vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/mrs/umn/admin_guide_000276.html
Yang, Tong 2195db241c MRS UMN 20231220 version update 
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Reviewed-by: Rechenburg, Matthias <matthias.rechenburg@t-systems.com>
Co-authored-by: Yang, Tong <yangtong2@huawei.com>
Co-committed-by: Yang, Tong <yangtong2@huawei.com>
2024-05-16 09:40:21 +00:00

111 lines
30 KiB
HTML
Raw Blame History

<a name="admin_guide_000276"></a><a name="admin_guide_000276"></a>
<h1 class="topictitle1">HFile and WAL Encryption</h1>
<div id="body1530067732189"><div class="section" id="admin_guide_000276__s1948b0b624dc4a0caf5f17669ca5244d"><a name="admin_guide_000276__s1948b0b624dc4a0caf5f17669ca5244d"></a><a name="s1948b0b624dc4a0caf5f17669ca5244d"></a><h4 class="sectiontitle">HFile and WAL Encryption</h4><div class="notice" id="admin_guide_000276__en-us_topic_0046736703_note16730309"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><ul id="admin_guide_000276__en-us_topic_0046736703_ul16355056"><li id="admin_guide_000276__en-us_topic_0046736703_li12977784">Setting the HFile and WAL encryption mode to SMS4 or AES has a great impact on the system and will cause data loss in case of any misoperation. Therefore, this operation is not recommended.</li></ul>
<ul id="admin_guide_000276__en-us_topic_0046736703_ul49691197"><li id="admin_guide_000276__en-us_topic_0046736703_li44567592">Batch data import using Bulkload does not support data encryption.</li></ul>
</div></div>
<p id="admin_guide_000276__en-us_topic_0046736703_p65564010">HFile and Write ahead log (WAL) in HBase are not encrypted by default. To encrypt them, perform the following operations.</p>
<ol id="admin_guide_000276__ol17597287194556"><li id="admin_guide_000276__li61064812194556"><a name="admin_guide_000276__li61064812194556"></a><a name="li61064812194556"></a><span>On any HBase node, run the following commands to create a key file as user <strong id="admin_guide_000276__b91970361495">omm</strong>:</span><p><p class="litext" id="admin_guide_000276__p13971192194556"><strong id="admin_guide_000276__b52449633141356">sh ${BIGDATA_HOME}/FusionInsight_HD_<strong id="admin_guide_000276__b136591056113910"><span id="admin_guide_000276__text1745071793714">8.1.0.1</span></strong></strong><strong id="admin_guide_000276__b2284649141356">/install/FusionInsight-HBase-<span id="admin_guide_000276__text14641134412189">2.2.3</span>/hbase/bin/hbase-encrypt.sh</strong><strong id="admin_guide_000276__b11727126171619"> <em id="admin_guide_000276__i430714341715">&lt;path&gt;/hbase.jks &lt;type&gt; &lt;length&gt; &lt;alias&gt;</em></strong></p>
<ul id="admin_guide_000276__ul1153191417913"><li class="litext" id="admin_guide_000276__li15318142917"><em id="admin_guide_000276__i9531214493">/&lt;path&gt;/hbase.jks</em> indicates the path for storing the generated JKS file.</li><li class="litext" id="admin_guide_000276__li125316144917"><em id="admin_guide_000276__i137124371504">&lt;type&gt;</em> indicates the encryption type, which can be SMS4 or AES.</li><li class="litext" id="admin_guide_000276__li9531914999"><em id="admin_guide_000276__i5104203245114">&lt;length&gt;</em> indicates the key length. SMS4 supports 16-bit and AES supports 128-bit.</li><li class="litext" id="admin_guide_000276__li145316143917"><em id="admin_guide_000276__i053151410910">&lt;alias&gt;</em> indicate the alias of the key file. When you create the key file for the first time, retain the default value <strong id="admin_guide_000276__b79161319115314">omm</strong>.</li></ul>
<p class="litext" id="admin_guide_000276__p1637114541752">For example, to generate an SMS4 encryption key, run the following command:</p>
