Updated on 2022-11-18 GMT+08:00

Authentication for accessing the HBase REST Service

Description

When installing the HBase service, you can optionally deploy the RESTServer instance. You can access the HBase REST service to invoke HBase operations, including operations on namespaces and tables. Kerberos authentication is also required for accessing the HBase REST service.

In this scenario, initial configuration is not required. Only the keytab and krb5.conf files used for Kerberos security authentication are required. For details, see README.md in the sample code.

The following code snippets belong to the HBaseRestTest class in the com.huawei.bigdata.hbase.examples package of the hbase-rest-example sample project.

  • Code authentication

    Change principal to the actual user name, for example, developuser.

    In Windows and Linux environments, use the corresponding path to obtain the file.

             //In Windows environment
            String userdir = HBaseRestTest.class.getClassLoader().getResource("conf").getPath() + File.separator;[1]
            //In Linux environment
            //String userdir = System.getProperty("user.dir") + File.separator + "conf" + File.separator;
            String principal = "hbaseuser1";
            login(principal, userKeytabFile, krb5File);
            // RESTServer's hostname.
            String restHostName = "10.120.16.170";[2]
            String securityModeUrl = new StringBuilder("https://").append(restHostName).append(":21309").toString();
            String nonSecurityModeUrl = new StringBuilder("http://").append(restHostName).append(":21309").toString();
            HBaseRestTest test = new HBaseRestTest();
    
            //If cluster is non-security mode,use nonSecurityModeUrl as  parameter.
            test.test(securityModeUrl);[3]

    [1] userdir obtains the conf directory in the resource path after compilation. Save the core-site.xml, hdfs-site.xml, and hbase-site.xml configuration files required for initialization and the user credential file used for security authentication to the src/main/resources directory. If the conf directory does not exist, create it.

    [2] Change the value of restHostName to the IP address of the node where the RestServer instance to be accessed is located, and configure the node IP address in the hosts file on the local host where the sample code is run.

    [3] In security mode, access the HBase REST service in HTTPS mode and use nonSecurityModeUrl as the test.test() parameter.

  • Security login
        private static void login(String principal, String userKeytabFile, String krb5File) throws LoginException {
            Map<String, String> options = new HashMap<>();
            options.put("useTicketCache", "false");
            options.put("useKeyTab", "true");
            options.put("keyTab", userKeytabFile);
     
            /**
             * Krb5 in GSS API needs to be refreshed so it does not throw the error
             * Specified version of key is not available
             */
     
            options.put("refreshKrb5Config", "true");
            options.put("principal", principal);
            options.put("storeKey", "true");
            options.put("doNotPrompt", "true");
            options.put("isInitiator", "true");
            options.put("debug", "true");
            System.setProperty("java.security.krb5.conf", krb5File);
            Configuration config = new Configuration() {
                @Override
                public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                    return new AppConfigurationEntry[] {
                        new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
                    };
                }
            };
            subject = new Subject(false, Collections.singleton(new KerberosPrincipal(principal)), Collections.EMPTY_SET,
                Collections.EMPTY_SET);
            LoginContext loginContext = new LoginContext("Krb5Login", subject, null, config);
            loginContext.login();
    }