when I issue a command from a HBase shell on the client machine, I got an error in the HBase master log
>
> 2013-08-29 10:11:30,890 WARN org.apache.hadoop.ipc.HBaseServer: IPC Server listener on 60000: readAndProcess threw exception org.apache.hadoop.security.AccessControlException: Authentication is required. Count of bytes read: 0
> org.apache.hadoop.security.AccessControlException: Authentication is required
>         at org.apache.hadoop.hbase.ipc.SecureServer$SecureConnection.readAndProcess(SecureServer.java:435)
>         at org.apache.hadoop.hbase.ipc.HBaseServer$Listener.doRead(HBaseServer.java:748)
>         at org.apache.hadoop.hbase.ipc.HBaseServer$Listener$Reader.doRunLoop(HBaseServer.java:539)
>         at org.apache.hadoop.hbase.ipc.HBaseServer$Listener$Reader.run(HBaseServer.java:514)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>         at java.lang.Thread.run(Unknown Source)
>
> It looks like there's a mismatch between the client and the master regarding the authentication mechanism. Note that from the same client machine I can launch and use a Zookeeper shell.
> What am I missing in the client configuration? Does /etc/krb5.conf play any role into this?
> Thanks,
>
> Matteo
>
>
> Matteo Lanati
> Distributed Resources Group
> Leibniz-Rechenzentrum (LRZ)
> Boltzmannstrasse 1
> 85748   Garching b. München     (Germany)
> Phone: +49 89 35831 8724
>
>

--
Harsh J