<p class="litext" id="admin_guide_000276__p57908100194556"><strong id="admin_guide_000276__b3047596314147">sh ${BIGDATA_HOME}/<strong id="admin_guide_000276__b1829929914147">FusionInsight_HD_</strong></strong><strong id="admin_guide_000276__b7755169115511"><span id="admin_guide_000276__text89024417374">8.1.0.1</span></strong><strong id="admin_guide_000276__b5263395714147"><strong id="admin_guide_000276__b584821714147">/install</strong>/FusionInsight-HBase-<span id="admin_guide_000276__text102061710171913">2.2.3</span>/hbase/bin/hbase-encrypt.sh /home/hbase/conf/hbase.jks SMS4 16 omm</strong></p>
<p class="litext" id="admin_guide_000276__p2045612571859">To generate an AES encryption key, run the following command:</p>
<p class="litext" id="admin_guide_000276__p3529809194556"><strong id="admin_guide_000276__b35645624141422">sh ${BIGDATA_HOME}/<strong id="admin_guide_000276__b35237258141422"><strong id="admin_guide_000276__b48699867141422">FusionInsight_HD_</strong></strong></strong><strong id="admin_guide_000276__b821818118551"><span id="admin_guide_000276__text99605283715">8.1.0.1</span></strong><strong id="admin_guide_000276__b14529586141422"><strong id="admin_guide_000276__b52375160141422"><strong id="admin_guide_000276__b1614398141422">/install</strong></strong>/FusionInsight-HBase-<span id="admin_guide_000276__text1637012195196">2.2.3</span>/hbase/bin/hbase-encrypt.sh /home/hbase/conf/hbase.jks AES 128 omm</strong></p>
<div class="note" id="admin_guide_000276__note58980762194556"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="admin_guide_000276__ul58749201194556"><li id="admin_guide_000276__li17479147194556">To ensure operations can be successfully performed, the <strong id="admin_guide_000276__b22871415205717">&lt;path&gt;/hbase.jks</strong> directory needs to be created in advance, and the cluster operation user must have the <strong id="admin_guide_000276__b179801158125412">rw</strong> permission of this directory.</li><li id="admin_guide_000276__li58723472194556">After running the command, enter the same <em id="admin_guide_000276__i23094602194556">&lt;password&gt;</em> four times. The password encrypted in <a href="#admin_guide_000276__li59351885194556">3</a> is the same as the password in this step.</li></ul>
</div></div>
</p></li><li id="admin_guide_000276__li56853475194556"><span>Distribute the generated key files to the same directory on all nodes in the cluster and assign read and write permission to user <strong id="admin_guide_000276__b116561027529">omm</strong>.</span><p><div class="note" id="admin_guide_000276__note6317052194556"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="admin_guide_000276__ul23071516194556"><li id="admin_guide_000276__li12712400194556">Administrators need to select a safe procedure to distribute keys based on the enterprise security requirements.</li><li id="admin_guide_000276__li47302744194556">If the key files of some nodes are lost, repeat the step to copy the key files from other nodes.</li></ul>
</div></div>
</p></li><li id="admin_guide_000276__li59351885194556"><a name="admin_guide_000276__li59351885194556"></a><a name="li59351885194556"></a><span>On <span id="admin_guide_000276__text67509419010">MRS</span> Manager, set <strong id="admin_guide_000276__b20733122116317">hbase.crypto.keyprovider.parameters.encryptedtext</strong> to the encrypted password. Set <strong id="admin_guide_000276__b1490172815312">hbase.crypto.keyprovider.parameters.uri</strong> to the path and name of the key file.</span><p><ul id="admin_guide_000276__ul108015323818"><li class="litext" id="admin_guide_000276__li89903402818">The format of <strong id="admin_guide_000276__b1474413422312">hbase.crypto.keyprovider.parameters.uri</strong> is <strong id="admin_guide_000276__b1199115401386">jceks://</strong><em id="admin_guide_000276__i3270451171019">&lt;key_Path_Name&gt;</em>.<p class="litext" id="admin_guide_000276__p127201245887"><em id="admin_guide_000276__i122131055201019">&lt;key_Path_Name&gt;</em> indicates the path of the key file. For example, if the path of the key file is <span class="filepath" id="admin_guide_000276__filepath027352391016"><b>/home/hbase/conf/hbase.jks</b></span>, set this parameter to <strong id="admin_guide_000276__b0829175714511">jceks:///home/hbase/conf/hbase.jks</strong>.</p>
