Configuring Lily HBase Indexer Security
Beginning with CDH 5.4 the Lily HBase Indexer includes an HTTP interface for the list-indexers, create-indexer, update-indexer, and delete-indexer commands. This interface can be secured with Kerberos for authentication and Apache Sentry for authorization.
Configuring Lily HBase Indexer Service to Use Kerberos Authentication
To configure the Lily HBase Indexer to use Kerberos authentication, you must create principals and keytabs and then modify certain configuration properties. If you are using Cloudera Manager to manage your cluster, much of this is handled automatically. For unmanaged environments, you must generate the Kerberos principals and keytabs manually.
For more an overview of Kerberos concepts (including principals and keytabs), see Kerberos Security Artifacts Overview.
To enable Kerberos authentication for the Lily HBase Indexer service:
Cloudera Manager:
- Go to .
- Select the kerberos option for HBase Indexer Secure Authentication.
- Click Save Changes.
- Go to .
- Click Generate Missing Credentials.
- Restart the indexer service ( ).
Unmanaged:
- Create principals and keytabs. To complete these steps you must have Kerberos administrator credentials. Perform this procedure on each Lily HBase Indexer host:
- Launch the kadmin utility after authenticating with your Kerberos administrator credentials. For example:
$ kinit jdoe/admin@EXAMPLE.COM Password for jdoe/admin@EXAMPLE.COM: $ kadmin Authenticating as principal jdoe/admin@EXAMPLE.COM with password. Password for jdoe/admin@EXAMPLE.COM: kadmin:
- Create Lily HBase Indexer service user principals using the format hbase/lily01.example.com@EXAMPLE.COM. This principal is used to authenticate with the
Hadoop cluster. Replace lily01.example.com with the Lily HBase Indexer host, and EXAMPLE.COM with your Kerberos realm name:
kadmin: addprinc -randkey hbase/lily01.example.com@EXAMPLE.COM
- Create an HTTP service user principal using the format HTTP/lily01.example.com@EXAMPLE.COM. This principal is used to authenticate user requests coming
to the Lily HBase Indexer web services. Replace lily01.example.com with the Lily HBase Indexer host, and EXAMPLE.COM with your Kerberos
realm name:
kadmin: addprinc -randkey HTTP/lily01.example.com@EXAMPLE.COM
- Create a keytab file containing both the HTTP/ and hbase/ principals. For example:
kadmin: xst -norandkey -k /tmp/hbase.keytab hbase/lily01.example.com@EXAMPLE.COM \ HTTP/lily01.example.com@EXAMPLE.COM
- Exit the kadmin utility by using the quit or exit command.
- Check the keytabs to make sure that both the HTTP/ and hbase/ principals are present, and that they have the same hostname
component. For example:
$ klist -ekt /tmp/hbase.keytab
- Copy the hbase.keytab file to the Lily HBase Indexer configuration directory. Make sure that the owner of the hbase.keytab file is the hbase user and the file has owner-only read permissions.
- Repeat this procedure on each Lily HBase Indexer host.
- Launch the kadmin utility after authenticating with your Kerberos administrator credentials. For example:
- Configure each Lily HBase Indexer host to use Kerberos authentication:
- Modify the hbase-indexer-site.xml file as follows:
<property> <name>hbaseindexer.authentication.type</name> <value>kerberos</value> </property> <property> <name>hbaseindexer.authentication.kerberos.keytab</name> <value>hbase.keytab</value> </property> <property> <name>hbaseindexer.authentication.kerberos.principal</name> <value>HTTP/lily01.example.com@EXAMPLE.COM</value> </property> <property> <name>hbaseindexer.authentication.kerberos.name.rules</name> <value>DEFAULT</value> </property>
- Set up the Java Authentication and Authorization Service (JAAS) configuration file. Create a jaas.conf file in
the configuration directory containing the following settings. Replace the values with the correct ones for your environment:
Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true useTicketCache=false keyTab="/etc/hbase-solr/conf/hbase.keytab" principal="hbase/lily01.example.com@EXAMPLE.COM"; };
- Modify hbase-indexer-env.sh in the configuration directory to add the JAAS configuration to the system properties. You can do this by adding -Djava.security.auth.login.config to the HBASE_INDEXER_OPTS. For example:
HBASE_INDEXER_OPTS = "$HBASE_INDEXER_OPTS -Djava.security.auth.login.config=/etc/hbase-solr/conf/jaas.conf"
- Make these changes on each Lily HBase Indexer host.
