Chapter 8. Securing Apache HBase

Table of Contents

8.1. Using Secure HTTP (HTTPS) for the Web UI
8.2. Secure Client Access to Apache HBase
8.2.1. Prerequisites
8.2.2. Server-side Configuration for Secure Operation
8.2.3. Client-side Configuration for Secure Operation
8.2.4. Client-side Configuration for Secure Operation - Thrift Gateway
8.2.5. Configure the Thrift Gateway to Authenticate on Behalf of the Client
8.2.6. Client-side Configuration for Secure Operation - REST Gateway
8.2.7. REST Gateway Impersonation Configuration
8.3. Simple User Access to Apache HBase
8.3.1. Simple Versus Secure Access
8.4. Securing Access To Your Data
8.4.1. Tags
8.4.2. Access Control Labels (ACLs)
8.4.3. Visibility Labels
8.4.4. Transparent Encryption of Data At Rest
8.4.5. Secure Bulk Load
8.5. Security Configuration Example

HBase provides mechanisms to secure its various components, its interaction with the rest of the Hadoop infrastructure, and its interaction with clients and resources outside Hadoop.

8.1. Using Secure HTTP (HTTPS) for the Web UI

A default HBase installation serves the master and region server web UIs over plaintext HTTP. To enable secure HTTP (HTTPS) connections instead, set hadoop.ssl.enabled to true in hbase-site.xml. This does not change the port used by the web UI. To change the port used by the web UI of a given HBase component, configure that component's port setting in hbase-site.xml. These settings are:

  • hbase.master.info.port

  • hbase.regionserver.info.port

If you enable HTTPS, clients should connect to the web UI using the https:// URL and avoid the plaintext http:// URL. Clients using the http:// URL will receive an HTTP response of 200 but will not receive any data, and the following exception is logged:

javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

This is because the same port is used for HTTP and HTTPS.
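As an added example (not code from the HBase reference guide or the HBase project), the following Python script reads the hbase-site.xml settings discussed above, decides whether the web UIs are served over HTTPS, and produces the https:// or http:// URLs an administrator should hand to clients. The sample configuration file is constructed, the fallback ports 16010 and 16030 are the HBase 1.x defaults assumed when the port properties are absent (older releases used 60010 and 60030), and all function names are this example's own.

```python
"""Audit hbase-site.xml for the web UI HTTPS settings (hadoop.ssl.enabled and the info ports)."""
import xml.etree.ElementTree as ET

# Constructed sample of the file an administrator edits to turn on HTTPS for the UIs.
SAMPLE_HBASE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.ssl.enabled</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.master.info.port</name>
    <value>16010</value>
  </property>
  <property>
    <name>hbase.regionserver.info.port</name>
    <value>16030</value>
  </property>
</configuration>
"""

# Assumed defaults (HBase 1.x) used when a port property is not set in the file.
DEFAULT_PORTS = {
    "hbase.master.info.port": 16010,
    "hbase.regionserver.info.port": 16030,
}


def parse_hbase_site(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style configuration file."""
    root = ET.fromstring(xml_text)
    conf = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            conf[name.strip()] = (value or "").strip()
    return conf


def https_enabled(conf):
    """Only the literal value 'true' enables HTTPS; a missing or other value leaves plaintext HTTP."""
    return conf.get("hadoop.ssl.enabled", "false").strip().lower() == "true"


def web_ui_urls(conf, host):
    """Build the URL clients should use for each web UI on `host`.

    The scheme follows hadoop.ssl.enabled; the port does not change when HTTPS is enabled,
    which is why an http:// request to the same port answers 200 with no body.
    """
    scheme = "https" if https_enabled(conf) else "http"
    urls = {}
    for prop, default in DEFAULT_PORTS.items():
        port = int(conf.get(prop, default))
        if port < 0:  # HBase treats -1 as "do not run this UI"
            continue
        urls[prop] = "%s://%s:%d/" % (scheme, host, port)
    return urls


def audit(conf):
    """Return a list of human-readable findings about the UI transport settings."""
    findings = []
    if https_enabled(conf):
        findings.append("HTTPS enabled: publish https:// URLs; http:// on the same port "
                        "returns an empty 200 and logs 'Unrecognized SSL message'")
    else:
        findings.append("hadoop.ssl.enabled is not true: master and region server web UIs "
                        "serve plaintext HTTP")
    for prop in DEFAULT_PORTS:
        if prop not in conf:
            findings.append("%s not set; assuming default %d" % (prop, DEFAULT_PORTS[prop]))
    return findings


if __name__ == "__main__":
    conf = parse_hbase_site(SAMPLE_HBASE_SITE)
    for line in audit(conf):
        print(line)
    for prop, url in web_ui_urls(conf, "master1.example.internal").items():
        print("%-30s %s" % (prop, url))
```

Running the script against a real hbase-site.xml (replace SAMPLE_HBASE_SITE with the file's contents) tells you at a glance whether the UIs will be plaintext and which https:// URLs to distribute; the ports reported are exactly the ones that will also answer plaintext requests with an empty response once HTTPS is on.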

HBase uses Jetty for the Web UI. Without modifying Jetty itself, it does not seem possible to configure Jetty to redirect one port to another on the same host. See Nick Dimiduk's contribution on this Stack Overflow thread for more information. If you know how to fix this without opening a second port for HTTPS, patches are appreciated.