</li><li class="litext" id="admin_guide_000276__li20173496817">The format of <strong id="admin_guide_000276__b190191462">hbase.crypto.keyprovider.parameters.encryptedtext</strong> is <em id="admin_guide_000276__i1681813596106">&lt;encrypted_password&gt;</em>.<p class="litext" id="admin_guide_000276__p44151249580"><em id="admin_guide_000276__i545603151113">&lt;encrypted_password&gt;</em> indicates the encrypted password generated during the key file creation. The parameter value is displayed in ciphertext. Run the following command as user <strong id="admin_guide_000276__b14527650777">omm</strong> to obtain the related encrypted password on the nodes where HBase service is installed:</p>
<p class="litext" id="admin_guide_000276__p45494965194556"><strong id="admin_guide_000276__b11276387162825">sh ${BIGDATA_HOME}/<strong id="admin_guide_000276__b37298170162825"><strong id="admin_guide_000276__b139214162825"><strong id="admin_guide_000276__b1252931162825">FusionInsight_HD_</strong></strong></strong></strong><strong id="admin_guide_000276__b15788101455520"><span id="admin_guide_000276__text143071994382">8.1.0.1</span></strong><strong id="admin_guide_000276__b30409042162825"><strong id="admin_guide_000276__b34378621162825"><strong id="admin_guide_000276__b40972140162825"><strong id="admin_guide_000276__b33204944162825">/install</strong></strong></strong>/FusionInsight-HBase-<span id="admin_guide_000276__text1414611281195">2.2.3</span>/hbase/bin/hbase-encrypt.sh</strong></p>
<div class="note" id="admin_guide_000276__note14051194194556"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="admin_guide_000276__p61213567194556">After running the command, you need to enter <strong id="admin_guide_000276__b87275138819">&lt;password&gt;</strong>. The password is the same as that entered in <a href="#admin_guide_000276__li61064812194556">1</a>.</p>
</div></div>
</li></ul>
</p></li><li id="admin_guide_000276__li64404921194556"><span>On <span id="admin_guide_000276__text1239004972412">MRS</span> Manager, set <strong id="admin_guide_000276__b2279114120817">hbase.crypto.key.algorithm</strong> to <strong id="admin_guide_000276__b114041444581">SMS4</strong> or <strong id="admin_guide_000276__b1062820231091">AES</strong> to use SMS4 or AES for HFile encryption.</span></li><li id="admin_guide_000276__li42773384194556"><span>On <span id="admin_guide_000276__text47729506240">MRS</span> Manager, set <strong id="admin_guide_000276__b123702496915">hbase.crypto.wal.algorithm</strong> to <strong id="admin_guide_000276__b153708491491">SMS4</strong> or <strong id="admin_guide_000276__b173711949294">AES</strong> to use SMS4 or AES for WAL encryption.</span></li><li id="admin_guide_000276__li49416137194556"><span>On <span id="admin_guide_000276__text288852132412">MRS</span> Manager, set <strong id="admin_guide_000276__b1684885613106">hbase.regionserver.wal.encryption</strong> to <strong id="admin_guide_000276__b276665915103">true</strong>.</span></li><li id="admin_guide_000276__li42092055194556"><a name="admin_guide_000276__li42092055194556"></a><a name="li42092055194556"></a><span>Save the settings and restart the HBase service for the settings to take effect.