- Modify the hbase-indexer-site.xml file as follows:
Configuring the Lily HBase Indexer Service to Use the Sentry Service
The Lily HBase Indexer service uses Apache Sentry for authorization. To use Sentry for authorization, you must use the indexer HTTP interface.
If you are using policy files for Sentry, and want to switch to the Sentry service, see Migrating From Sentry Policy Files to the Sentry Service.
To configure the Lily HBase Indexer to use the Sentry Service:
Cloudera Manager:
- Go to .
- Make sure that the box labeled Enable Sentry Authorization using Policy Files is unchecked.
- Click the Main category in the left pane.
- Select the Sentry Service for the cluster (SENTRY-1 by default).
- Click Save Changes.
- Restart stale services ( ).
Unmanaged:
- Add the following properties to hbase-indexer-site.xml on each Lily HBase Indexer host:
<property> <name>sentry.hbaseindexer.sentry.site</name> <value>/path/to/sentry-site.xml</value> </property> <property> <name>hbaseindexer.rest.resource.package</name> <value>org/apache/sentry/binding/hbaseindexer/rest</value> </property>
- Edit the specified sentry-site.xml file (on each Lily HBase Indexer host) to add or modify the following properties:
<property> <name>sentry.service.server.principal</name> <value>sentry/_HOST@EXAMPLE.COM</value> </property> <property> <name>sentry.service.security.mode</name> <value>kerberos</value> </property> <property> <name>sentry.service.client.server.rpc-address</name> <value>sentry-1.example.com</value> </property> <property> <name>sentry.service.client.server.rpc-port</name> <value>8038</value> </property> <property> <name>sentry.hbaseindexer.provider.backend</name> <value>org.apache.sentry.provider.db.generic.SentryGenericProviderBackend</value> </property> <property> <name>sentry.provider.backend.generic.service-name</name> <value>hbase-indexer-1</value> </property>
- Restart the Lily HBase Indexer service on each host:
$ sudo service hbase-solr-indexer restart
Configuring the Lily HBase Indexer Service to Use Sentry Policy Files
The Lily HBase Indexer service uses Apache Sentry for authorization. To use Sentry for authorization, you must use the indexer HTTP interface.
Before CDH 5.14.0, Lily HBase Indexer supported only Sentry policy files. In CDH 5.14.0 and higher, it supports the Sentry service, and includes a command line utility (hbase-indexer-sentry) for configuring Sentry. Cloudera recommends using the Sentry Service. To migrate your policy files to the Sentry Service, see Migrating From Sentry Policy Files to the Sentry Service.
To configure Sentry policy files for the Lily HBase Indexer:
Cloudera Manager:
- Go to .
- Check the box labeled Enable Sentry Authorization using Policy Files.
- If necessary, edit Sentry Global Policy File to change the HDFS location of the sentry-provider.ini file.
- Click Save Changes.
- Restart the service ( ).
- Upload the sentry-provider.ini file to the specified location in HDFS. For example:
- Security Enabled:
$ kinit hdfs@EXAMPLE.COM $ hdfs dfs -mkdir -p /user/hbaseindexer/sentry/ $ hdfs dfs -put /path/to/local/sentry-provider.ini /user/hbaseindexer/sentry/ $ hdfs dfs -chown -R hbase:hbase /user/hbaseindexer
- Security Disabled:
$ sudo -u hdfs hdfs dfs -mkdir -p /user/hbaseindexer/sentry/ $ sudo -u hdfs hdfs dfs -put /path/to/local/sentry-provider.ini /user/hbaseindexer/sentry/ $ sudo -u hdfs hdfs dfs -chown -R hbase:hbase /user/hbaseindexer
- Security Enabled:
Unmanaged:
- Add the following properties to hbase-indexer-site.xml on each Lily HBase Indexer host:
<property> <name>sentry.service.server.principal</name> <value>sentry/_HOST@EXAMPLE.COM</value> </property> <property> <name>sentry.service.security.mode</name> <value>kerberos</value> </property> <property> <name>sentry.hbaseindexer.sentry.site</name> <value>/path/to/sentry-site.xml</value> </property> <property> <name>hbaseindexer.rest.resource.package</name> <value>org/apache/sentry/binding/hbaseindexer/rest</value> </property>
- Edit the referenced sentry-site.xml file to set the HDFS location of the sentry-provider.ini policy file:
<property> <name>sentry.hbaseindexer.provider.resource</name> <value>/user/hbaseindexer/sentry/sentry-provider.ini</value> </property>
- Upload the sentry-provider.ini file to the specified location in HDFS. For example:
- Security Enabled:
$ kinit hdfs@EXAMPLE.COM $ hdfs dfs -mkdir -p /user/hbaseindexer/sentry/ $ hdfs dfs -put /path/to/local/sentry-provider.ini /user/hbaseindexer/sentry/ $ hdfs dfs -chown -R hbase:hbase /user/hbaseindexer
- Security Disabled:
$ sudo -u hdfs hdfs dfs -mkdir -p /user/hbaseindexer/sentry/ $ sudo -u hdfs hdfs dfs -put /path/to/local/sentry-provider.ini /user/hbaseindexer/sentry/ $ sudo -u hdfs hdfs dfs -chown -R hbase:hbase /user/hbaseindexer
- Security Enabled:
- Restart the Lily HBase Indexer service on each host:
$ sudo service hbase-solr-indexer restart
Managing Sentry Permissions for the Lily HBase Indexer
The Lily HBase Indexer privilege model specifies READ and WRITE privileges for each indexer. The privileges work as follows:
- If a role has WRITE privilege for indexer1, that role can create, update, or delete an indexer named indexer1, using the hbase-indexer command.
