Configure Kerberos for HBase Thrift Gateway

  1. Add the following to the hbase-site.xml file for every Thrift gateway:
    <property>
        <name>hbase.thrift.keytab.file</name>
        <value>$KEYTAB</value>
    </property>
    <property>
        <name>hbase.thrift.kerberos.principal</name>
        <value>$USER/_HOST@HADOOP.LOCALDOMAIN</value>
        <!-- Depending on your environment, this may need to be HTTP/_HOST@<REALM>. _HOST may not work, in which case specify the concrete full hostname. -->
    </property>
    <property>
        <name>hbase.thrift.security.qop</name>
        <value>privacy</value>
    </property>
    <!-- Add these if you need to configure a different DNS interface from the default -->
    <property>
        <name>hbase.thrift.dns.interface</name>
        <value>default</value>
    </property>
    <property>
        <name>hbase.thrift.dns.nameserver</name>
        <value>default</value>
    </property>

    Substitute the appropriate credential and keytab for $USER and $KEYTAB respectively.

  2. To use MapR Database tables without the full path, add the following property to the core-site.xml file:
    <property>
        <name>hbase.table.namespace.mappings</name>
        <value>*:/</value>
    </property>

    For more information about mapping tables, see Mapping to HBase Table Namespaces.

The Thrift gateway authenticates with HBase using the supplied credential. The Thrift gateway itself does not authenticate clients. All client access through the Thrift gateway uses the Thrift gateway's credential and has that credential's privileges.
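
A pre-deployment check for the step 1 settings, as an added example that is not part of the original documentation or the product's tooling: it parses an hbase-site.xml and reports unsubstituted $USER/$KEYTAB placeholders, a malformed principal, a remaining _HOST token, and a qop value other than the page's `privacy`. The function names, the sample file content and the assumption that the file has a `<configuration>` root element are choices made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: step 1's properties with $KEYTAB left unsubstituted
# and a qop value other than the page's "privacy".
SAMPLE = """<configuration>
  <property><name>hbase.thrift.keytab.file</name><value>$KEYTAB</value></property>
  <property><name>hbase.thrift.kerberos.principal</name><value>hbase/_HOST@HADOOP.LOCALDOMAIN</value></property>
  <property><name>hbase.thrift.security.qop</name><value>auth</value></property>
</configuration>"""

PRINCIPAL = "hbase.thrift.kerberos.principal"
QOP = "hbase.thrift.security.qop"
REQUIRED = ("hbase.thrift.keytab.file", PRINCIPAL, QOP)
# primary/instance@REALM, the form used by the page's principal value
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")

def load_properties(xml_text):
    """Return {name: value} for every <property> element in the file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def lint_thrift_kerberos(xml_text):
    """Return a list of findings; an empty list means the checks passed."""
    props = load_properties(xml_text)
    findings = []
    for key in REQUIRED:
        value = props.get(key)
        if not value:
            findings.append(f"{key}: missing or empty")
        elif "$" in value:
            findings.append(f"{key}: placeholder not substituted ({value})")
    principal = props.get(PRINCIPAL, "")
    if principal and "$" not in principal:
        if not PRINCIPAL_RE.match(principal):
            findings.append(f"{PRINCIPAL}: expected primary/host@REALM")
        elif "/_HOST@" in principal:
            findings.append(f"{PRINCIPAL}: _HOST may not work; use the full hostname")
    qop = props.get(QOP)
    if qop and qop != "privacy":
        findings.append(f"{QOP}: '{qop}' differs from the documented 'privacy'")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_thrift_kerberos(SAMPLE)))
```
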