</span></li><li id="admin_guide_000276__li50092082194556"><a name="admin_guide_000276__li50092082194556"></a><a name="li50092082194556"></a><span>Create an HBase table through CLI or code and configure the encryption mode to enable encryption. <strong id="admin_guide_000276__b1323113197446">&lt;type&gt;</strong> indicates the encryption type, and <strong id="admin_guide_000276__b790113414411">d</strong> indicates the column family.</span><p><ul class="subitemlist" id="admin_guide_000276__ul5565786194556"><li id="admin_guide_000276__li18019214194556">When you create an HBase table through CLI, set the encryption mode to SMS4 or AES for the column family.<p id="admin_guide_000276__p31828296194556"><a name="admin_guide_000276__li18019214194556"></a><a name="li18019214194556"></a><strong id="admin_guide_000276__b54013283194556"><em id="admin_guide_000276__i43284178194556">create</em></strong> '<em id="admin_guide_000276__i16357499194556">&lt;table name&gt;</em>', {<em id="admin_guide_000276__i12999763194556">NAME =&gt; 'd'</em>, <strong id="admin_guide_000276__b46347855194556"><em id="admin_guide_000276__i49889004194556">ENCRYPTION =&gt; '</em></strong><em id="admin_guide_000276__i14477518194556">&lt;type&gt;</em><strong id="admin_guide_000276__b63188800194556">'</strong>}</p>
</li><li id="admin_guide_000276__li45357663194556">When you create an HBase table using code, set the encryption mode to SMS4 or AES by adding the following information to the code:<pre class="screen" id="admin_guide_000276__screen49778983194556">public void testCreateTable()
{
String tableName = "user";
Configuration conf = getConfiguration();
HTableDescriptor htd = new HTableDescriptor(TableName.valueOf(tableName));
HColumnDescriptor hcd = new HColumnDescriptor("<em id="admin_guide_000276__i102981335202619">d</em>");
//Set the encryption mode to SMS4 or AES.
<strong id="admin_guide_000276__b50270240194556">hcd.setEncryptionType("<em id="admin_guide_000276__i27955203194556">&lt;type&gt;</em>");</strong>
htd.addFamily(hcd);
HBaseAdmin admin = null;
try
{
admin = new HBaseAdmin(conf);
if(!admin.tableExists(tableName))
{
admin.createTable(htd);
}
}
catch (IOException e)
{
e.printStackTrace();
}
finally
{
if(admin != null)
{
try
{
admin.close();
}
catch (IOException e)
{
e.printStackTrace();
}
}
}
}</pre>
</li></ul>
</p></li><li id="admin_guide_000276__li39237956194556"><span>If you have configured SMS4 or AES encryption by performing <a href="#admin_guide_000276__li61064812194556">1</a> to <a href="#admin_guide_000276__li42092055194556">7</a>, but do not set the related encryption parameter when creating the table in <a href="#admin_guide_000276__li50092082194556">8</a>, the inserted data is not encrypted.</span><p><p id="admin_guide_000276__p22046902194556">In this case, you can perform the following steps to encrypt the inserted data:</p>
<ol type="a" id="admin_guide_000276__ol60251320194556"><li id="admin_guide_000276__li2687565194556">Run the <strong id="admin_guide_000276__b74286529149">flush</strong> command for the table to import the data in the memory to the HFile.<p class="litext" id="admin_guide_000276__p30124780194556"><strong id="admin_guide_000276__b40968631194556">flush</strong><em id="admin_guide_000276__i33173359194556">'&lt;table_name&gt;'</em></p>
</li><li id="admin_guide_000276__li49463053194556">Run the following commands to modify the table properties:<p class="litext" id="admin_guide_000276__p50598068194556"><a name="admin_guide_000276__li49463053194556"></a><a name="li49463053194556"></a><strong id="admin_guide_000276__b16366252194556">disable</strong><em id="admin_guide_000276__i13078548194556">'&lt;table_name&gt;'</em></p>