- READ privileges control what a user can see when running the hbase-indexer list-indexers command. If a role has READ privileges for indexer1, the command output lists indexer1 if it exists. If an indexer named indexer2 exists, but the role does not have READ privileges for it, that indexer is omitted from the response.
For example, consider the following privileges defined in a policy file:
[groups] jdoe = admin psherman = readonly [roles] admin = indexer=* readonly = indexer=*->action=READ
This policy file grants the jdoe user full access to all indexers, and the psherman user read access to all indexers. User psherman can see all indexers, but cannot create new ones or modify existing ones.
Before CDH 5.14.0, Lily HBase Indexer supported only Sentry policy files. In CDH 5.14.0 and higher, it supports the Sentry service, and includes a command line utility (hbase-indexer-sentry) for configuring Sentry. The command syntax is as follows:
/opt/cloudera/parcels/CDH/bin/hbase-indexer-sentry Missing required option: [-lp List privilege, -rpr Revoke privilege from role, -lr List role, -arg Add role to group, -drg Delete role from group, -gpr Grant privilege to role, -mgr Migrate ini file to Sentry service, -dr Drop role, -cr Create role] usage: sentryShell -arg,--add_role_group Add role to group -c,--checkcompat Check compatibility with Sentry Service -conf,--sentry_conf <arg> sentry-site file path -cr,--create_role Create role -dr,--drop_role Drop role -drg,--delete_role_group Delete role from group -f,--policy_ini <arg> Policy file path -g,--groupname <arg> Group name -gpr,--grant_privilege_role Grant privilege to role -h,--help Shell usage -i,--import Import policy file -lp,--list_privilege List privilege -lr,--list_role List role -mgr,--migrate Migrate ini file to Sentry service -p,--privilege <arg> Privilege string -r,--rolename <arg> Role name -rpr,--revoke_privilege_role Revoke privilege from role -s,--service <arg> Name of the service being managed -t,--type <arg> [hive|solr|sqoop|.....] -v,--validate Validate policy file
Granting Privileges to a Role
- Authenticate as Sentry admin.
- Create the test role:
hbase-indexer-sentry -s "KS_INDEXER-1" -cr -r test
If you have modified your service name from the default, replace KS_INDEXER-1 with your custom service name.
- Assign the role to the group testGroup:
hbase-indexer-sentry -s "KS_INDEXER-1" -arg -r test -g testGroup
- Verify that the test role is part of the group testGroup:
hbase-indexer-sentry -s "KS_INDEXER-1" -lr -g testGroup
- Grant priviliges to test role:
hbase-indexer-sentry -s "KS_INDEXER-1" -gpr -r test -p "indexer=lilytestindexer->action=*"
- Revoke priviliges from test role:
hbase-indexer-sentry -s "KS_INDEXER-1" -rpr -r test -p "indexer=lilytestindexer->action=*"
Migrating From Sentry Policy Files to the Sentry Service
If you have upgraded to CDH 5.14.0 or higher, and want to use the Sentry Service, you can migrate your policy files using the hbase-indexer-sentry utility:
/opt/cloudera/parcels/CDH/bin/hbase-indexer-sentry -mgr -i -v -f "file://path/to/sentry-provider.ini"
This command validates and imports the specified policy file to the Sentry Service. For more information on the command usage and syntax, see Managing Sentry Permissions for the Lily HBase Indexer.