Authentication for accessing the HBase REST Service
Description
When installing the HBase service, you can optionally deploy the RESTServer instance. You can access the HBase REST service to invoke HBase operations, including operations on namespaces and tables. Kerberos authentication is also required for accessing the HBase REST service.
In this scenario, initial configuration is not required. Only the keytab and krb5.conf files used for Kerberos security authentication are required. For details, see README.md in the sample code.
The following code snippets belong to the HBaseRestTest class in the com.huawei.bigdata.hbase.examples package of the hbase-rest-example sample project.
- Code authentication
Change principal to the actual user name, for example, developuser.
In Windows and Linux environments, use the corresponding path to obtain the file.
    //In Windows environment
    String userdir = HBaseRestTest.class.getClassLoader().getResource("conf").getPath() + File.separator; // [1]
    //In Linux environment
    //String userdir = System.getProperty("user.dir") + File.separator + "conf" + File.separator;
    String principal = "hbaseuser1";
    login(principal, userKeytabFile, krb5File);
    // RESTServer's hostname.
    String restHostName = "10.120.16.170"; // [2]
    String securityModeUrl = new StringBuilder("https://").append(restHostName).append(":21309").toString();
    String nonSecurityModeUrl = new StringBuilder("http://").append(restHostName).append(":21309").toString();
    HBaseRestTest test = new HBaseRestTest();
    //If cluster is non-security mode,use nonSecurityModeUrl as parameter.
    test.test(securityModeUrl); // [3]
[1] userdir obtains the conf directory in the resource path after compilation. Save the core-site.xml, hdfs-site.xml, and hbase-site.xml configuration files required for initialization and the user credential file used for security authentication to the src/main/resources directory. If the conf directory does not exist, create it.
[2] Change the value of restHostName to the IP address of the node where the RestServer instance to be accessed is located, and configure the node IP address in the hosts file on the local host where the sample code is run.
[3] In security mode, access the HBase REST service in HTTPS mode and use securityModeUrl as the test.test() parameter. Use nonSecurityModeUrl only if the cluster is in non-security mode.
- Security login
    private static void login(String principal, String userKeytabFile, String krb5File) throws LoginException {
        Map<String, String> options = new HashMap<>();
        // Authenticate from the keytab only; never fall back to a cached ticket or a prompt.
        options.put("useTicketCache", "false");
        options.put("useKeyTab", "true");
        options.put("keyTab", userKeytabFile);

        /**
         * Krb5 in GSS API needs to be refreshed so it does not throw the error
         * Specified version of key is not available
         */
        options.put("refreshKrb5Config", "true");
        options.put("principal", principal);
        options.put("storeKey", "true");
        options.put("doNotPrompt", "true");
        options.put("isInitiator", "true");
        // Verbose Krb5LoginModule output; set to "false" when not troubleshooting.
        options.put("debug", "true");
        System.setProperty("java.security.krb5.conf", krb5File);
        // In-memory JAAS configuration, so no external jaas.conf file is needed.
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
                };
            }
        };
        // subject is a static field of HBaseRestTest; it holds the Kerberos credentials after login.
        subject = new Subject(false, Collections.singleton(new KerberosPrincipal(principal)),
            Collections.EMPTY_SET, Collections.EMPTY_SET);
        LoginContext loginContext = new LoginContext("Krb5Login", subject, null, config);
        loginContext.login();
    }
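How a Subject populated by login() can authenticate an HTTPS request to the RESTServer with SPNEGO, shown as an added example that is not code from the hbase-rest-example sample project. The class name SpnegoRestCall, its method names, and the HTTP/<host> service principal are assumptions; the host in the URL must be the name the RESTServer's principal is registered under.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Hypothetical helper class, not part of the sample project.
public class SpnegoRestCall {

    /** Builds the Authorization header value for one request to the given host. */
    static String negotiateHeader(String host) throws Exception {
        GSSManager manager = GSSManager.getInstance();
        // Assumption: the RESTServer's service principal is HTTP/<host>@REALM.
        GSSName service = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        Oid spnego = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
        // A null credential means "use the Kerberos ticket of the current Subject".
        GSSContext ctx = manager.createContext(service, spnego, null, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestMutualAuth(true);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        } finally {
            ctx.dispose();
        }
    }

    /** Sends a GET as the logged-in subject and returns the HTTP status code. */
    static int get(Subject subject, String url) throws Exception {
        URL target = new URL(url);
        // Never hand a Kerberos token to a plaintext endpoint.
        if (!"https".equals(target.getProtocol())) {
            throw new IllegalArgumentException("Refusing SPNEGO over " + target.getProtocol());
        }
        return Subject.doAs(subject, (PrivilegedExceptionAction<Integer>) () -> {
            HttpURLConnection conn = (HttpURLConnection) target.openConnection();
            conn.setRequestProperty("Authorization", negotiateHeader(target.getHost()));
            conn.setRequestProperty("Accept", "application/json");
            try {
                return conn.getResponseCode();
            } finally {
                conn.disconnect();
            }
        });
    }
}
```

Call it after login() with the resulting Subject, for example get(subject, securityModeUrl + "/namespaces"). The JVM truststore must already trust the RESTServer's certificate, so certificate verification stays enabled.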