Updated on 2023-08-31 GMT+08:00

Security Authentication for HBase Data Read and Write (Single-Cluster Scenario)

Scenario

In a security cluster environment, components must authenticate each other before they communicate, to ensure communication security. HBase application development requires both ZooKeeper and Kerberos security authentication. The jaas.conf file is used for ZooKeeper authentication, and the keytab and krb5.conf files are used for Kerberos security authentication. For details, see the README.md file of the sample code.

The code authentication mode is used for security authentication. Oracle Java and IBM Java are supported.

The following code snippet belongs to the TestMain class of the com.huawei.bigdata.hbase.examples package.

  • Code authentication
    try {
        init();
        login();
    } catch (IOException e) {
        LOG.error("Failed to login because ", e);
        return;
    }
  • Initializing configuration
    private static void init() throws IOException {
        // Default load from conf directory
        conf = HBaseConfiguration.create();
        // In Windows environment (see note [1])
        String userdir = TestMain.class.getClassLoader().getResource("conf").getPath() + File.separator;
        // In Linux environment
        // String userdir = System.getProperty("user.dir") + File.separator + "conf" + File.separator;
        conf.addResource(new Path(userdir + "core-site.xml"), false);
        conf.addResource(new Path(userdir + "hdfs-site.xml"), false);
        conf.addResource(new Path(userdir + "hbase-site.xml"), false);
    }

    [1] userdir obtains the conf directory in the resource path after compilation.

Prerequisites

You have obtained the configuration file and authentication file required for running the sample project. For details, see Preparing the Configuration Files for Connecting to the Cluster.

Configuring Secure Login

In the TestMain class of the com.huawei.bigdata.hbase.examples package, change userName to the actual username, for example, developuser.

private static void login() throws IOException {
    if (User.isHBaseSecurityEnabled(conf)) {
        userName = "developuser";

        // In Windows environment
        String userdir = TestMain.class.getClassLoader().getResource("conf").getPath() + File.separator;
        // In Linux environment
        // String userdir = System.getProperty("user.dir") + File.separator + "conf" + File.separator;

        /*
         * To connect to ZooKeeper, JAAS information for ZooKeeper must be provided.
         * It can be set directly, for example:
         * System.setProperty("java.security.auth.login.config", userdir + "jaas.conf");
         * but the helper below is more convenient.
         * Note: if this process connects to more than one ZooKeeper cluster,
         * this demo may not be suitable. Contact us for more help.
         */
        // userKeytabFile and krb5File are not assigned in this snippet; they must
        // hold the paths of the keytab and krb5.conf files before login is called.
        LoginUtil.setJaasConf(ZOOKEEPER_DEFAULT_LOGIN_CONTEXT_NAME, userName, userKeytabFile);
        LoginUtil.login(userName, userKeytabFile, krb5File, conf);
    }
}
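
The jaas.conf alternative mentioned in the comment above can be checked before login. The following JDK-only program is an added example, not part of the sample project and not the implementation of LoginUtil: it rejects a keytab that other users can read, writes a ZooKeeper client JAAS entry with the login module and option names that differ between Oracle/OpenJDK and IBM Java, and parses the file back so that syntax errors surface early. The class and method names, the temporary directory and the empty placeholder keytab are assumptions constructed for the demonstration; "Client" is ZooKeeper's default client login context name.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.URIParameter;
import java.util.Set;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class ZkJaasPreflight {
    static final String ZK_CONTEXT = "Client"; // ZooKeeper's default client login context
    // Render the JAAS entry for the running JVM: IBM and Oracle/OpenJDK ship
    // different Krb5LoginModule classes with different option names.
    static String jaasEntry(String principal, Path keytab) {
        boolean ibm = System.getProperty("java.vendor", "").contains("IBM");
        String opts = ibm
            ? "com.ibm.security.auth.module.Krb5LoginModule required\n"
                + "  credsType=both\n  useKeytab=\"" + keytab.toUri() + "\"\n"
            : "com.sun.security.auth.module.Krb5LoginModule required\n"
                + "  useKeyTab=true\n  storeKey=true\n  useTicketCache=false\n"
                + "  keyTab=\"" + keytab.toString().replace('\\', '/') + "\"\n";
        return ZK_CONTEXT + " {\n  " + opts + "  principal=\"" + principal + "\";\n};\n";
    }
    // Fail fast if the keytab is missing or, on POSIX, readable by group/others.
    static void checkKeytab(Path keytab) throws IOException {
        if (!Files.isReadable(keytab)) throw new IOException("keytab not readable: " + keytab);
        if (!Files.getFileStore(keytab).supportsFileAttributeView("posix")) return;
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keytab);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ))
            throw new IOException("keytab readable by other users: " + keytab);
    }
    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: a temp conf directory and an empty placeholder keytab.
        Path confDir = Files.createTempDirectory("conf");
        Path keytab = Files.createTempFile(confDir, "placeholder", ".keytab");
        checkKeytab(keytab);
        Path jaas = confDir.resolve("jaas.conf");
        Files.write(jaas, jaasEntry("developuser", keytab).getBytes("UTF-8"));
        // Parse the file back so a syntax error surfaces here, not during the ZooKeeper handshake.
        Configuration cfg = Configuration.getInstance("JavaLoginConfig", new URIParameter(jaas.toUri()));
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(ZK_CONTEXT);
        if (entries == null) throw new IOException("no '" + ZK_CONTEXT + "' entry in " + jaas);
        System.setProperty("java.security.auth.login.config", jaas.toString());
        System.out.println(entries[0].getLoginModuleName() + " " + entries[0].getOptions().keySet());
    }
}
```

The parse step only validates the file syntax and the presence of the context entry; the login module class and the keytab contents are not exercised until an actual Kerberos login is attempted.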