<p class="litext" id="admin_guide_000276__p1290758194556"><strong id="admin_guide_000276__b4802828194556">alter</strong><em id="admin_guide_000276__i721865181718">'</em><em id="admin_guide_000276__i1428915556176">&lt;table_name&gt;'<strong id="admin_guide_000276__b18289185514174">,</strong></em><strong id="admin_guide_000276__b6291175515170">NAME=&gt;</strong><em id="admin_guide_000276__i7157195810171">'&lt;column_name&gt;'<strong id="admin_guide_000276__b915745811175">,</strong></em><strong id="admin_guide_000276__b1815855814172">ENCRYPTION =&gt;</strong><em id="admin_guide_000276__i14158195831719"><strong id="admin_guide_000276__b1158135814173"> '</strong>&lt;type&gt;</em><strong id="admin_guide_000276__b143417194556">'</strong></p>
<p class="litext" id="admin_guide_000276__p12952435194556"><strong id="admin_guide_000276__b37442608194556">enable</strong><em id="admin_guide_000276__i870511371812">'</em><em id="admin_guide_000276__i1198600151817">&lt;table_name&gt;'</em></p>
</li><li id="admin_guide_000276__li52111122194556">Insert a new data record and flush the table.<div class="note" id="admin_guide_000276__note47084327194556"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="admin_guide_000276__p42514294194556">A new data record must be inserted so that the HFile will generate a new HFile and the unencrypted data inserted previously will be rewritten and encrypted.</p>
</div></div>
<p class="litext" id="admin_guide_000276__p62509216194556"><strong id="admin_guide_000276__b55734125194556">put</strong><em id="admin_guide_000276__i31845085194556">'&lt;table_name&gt;'</em>,<strong id="admin_guide_000276__b29315089194556"><em id="admin_guide_000276__i10656142691816">'</em>id2','f1:c1','value222222222222222222222222222222222'</strong></p>
<p class="litext" id="admin_guide_000276__p20703205194556"><strong id="admin_guide_000276__b30081756194556">flush</strong><em id="admin_guide_000276__i2300356194556">'&lt;table_name&gt;'</em></p>
</li><li id="admin_guide_000276__li66346914194556">Perform the following step to rewrite the HFile:<div class="litext" id="admin_guide_000276__p1878231218206"><a name="admin_guide_000276__li66346914194556"></a><a name="li66346914194556"></a><strong id="admin_guide_000276__b157826127205">major_compact</strong>'<em id="admin_guide_000276__i678291210208">&lt;table_name&gt;'</em><div class="notice" id="admin_guide_000276__note1331931114205"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p class="cautiontext" id="admin_guide_000276__p531917118202">During this step, the HBase table is disabled and cannot provide services. Exercise caution when you perform this step.</p>
</div></div>
</div>
</li></ol>
</p></li></ol>
</div>
<div class="section" id="admin_guide_000276__s6a55bf3a91dd4ae880db8959ff5d0cad"><h4 class="sectiontitle">Modifying a Key File</h4><div class="notice" id="admin_guide_000276__en-us_topic_0046736703_note12218139"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p class="cautiontext" id="admin_guide_000276__en-us_topic_0046736703_p42854387">Modifying a key file has a great impact on the system and will cause data loss in case of any misoperation. Therefore, this operation is not recommended.</p>
</div></div>
<p id="admin_guide_000276__en-us_topic_0046736703_p50145164">During the <a href="#admin_guide_000276__s1948b0b624dc4a0caf5f17669ca5244d">HFile and WAL Encryption</a> operation, the related key file must be generated and its password must be set to ensure system security. After a period of running, you can replace the key file with a new one to encrypt HFile and WAL.</p>
