Updated on 2022-07-11 GMT+08:00

Authentication for Accessing the ThriftServer Service

Scenario

HBase works with Thrift to provide HBase services to external applications. The ThriftServer instance is optional during HBase service installation. The ThriftServer system accesses HBase as a user that has read, write, execute, create, and management permissions on all HBase namespaces and tables. Kerberos authentication is also required to access the ThriftServer service. HBase implements two sets of Thrift Server services; hbase-thrift-example is used to call the ThriftServer instance service.

Procedure

  1. Log in to FusionInsight Manager, choose Cluster > Service > HBase > Configuration, click All Configurations, and search for and modify the parameter hbase.thrift.security.qop of the ThriftServer instance. The value of this parameter must correspond to the value of hbase.rpc.protection. Save the configuration and restart the node service for the configuration to take effect.

    The mapping between hbase.rpc.protection and hbase.thrift.security.qop is as follows:

    • "privacy" - "auth-conf"
    • "authentication" - "auth"
    • "integrity" - "auth-int"

  2. Obtain the configuration file of the ThriftServer instance in the cluster.

    • Method 1: Choose Cluster > Service > HBase > Instance, click the ThriftServer instance to go to the details page, and obtain the configuration files hdfs-site.xml, core-site.xml, and hbase-site.xml.
    • Method 2: Obtain the configuration files by decompressing the client file in Preparing for Development and Operating Environment. Manually add the following configuration to hbase-site.xml. The value of hbase.thrift.security.qop must be the same as the value set in step 1.
      <property>
        <name>hbase.thrift.security.qop</name>
        <value>auth</value>
      </property>
      <property>
        <name>hbase.thrift.kerberos.principal</name>
        <value>thrift/hadoop.hadoop.com@HADOOP.COM</value>
      </property>
      <property>
        <name>hbase.thrift.keytab.file</name>
        <value>/opt/huawei/Bigdata/FusionInsight_HD_8.1.2.2/install/FusionInsight-HBase-2.2.3/keytabs/HBase/thrift.keytab</value>
      </property>
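    To check that a configuration file obtained in step 2 is consistent with the mapping in step 1, the following Python script is an added example; it is not part of this documentation or of the hbase-thrift-example project. It parses the <property> entries of a Hadoop-style hbase-site.xml, verifies that hbase.thrift.security.qop is the Thrift counterpart of hbase.rpc.protection, and checks that the Thrift Kerberos principal and keytab are set. The two configuration strings are constructed samples; the keytab path in them is a placeholder.

```python
"""Check the Kerberos QoP settings of an HBase ThriftServer configuration.

Added example (not from the FusionInsight documentation or the
hbase-thrift-example project). Reads a Hadoop-style hbase-site.xml and
reports mismatches between hbase.rpc.protection and
hbase.thrift.security.qop, plus missing Thrift Kerberos settings.
"""
import xml.etree.ElementTree as ET

# Mapping from the documentation: hbase.rpc.protection -> hbase.thrift.security.qop
RPC_TO_THRIFT_QOP = {
    "privacy": "auth-conf",
    "authentication": "auth",
    "integrity": "auth-int",
}

# Thrift-side settings that must be present for Kerberos authentication.
REQUIRED_THRIFT_KEYS = (
    "hbase.thrift.security.qop",
    "hbase.thrift.kerberos.principal",
    "hbase.thrift.keytab.file",
)


def parse_hadoop_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style XML config."""
    root = ET.fromstring(text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def check_thrift_security(props):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    for key in REQUIRED_THRIFT_KEYS:
        if not props.get(key):
            problems.append(f"missing or empty {key}")

    rpc = props.get("hbase.rpc.protection")
    if rpc is None:
        # The file under test does not carry the RPC setting; the mapping cannot be verified.
        problems.append("hbase.rpc.protection not set; cannot verify the QoP mapping")
        return problems

    expected = RPC_TO_THRIFT_QOP.get(rpc)
    if expected is None:
        problems.append(f"unknown hbase.rpc.protection value {rpc!r}")
        return problems

    thrift_qop = props.get("hbase.thrift.security.qop")
    if thrift_qop and thrift_qop != expected:
        problems.append(
            f"hbase.thrift.security.qop is {thrift_qop!r} but hbase.rpc.protection "
            f"{rpc!r} requires {expected!r}"
        )
    return problems


# Constructed sample: consistent settings (privacy <-> auth-conf).
GOOD_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>hbase.rpc.protection</name><value>privacy</value></property>
  <property><name>hbase.thrift.security.qop</name><value>auth-conf</value></property>
  <property><name>hbase.thrift.kerberos.principal</name><value>thrift/hadoop.hadoop.com@HADOOP.COM</value></property>
  <property><name>hbase.thrift.keytab.file</name><value>/PLACEHOLDER/path/to/thrift.keytab</value></property>
</configuration>
"""

# Constructed sample: QoP does not match the RPC protection level and the keytab is missing.
BAD_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>hbase.rpc.protection</name><value>privacy</value></property>
  <property><name>hbase.thrift.security.qop</name><value>auth</value></property>
  <property><name>hbase.thrift.kerberos.principal</name><value>thrift/hadoop.hadoop.com@HADOOP.COM</value></property>
</configuration>
"""


def run_samples():
    """Check both constructed samples and return their problem lists."""
    return (
        check_thrift_security(parse_hadoop_xml(GOOD_CONFIG)),
        check_thrift_security(parse_hadoop_xml(BAD_CONFIG)),
    )


if __name__ == "__main__":
    for label, problems in zip(("good", "bad"), run_samples()):
        print(label, "->", problems or "OK")
```

    To run the check against a real file, read hbase-site.xml into a string and pass it to parse_hadoop_xml(). Note that the RPC setting and the Thrift setting can live in different files on the cluster, so the check is only meaningful when both are present in the parsed text.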

Example Code

  • Code authentication
    The following code snippets belong to the TestMain class in the com.huawei.bigdata.hbase.examples package of the hbase-thrift-example sample project.
        private static void init() throws IOException {
            // Load the configuration from the conf directory by default.
            conf = HBaseConfiguration.create();

            // In Windows environment
            String userdir = TestMain.class.getClassLoader().getResource("conf").getPath() + File.separator; // [1]
            // In Linux environment
            // String userdir = System.getProperty("user.dir") + File.separator + "conf" + File.separator;
            conf.addResource(new Path(userdir + "core-site.xml"), false);
            conf.addResource(new Path(userdir + "hdfs-site.xml"), false);
            conf.addResource(new Path(userdir + "hbase-site.xml"), false);
        }


    [1] userdir is the path of the conf directory in the resource path after compilation. The core-site.xml, hdfs-site.xml, and hbase-site.xml files used for initializing the configuration and the user credential files used for security authentication must be stored in the src/main/resources/conf directory.

  • Security login
    Set userName to the actual username based on the actual situation, for example, developuser.
        private static void login() throws IOException {
            if (User.isHBaseSecurityEnabled(conf)) {
                userName = "developuser";

                // In Windows environment
                String userdir = TestMain.class.getClassLoader().getResource("conf").getPath() + File.separator;
                // In Linux environment
                // String userdir = System.getProperty("user.dir") + File.separator + "conf" + File.separator;

                userKeytabFile = userdir + "user.keytab";
                krb5File = userdir + "krb5.conf";

                /*
                 * If you need to connect to ZooKeeper, provide the JAAS configuration for it.
                 * You can do this yourself with
                 * System.setProperty("java.security.auth.login.config", confDirPath + "jaas.conf");
                 * but the helper below is more convenient.
                 * Note: if this process connects to more than one ZooKeeper cluster, this
                 * approach may not be suitable; contact us for more help.
                 */
                LoginUtil.setJaasConf(ZOOKEEPER_DEFAULT_LOGIN_CONTEXT_NAME, userName, userKeytabFile);
                LoginUtil.login(userName, userKeytabFile, krb5File, conf);
            }
        }
  • Connecting to a ThriftServer instance
        try {
            test = new ThriftSample();
            test.test("10.120.16.170", THRIFT_PORT, conf); // [2]
        } catch (TException | IOException e) {
            LOG.error("Test thrift error", e);
        }

    [2] The first argument of test.test() is the IP address of the node where the ThriftServer instance to be accessed runs. Change it to the actual IP address. The IP address of that node must also be configured in the hosts file of the local host on which the sample code runs.

    THRIFT_PORT is the value of hbase.regionserver.thrift.port configured for the ThriftServer instance.