Open hsohans opened 3 years ago
Hello @hsohans
Kerberos can be configured at pinpoint.
Inherit the HbaseSecurityInterceptor interface, Implement the code for kerberos access. And the implemented class must be registered as a bean object.
The process method of the HbaseSecurityInterceptor class is called when establishing a connection with hbase.
There is a sample code link.
@minwoo-jung
thank you for telling me.
I'll apply it after checking that part.
@minwoo-jung
How about upgrading hbase-shaded-client
version? Since HBase >= 2.2.0, hbase client supports client login via keytab. Pinpoint uses ConnectionFactory.createConnection already.
However, it uses hbase-shaded-client 1.7.2.
If it uses hbase-shaded-client >= 2.2.0, I think Pinpoint users can access kerberized HBase cluster also with following configurations.
<property>
<name>hbase.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hbase.client.keytab.file</name>
<value>/local/path/to/client/keytab</value>
</property>
<property>
<name>hbase.client.keytab.principal</name>
<value>foo@EXAMPLE.COM</value>
</property>
@eubnara Hi I will check your comment.
@eubnara From what you said, it looks like you only need to upgrade the hbase version. We already provide a hbase2-module using hbase-client version 2.4.11. I think you can use this module. What do you think?
@eubnara In addition, we will end support for hbase 1.X soon. So, in the future, only the hbase 2.X version will be officially supported, and the hbase client version will also be set to use the 2.X version by default.
Thanks for reply! I'll try to use hbase2 module first to access kerberized hbase.
My teammate has been succeeded to connect kerberized hbase with hbase-site.xml added in classpath with configurations as follows: (according to hbase guide: https://hbase.apache.org/book.html#_client_side_configuration_for_secure_operation)
hbase.client.keytab.file
hbase.client.keytab.principal
@eubnara Thanks for sharing your results. It will be very helpful for users.
I have one suggestion. How about upgrading hbase2.client.version
>= 2.5.0 to support hbase.unsafe.client.kerberos.hostname.disable.reversedns
?
(https://issues.apache.org/jira/browse/HBASE-25665)
In k8s cluster environment, it is needed to disable reverse DNS lookup for some cases.
@eubnara That's good info. We will upgrade the version to hbase client 2.5.x.
Hi, I have a question.
For security reasons, I want to configure kerberos on Hbase or Hadoop.
"We don't support setting kerberos in 2018." Is it the same now?
The link I checked is "https://github.com/pinpoint-apm/pinpoint/issues/3737".
Please answer about my question.