Enable Impersonation for HBase REST Gateway

To enable HBase REST Gateway impersonation, configure all HBase servers to allow proxy users, then configure every REST Gateway to enable impersonation.

  1. To allow proxy users, add the following to the hbase-site.xml file for every HBase server (masters and region servers):
    <property>
        <name>hadoop.security.authorization</name>
        <value>true</value>
    </property>
    <property>
        <name>hadoop.proxyuser.$USER.groups</name>
        <value>$GROUPS</value>
    </property>
    <property>
        <name>hadoop.proxyuser.$USER.hosts</name>
        <value>$GROUPS</value>
    </property>

    Substitute the REST Gateway proxy user for $USER, and the allowed group list for $GROUPS.

  2. To enable REST Gateway impersonation, add the following to the hbase-site.xml file for every REST gateway:
    <property>
        <name>hbase.rest.authentication.type</name>
        <value>kerberos</value>
    </property>
    <property>
        <name>hbase.rest.authentication.kerberos.principal</name>
        <value>HTTP/_HOST@HADOOP.LOCALDOMAIN</value>
    </property>
    <property>
        <name>hbase.rest.authentication.kerberos.keytab</name>
        <value>$KEYTAB</value>
    </property>

    Substitute the keytab for HTTP for $KEYTAB.