<ol id="admin_guide_000276__ol19344369194747"><li id="admin_guide_000276__li37565880194747"><span>Run the following command to generate a new key file as user <strong id="admin_guide_000276__b10328192241717">omm</strong>:</span><p><p class="litext" id="admin_guide_000276__p41751642194747"><strong id="admin_guide_000276__b11514165014247">sh ${BIGDATA_HOME}/<strong id="admin_guide_000276__b13514145018246"><strong id="admin_guide_000276__b1251325018242"><strong id="admin_guide_000276__b9513195072419"><strong id="admin_guide_000276__b18513550202417">FusionInsight_HD_<strong id="admin_guide_000276__b2434043125515"><span id="admin_guide_000276__text8280172219381">8.1.0.1</span></strong></strong></strong></strong></strong></strong><strong id="admin_guide_000276__b8146475104254"><strong id="admin_guide_000276__b105161450122412"><strong id="admin_guide_000276__b151616504249"><strong id="admin_guide_000276__b1451645042413"><strong id="admin_guide_000276__b251615042416">/install</strong></strong></strong></strong>/FusionInsight-HBase-<span id="admin_guide_000276__text1957714541911">2.2.3</span>/hbase/bin/hbase-encrypt.sh</strong> <em id="admin_guide_000276__i497852172317">&lt;path&gt;/hbase.jks</em><em id="admin_guide_000276__i134417276239"> &lt;type&gt; &lt;length&gt; &lt;alias-new&gt;</em></p>
<ul id="admin_guide_000276__ul10442314192517"><li class="litext" id="admin_guide_000276__li10442814122518"><em id="admin_guide_000276__i1344241417250">&lt;path&gt;/hbase.jks</em>: indicates the path for storing the generated <strong id="admin_guide_000276__b1010265031712">hbase.jks</strong> file. The path and file name must be consistent with those of the key file generated in <a href="#admin_guide_000276__s1948b0b624dc4a0caf5f17669ca5244d">HFile and WAL Encryption</a>.</li><li class="litext" id="admin_guide_000276__li1344241452516"><em id="admin_guide_000276__i64421914182512">&lt;alias-new&gt;</em>: indicates the alias of the key file. The alias must be different with that of the old key file.</li><li class="litext" id="admin_guide_000276__li044271411251"><em id="admin_guide_000276__i617402211267">&lt;type&gt;</em>: indicates the encryption type, which can be SMS4 or AES.</li><li class="litext" id="admin_guide_000276__li17442121415258"><em id="admin_guide_000276__i13326124919204">&lt;length&gt;</em> indicates the key length. SMS4 supports 16-bit and AES supports 128-bit.</li></ul>
<p class="litext" id="admin_guide_000276__p87145293268">For example, to generate an SMS4 encryption key, run the following command:</p>
<p class="litext" id="admin_guide_000276__p13795394194747"><strong id="admin_guide_000276__b21272582267">sh ${BIGDATA_HOME}/</strong><strong id="admin_guide_000276__b37772767141443"><strong id="admin_guide_000276__b63849297141443">FusionInsight_HD_</strong></strong><strong id="admin_guide_000276__b7204152465510"><span id="admin_guide_000276__text16338193013382">8.1.0.1</span></strong><strong id="admin_guide_000276__b39695275141443"><strong id="admin_guide_000276__b4410586141443">/install</strong></strong><strong id="admin_guide_000276__b59137855104254">/FusionInsight-HBase-<span id="admin_guide_000276__text146551451191912">2.2.3</span>/hbase/bin/hbase-encrypt.sh /home/hbase/conf/hbase.jks SMS4 16 omm_new</strong></p>
<p class="litext" id="admin_guide_000276__p164771925132818">To generate an AES encryption key, run the following command:</p>
<p class="litext" id="admin_guide_000276__p57621787194747"><strong id="admin_guide_000276__b24885031141451">sh ${BIGDATA_HOME}/<strong id="admin_guide_000276__b30133384141451"><strong id="admin_guide_000276__b2765003141451">FusionInsight_HD_</strong></strong></strong><strong id="admin_guide_000276__b7156825135514"><span id="admin_guide_000276__text8458193615385">8.1.0.1</span></strong><strong id="admin_guide_000276__b21794901141451"><strong id="admin_guide_000276__b22638694141451"><strong id="admin_guide_000276__b2421655141451">/install</strong></strong>/FusionInsight-HBase-<span id="admin_guide_000276__text38254555191">2.2.3</span>/hbase/bin/hbase-encrypt.sh /home/hbase/conf/hbase.jks AES 128 omm_new</strong></p>
