HBase UI - stanislawbartkowski/hdpwiredencryption GitHub Wiki
Enabling secure HTTP for HBase UI is simple and straightforward. Details:
The keystore can hold a self-signed or a CA-signed certificate. Create the keystore on the HBase Master node. If HA is enabled, place the same copy of the keystore and truststore on both nodes in the same directory.
Create a self-signed keystore:
cd /etc/hbase/conf
keytool -genkey -alias hbase -keyalg RSA -keysize 2048 -keystore keystore-ui.jks
chown hbase:hadoop keystore-ui.jks
chmod 400 keystore-ui.jks
Make sure that the password is correct.
keytool -list -keystore keystore-ui.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
cert, 2020-10-05, trustedCertEntry,
Certificate fingerprint (SHA1): 9E:01:C8:73:41:17:6E:7E:50:E9:CE:CB:F8:CA:23:03:FC:4C:25:FC
HBase->Configs->Advanced
Custom hbase-site
Parameter | Value |
---|---|
hbase.ssl.enabled | true |
hadoop.ssl.enabled | true |
ssl.server.keystore.keypassword | Not necessary if the entry is not protected by a password |
ssl.server.keystore.password | secret |
ssl.server.keystore.location | /etc/hbase/conf/keystore-ui.jks |
Restart HBase
Launch the HBase UI and make sure that it opens over secure HTTP.
The steps are very similar to those for the HDFS plugin, but tailored for HBase.
On the HBase Master node, prepare the Ranger plugin keystore
cd /etc/hbase/conf
Important: note the CN you enter. Do not use the FQDN hostname, and make the CN different from the CN of every other plugin.
keytool -genkey -keyalg RSA -alias rangerHBaseAgent -keystore ranger-plugin-keystore.jks -validity 360 -keysize 2048
Enter keystore password:
What is your first and last name?
[Unknown]: rangerhbaseplugin
What is the name of your organizational unit?
[Unknown]: AA
What is the name of your organization?
[Unknown]: BB
Create the HBase Ranger plugin truststore and import the Ranger Admin certificate
keytool -import -file /root/ranger-admin-trust.cer -alias rangeradmintrust -keystore ranger-plugin-truststore.jks
Secure the stores
chown hbase: *.jks
chmod 400 *.jks
Distribute both keystores to all nodes where HBase Region servers are installed. After copying, make sure the owner and modes are set correctly; they can be lost by the scp command.
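A check for the owner and mode problem described above, as an added example that is not part of the original wiki: run on each Region Server after copying, it reports every `*.jks` file that is not a regular file with the expected owner and mode 400. The function name `audit_stores` is hypothetical, and GNU `stat` (Linux nodes) is assumed.

```shell
#!/bin/sh
# Added example (not from the wiki): audit keystore files after distribution.
# Assumption: GNU coreutils stat, as found on Linux cluster nodes.

# audit_stores DIR OWNER [MODE]
# Prints one line per *.jks file in DIR. Returns 0 only if every store is a
# regular file owned by OWNER with exactly MODE (default 400), 1 if any store
# deviates, 2 if DIR contains no *.jks file at all.
audit_stores() {
    dir=$1; want_owner=$2; want_mode=${3:-400}; bad=0; seen=0
    for f in "$dir"/*.jks; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        seen=$((seen + 1))
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "FAIL $f: not a regular file"; bad=$((bad + 1)); continue
        fi
        mode=$(stat -c '%a' "$f"); owner=$(stat -c '%U' "$f")
        if [ "$mode" != "$want_mode" ]; then
            echo "FAIL $f: mode $mode, expected $want_mode"; bad=$((bad + 1))
        elif [ "$owner" != "$want_owner" ]; then
            echo "FAIL $f: owner $owner, expected $want_owner"; bad=$((bad + 1))
        else
            echo "OK   $f"
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "FAIL $dir: no *.jks files found"; return 2
    fi
    [ "$bad" -eq 0 ]
}

# Run directly, e.g.: sh audit_stores.sh /etc/hbase/conf hbase
if [ "$#" -ge 2 ]; then
    audit_stores "$@"
fi
```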
Export the HBase plugin certificate
keytool -export -keystore ranger-plugin-keystore.jks -alias rangerHBaseAgent -file ranger-hbaseAgent-trust.cer
On the Ranger Admin node, import the certificate into the Ranger Admin truststore, using a different alias name.
cd /etc/ranger/admin/conf
keytool -import -file /root/ranger-hbaseAgent-trust.cer -alias rangerHBaseAgentTrust -keystore ranger-admin-truststore.jks
HBase->Configs->Advanced->Advanced ranger-hbase-policymgr-ssl
Property | Sample value |
---|---|
xasecure.policymgr.clientssl.keystore | /etc/hbase/conf/ranger-plugin-keystore.jks |
xasecure.policymgr.clientssl.keystore.password | secret |
xasecure.policymgr.clientssl.truststore | /etc/hbase/conf/ranger-plugin-truststore.jks |
xasecure.policymgr.clientssl.truststore.password | secret |
Restart HBase and Ranger
Ranger Admin UI-> Access Manager -> <cluster_name>_hbase
Enter the DN of the Ranger HBase plugin certificate in the Common Name for Certificate field.
Audit-> Plugins
_hbase should report HTTP Response Code 200 with a fresh date.
As the sb user, try to create an HBase table
hbase shell
create 'emp', 'personal data', 'professional data'
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'sb' (action=create)
Open the Ranger UI Console and temporarily grant sb permission to create the emp table
Try again after a minute.
create 'emp', 'personal data', 'professional data'
Created table emp
Took 4.0250 seconds