HBase UI - stanislawbartkowski/hdpwiredencryption GitHub Wiki

Enable SSL for HBase UI

Enabling secure HTTP for HBase UI is simple and straightforward. Details:

https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.5/configuring-wire-encryption/content/enable_ssl_on_the_hbase_web_ui.html

Prepare HBase UI keystore

The keystore can hold either a self-signed certificate or a CA-signed certificate. Create the keystore on the HBase Master node. If HA is enabled, the same copy of the keystore and truststore must be placed on both nodes in the same directory.

Create a self-signed keystore:

cd /etc/hbase/conf
keytool -genkey -alias hbase -keyalg RSA -keysize 2048 -keystore keystore-ui.jks
chown hbase:hadoop keystore-ui.jks
chmod 400 keystore-ui.jks

Make sure that the password is correct.

keytool -list -keystore keystore-ui.jks

Enter keystore password:  
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

cert, 2020-10-05, trustedCertEntry, 
Certificate fingerprint (SHA1): 9E:01:C8:73:41:17:6E:7E:50:E9:CE:CB:F8:CA:23:03:FC:4C:25:FC

Configure

HBase->Configs->Advanced
Custom hbase-site

| Parameter | Value |
|---|---|
| hbase.ssl.enabled | true |
| hadoop.ssl.enabled | true |
| ssl.server.keystore.keypassword | Not necessary if the entry is not protected by a password |
| ssl.server.keystore.password | secret |
| ssl.server.keystore.location | /etc/hbase/conf/keystore-ui.jks |

Restart HBase

Test

Launch the HBase UI and make sure that it opens over secure HTTP.

Ranger HBase Plugin for SSL

Create keystores

The steps are very similar to those for the HDFS plugin, but tailored for HBase.

https://github.com/stanislawbartkowski/hdpwiredencryption/wiki/SSL-Ranger-UI-HDFS-Ranger-Plugin#hdfs-ranger-plugin

On HBase Master node, prepare Ranger plugin keystore

cd /etc/hbase/conf

Important: choose the CN name carefully. Do not use the FQDN hostname, and make the CN name different from the CN names of all other plugins.

keytool -genkey -keyalg RSA -alias rangerHBaseAgent -keystore ranger-plugin-keystore.jks -validity 360 -keysize 2048

Enter keystore password:  
What is your first and last name?
  [Unknown]:  rangerhbaseplugin
What is the name of your organizational unit?
  [Unknown]:  AA
What is the name of your organization?
  [Unknown]:  BB

Create HBase Ranger plugin truststore, import Ranger Admin certificate

keytool -import -file /root/ranger-admin-trust.cer -alias rangeradmintrust -keystore ranger-plugin-truststore.jks

Secure stores

chown hbase: *.jks
chmod 400 *jks

Distribute both keystores to all nodes where HBase Region servers are installed. After copying, make sure the owner and modes are set correctly, because they can be lost by the scp command.

Export HBase plugin certificate

keytool -export -keystore ranger-plugin-keystore.jks -alias rangerHBaseAgent -file ranger-hbaseAgent-trust.cer

On the Ranger Admin node, import the certificate into the Ranger Admin truststore, using a different alias name.

cd /etc/ranger/admin/conf
keytool -import -file /root/ranger-hbaseAgent-trust.cer -alias rangerHBaseAgentTrust -keystore ranger-admin-truststore.jks
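
To confirm that the plugin stores kept their owner and mode after being copied to each Region server node, the following added example (not part of the original wiki) checks both files and prints a digest that can be compared between nodes. It assumes Linux with GNU stat and sha256sum; the function names check_store and audit_stores are hypothetical.

```shell
# Added example, not from the original wiki. Assumes Linux with GNU stat/sha256sum.
# check_store and audit_stores are hypothetical helper names.

# check_store FILE OWNER
# Returns 0 if FILE exists, is owned by OWNER and has mode 400;
# 1 if owner or mode drifted; 2 if the file is missing.
check_store() {
    cs_file=$1
    cs_want=$2
    if [ ! -f "$cs_file" ]; then
        echo "MISSING $cs_file"
        return 2
    fi
    cs_owner=$(stat -c '%U' "$cs_file")
    cs_mode=$(stat -c '%a' "$cs_file")
    if [ "$cs_owner" != "$cs_want" ] || [ "$cs_mode" != "400" ]; then
        echo "DRIFT   $cs_file owner=$cs_owner mode=$cs_mode (expected $cs_want, 400)"
        return 1
    fi
    # The digest lets the operator confirm every node holds the same copy.
    echo "OK      $cs_file sha256=$(sha256sum "$cs_file" | cut -d' ' -f1)"
    return 0
}

# audit_stores DIR OWNER
# Checks both Ranger plugin stores in DIR; the return status is the number of failures.
audit_stores() {
    as_bad=0
    for as_name in ranger-plugin-keystore.jks ranger-plugin-truststore.jks; do
        check_store "$1/$as_name" "$2" || as_bad=$((as_bad + 1))
    done
    return "$as_bad"
}

# On each Region server node: audit_stores /etc/hbase/conf hbase
```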

Configure HBase Ranger plugin

HBase->Configs->Advanced->Advanced ranger-hbase-policymgr-ssl

| Property | Sample value |
|---|---|
| xasecure.policymgr.clientssl.keystore | /etc/hbase/conf/ranger-plugin-keystore.jks |
| xasecure.policymgr.clientssl.keystore.password | secret |
| xasecure.policymgr.clientssl.truststore | /etc/hbase/conf/ranger-plugin-truststore.jks |
| xasecure.policymgr.clientssl.truststore.password | secret |

Restart HBase and Ranger

Ranger Admin UI-> Access Manager -> <cluster_name>_hbase
Provide the DN of the Ranger HBase plugin certificate in the Common Name for Certificate field.

Verify

Audit-> Plugins

The <cluster_name>_hbase entry should report HTTP Response Code 200 with a fresh date.

Test

As the sb user, try to create an HBase table

hbase shell
create 'emp', 'personal data', 'professional data'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'sb' (action=create)

Open the Ranger UI Console and temporarily grant the sb user permission to create the emp table.

Try again after a minute.

create 'emp', 'personal data', 'professional data'

Created table emp
Took 4.0250 seconds                                                                                                                                                                            