<div class="note" id="admin_guide_000276__note4173986194747"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="admin_guide_000276__ul463776194747"><li id="admin_guide_000276__li36853177194747">To ensure operations can be successfully performed, the <strong id="admin_guide_000276__b373110120217">&lt;path&gt;/hbase.jks</strong> directory needs to be created in advance, and the cluster operation user must have the <strong id="admin_guide_000276__b1273219117212">rw</strong> permission of this directory.</li><li id="admin_guide_000276__li22421152194747">After running the command, you need to enter the same <em id="admin_guide_000276__i63243145194747">&lt;password&gt;</em> for three times. This password is the password of the key file. You can use the password of the old file without any security risk.</li></ul>
</div></div>
</p></li><li id="admin_guide_000276__li5110157194747"><a name="admin_guide_000276__li5110157194747"></a><a name="li5110157194747"></a><span>Distribute the generated key files to the same directory on all nodes in the cluster and assign read and write permission to user <strong id="admin_guide_000276__b1431714916225">omm</strong>.</span><p><div class="note" id="admin_guide_000276__note22937416194747"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="admin_guide_000276__p2548601194747">Administrators need to select a safe procedure to distribute keys based on the enterprise security requirements.</p>
</div></div>
</p></li><li id="admin_guide_000276__li34317298194747"><a name="admin_guide_000276__li34317298194747"></a><a name="li34317298194747"></a><span>On the HBase service configuration page of <span id="admin_guide_000276__text48622591246">MRS</span> Manager, add custom configuration items, set <span class="parmname" id="admin_guide_000276__parmname54538117313"><b>hbase.crypto.master.key.name</b></span> to <span class="parmvalue" id="admin_guide_000276__parmvalue11141721143114"><b>omm_new</b></span>, set <span class="parmname" id="admin_guide_000276__parmname2374103043113"><b>hbase.crypto.master.alternate.key.name</b></span> to <span class="parmvalue" id="admin_guide_000276__parmvalue585610374317"><b>omm</b></span>, and save the settings.</span></li><li id="admin_guide_000276__li40420234194747"><a name="admin_guide_000276__li40420234194747"></a><a name="li40420234194747"></a><span>Restart the HBase service for the configuration to take effect.</span></li><li id="admin_guide_000276__li52813507194747"><span>In HBase shell, run the <strong id="admin_guide_000276__b3497192863217">major compact</strong> command to generate the HFile file based on the new encryption algorithm.</span><p><p class="litext" id="admin_guide_000276__p28237788194747"><strong id="admin_guide_000276__b1777233811327">major_compact</strong> <em id="admin_guide_000276__i17350142113215">'&lt;table_name&gt;'</em></p>
</p></li><li id="admin_guide_000276__li47667874194747"><span>You can view the major compact progress from the HMaster web page.</span><p><p id="admin_guide_000276__p1868017527476"><span><img id="admin_guide_000276__image2106592871" src="en-us_image_0000001392734050.png"></span></p>
