vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/mrs/component-operation-guide/mrs_01_1009.html
Yang, Tong 6182f91ba8 MRS component operation guide_normal 2.0.38.SP20 version 
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Yang, Tong <yangtong2@huawei.com>
Co-committed-by: Yang, Tong <yangtong2@huawei.com>
2022-12-09 14:55:21 +00:00

38 lines
5.2 KiB
HTML
Raw Blame History

<a name="mrs_01_1009"></a><a name="mrs_01_1009"></a>
<h1 class="topictitle1">Configuring Secure HBase Replication</h1>
<div id="body1590128863822"><div class="section" id="mrs_01_1009__sf925fa55729e4e54b6c12b09724fdb67"><h4 class="sectiontitle">Scenario</h4><p id="mrs_01_1009__a6afe2c54a73c4e04b800da885d9e6ef3">This topic provides the procedure to configure the secure HBase replication during cross-realm Kerberos setup in security mode.</p>
</div>
<div class="section" id="mrs_01_1009__see2d3ce34aac434495e283a5c9600f93"><h4 class="sectiontitle">Prerequisites</h4><ul id="mrs_01_1009__ul1464794315418"><li id="mrs_01_1009__li17647174311417">Mapping for all the FQDNs to their realms should be defined in the Kerberos configuration file.</li><li id="mrs_01_1009__li4647194344119">The passwords and keytab files of <strong id="mrs_01_1009__b85525340509">ONE.COM</strong> and <strong id="mrs_01_1009__b7207193725012">TWO.COM</strong> must be the same.</li></ul>
</div>
<div class="section" id="mrs_01_1009__s0f66bbc85d194811ac5468fd6d4e1927"><h4 class="sectiontitle">Procedure</h4><ol id="mrs_01_1009__o3ad90f38ba0c452ab6512878238c1878"><li id="mrs_01_1009__l3b75b6974dcc4308b00ec5cd26223b79"><span>Create krbtgt principals for the two realms.</span><p><p id="mrs_01_1009__ab82321a695a044258388f27ad370f38d">For example, if you have two realms called <strong id="mrs_01_1009__b13233190123311">ONE.COM</strong> and <strong id="mrs_01_1009__b171641734336">TWO.COM</strong>, you need to add the following principals: <strong id="mrs_01_1009__b1456151173315">krbtgt/ONE.COM@TWO.COM</strong> and <strong id="mrs_01_1009__b87140132333">krbtgt/TWO.COM@ONE.COM</strong>.</p>
<p id="mrs_01_1009__a7bfdc600086a46d0abf3f1ece1395d89">Add these two principals at both realms.</p>
<pre class="screen" id="mrs_01_1009__sf0da09c1a9ce4d29a4518589e67935e4">kadmin: addprinc -e "&lt;enc_type_list&gt;" krbtgt/ONE.COM@TWO.COM
kadmin: addprinc -e "&lt;enc_type_list&gt;" krbtgt/TWO.COM@ONE.COM</pre>
<div class="note" id="mrs_01_1009__n30abbdc3c24d4cc9a8d75fb2051bb33e"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1009__a7aaccd16c07145d18391f91fd3796bde">There must be at least one common keytab mode between these two realms.</p>
</div></div>
</p></li><li id="mrs_01_1009__l23b1c5c065f84adf8a7965ec7a44fbf8"><span>Add rules for creating short names in Zookeeper.</span><p><div class="p" id="mrs_01_1009__en-us_topic_0039590248_p71517310124"><strong id="mrs_01_1009__b114285231783">Dzookeeper.security.auth_to_local</strong> is a parameter of the ZooKeeper server process. Following is an example rule that illustrates how to add support for the realm called <strong id="mrs_01_1009__b1682013513710">ONE.COM</strong>. The principal has two members (such as <strong id="mrs_01_1009__b1852171912374">service/instance@ONE.COM</strong>).<pre class="screen" id="mrs_01_1009__sce5597c1a9ae435d93354a6913349750">Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QONE.COM\\E$)s/@\\QONE.COM\\E$//DEFAULT</pre>
</div>
<p id="mrs_01_1009__a67597ba3f5a6414f9187fb2f3dbfd361">The above code example adds support for the <strong id="mrs_01_1009__b425191718396">ONE.COM</strong> realm in a different realm. Therefore, in the case of replication, you must add a rule for the master cluster realm in the slave cluster realm. <strong id="mrs_01_1009__b93812049132414">DEFAULT</strong> is for defining the default rule.</p>
</p></li><li id="mrs_01_1009__lbd6702663be74ba0bdf29b9862adc776"><span>Add rules for creating short names in the Hadoop processes.</span><p><p id="mrs_01_1009__a1e532d64d8ff4dd4bcef3ae90b587986">The following is the <strong id="mrs_01_1009__b9273111394517">hadoop.security.auth_to_local</strong> property in the <span class="filepath" id="mrs_01_1009__fff6628700cd0410ab171c9e1dc31abaf"><b>core-site.xml</b></span> file in the slave cluster HBase processes. For example, to add support for the <strong id="mrs_01_1009__b15108052174716">ONE.COM</strong> realm:</p>
<pre class="screen" id="mrs_01_1009__s76981716dfed4ea3bfbe1fa4e2e369d2">&lt;property&gt;
&lt;name&gt;hadoop.security.auth_to_local&lt;/name&gt;
&lt;value&gt;RULE:[2:$1@$0](.*@\QONE.COM\E$)s/@\QONE.COM\E$//DEFAULT&lt;/value&gt;
&lt;/property&gt;</pre>
<div class="note" id="mrs_01_1009__n203dcde46277498c8a5702f623fd8f44"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1009__aaa5d89e53aa0486bbd244c90c36fa77b">If replication for bulkload data is enabled, then the same property for supporting the slave realm needs to be added in the <span class="filepath" id="mrs_01_1009__f0c18580d2dee40e4983a5d0b147560bb"><b>core-site.xml</b></span> file in the master cluster HBase processes.</p>
<p id="mrs_01_1009__aa665f93a144e4f7bbeaeae0a9cb37861">Example:</p>
<pre class="screen" id="mrs_01_1009__s01499eab7fa64df8a0a42a717f974259">&lt;property&gt;
&lt;name&gt;hadoop.security.auth_to_local&lt;/name&gt;
&lt;value&gt;RULE:[2:$1@$0](.*@\QTWO.COM\E$)s/@\QTWO.COM\E$//DEFAULT&lt;/value&gt;
&lt;/property&gt;</pre>
</div></div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="mrs_01_0500.html">Using HBase</a></div>
</div>
</div>
View Git Blame Copy Permalink