</p></li><li id="admin_guide_000276__li1787513619359"><span>When all items in <strong id="admin_guide_000276__b9201953152518">Compaction Progress</strong> reach <strong id="admin_guide_000276__b1472017574251">100%</strong> and those in <strong id="admin_guide_000276__b422913412269">Remaining KVs</strong> are <strong id="admin_guide_000276__b68321996262">0</strong>, run the following command as user <strong id="admin_guide_000276__b132171715102616">omm</strong> to destroy the old key file:</span><p><p id="admin_guide_000276__p263373711355"><strong id="admin_guide_000276__b1174710433910">sh ${BIGDATA_HOME}/<strong id="admin_guide_000276__b3747246397"><strong id="admin_guide_000276__b1274713410392"><strong id="admin_guide_000276__b77471741396">FusionInsight_HD_<strong id="admin_guide_000276__b1477429135519"><span id="admin_guide_000276__text1724135663813">8.1.0.1</span></strong></strong></strong></strong></strong><strong id="admin_guide_000276__b27221148104254"><strong id="admin_guide_000276__b874810483911"><strong id="admin_guide_000276__b14748104123918"><strong id="admin_guide_000276__b674813419398">/install</strong></strong></strong>/FusionInsight-HBase-<span id="admin_guide_000276__text1754511512014">2.2.3</span>/hbase/bin/hbase-encrypt.sh </strong><em id="admin_guide_000276__i35892557194747">&lt;path&gt;/hbase.jks &lt;alias-old&gt;</em></p>
<ul id="admin_guide_000276__ul13396141133713"><li class="litext" id="admin_guide_000276__li20396441153712"><em id="admin_guide_000276__i4526122492617">&lt;path&gt;/hbase.jks</em>: indicates the path for storing the generated <strong id="admin_guide_000276__b6527142482613">hbase.jks</strong> file. The path and file name must be consistent with those of the key file generated in <a href="admin_guide_000276.html">HFile and WAL Encryption</a>.</li><li class="litext" id="admin_guide_000276__li143969413375"><em id="admin_guide_000276__i1439674103711">&lt;alias-old&gt;</em>: indicates the alias of the old key file to be deleted.</li></ul>
<p class="litext" id="admin_guide_000276__p38951523123910">For example:</p>
<p class="litext" id="admin_guide_000276__p60257896194747"><strong id="admin_guide_000276__b230728614157">sh ${BIGDATA_HOME}/<strong id="admin_guide_000276__b3148633514157"><strong id="admin_guide_000276__b1494156514157"><strong id="admin_guide_000276__b25636514157">FusionInsight_HD_</strong></strong></strong></strong><strong id="admin_guide_000276__b183590321550"><span id="admin_guide_000276__text0599417143915">8.1.0.1</span></strong><strong id="admin_guide_000276__b3861274914157"><strong id="admin_guide_000276__b2076557914157"><strong id="admin_guide_000276__b5267248314157"><strong id="admin_guide_000276__b429030514157">/install</strong></strong></strong>/FusionInsight-HBase-<span id="admin_guide_000276__text125954919200">2.2.3</span>/hbase/bin/hbase-encrypt.sh /home/hbase/conf/hbase.jks omm</strong></p>
<div class="note" id="admin_guide_000276__note49051441194747"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="admin_guide_000276__p5450160194747">To ensure operations can be successfully performed, the <strong id="admin_guide_000276__b343355782917">&lt;path&gt;/hbase.jks</strong> directory needs to be created in advance, and the cluster operation user must have the <strong id="admin_guide_000276__b17440175792915">rw</strong> permission of this directory.</p>
</div></div>
</p></li><li id="admin_guide_000276__li56585252194747"><span>Repeat <a href="#admin_guide_000276__li5110157194747">2</a> and distribute the updated key files again.</span></li><li id="admin_guide_000276__li20002699194747"><span>Delete the HBase self-defined configuration item <strong id="admin_guide_000276__b112948353302">hbase.crypto.master.alternate.key.name</strong> added in <a href="#admin_guide_000276__li34317298194747">3</a> from <span id="admin_guide_000276__text7372191042519">MRS</span> Manager.</span></li><li id="admin_guide_000276__li9605914194747"><span>Repeat <a href="#admin_guide_000276__li40420234194747">4</a> for the configuration take effect.</span></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="admin_guide_000271.html">Security Hardening</a></div>
</div>
</div>
View Git Blame Copy Permalink