8.4. Security Configuration Example

This configuration example includes support for HFile v3, ACLs, Visibility Labels, and transparent encryption of data at rest and the WAL. All options have been discussed separately in the sections above.

Example 8.16. Example Security Settings in hbase-site.xml

<!-- HFile v3 Support -->
<!-- HFile format version 3 is the on-disk format that can carry per-cell tags.
     The cell ACLs, visibility labels and transparent encryption configured
     further down in this example depend on it. -->
<property>
  <name>hfile.format.version</name>
  <value>3</value>
</property>
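<!-- HBase Superuser -->
<!-- Comma-separated users that hold every permission regardless of stored ACLs.
     Keep the list as short as possible and audit it when accounts change.
     Written without a space after the comma, so that an entry cannot pick up a
     leading blank (and then fail to match the real user name) if the list is
     split without trimming. -->
<property>
  <name>hbase.superuser</name>
  <value>hbase,admin</value>
</property>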
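<!-- Coprocessors for ACLs and Visibility Tags -->
<!-- AccessController enforces ACLs, VisibilityController enforces visibility
     labels, and TokenProvider is the token coprocessor. Every entry must be a
     correct fully-qualified class name: a name that does not resolve to a class
     cannot be loaded, so the protection it was meant to provide is not in place. -->
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController,
  org.apache.hadoop.hbase.security.visibility.VisibilityController,
  org.apache.hadoop.hbase.security.token.TokenProvider</value>
</property>
<property>
  <name>hbase.coprocessor.master.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController,
  org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<!-- Class names below use the same packages as the region and master lists:
     org.apache.hadoop.hbase (dots only, no slash) and
     security.visibility for VisibilityController. -->
<property>
  <name>hbase.coprocessor.regionserver.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController,
  org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>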
<!-- Executable ACL for Coprocessor Endpoints -->
<!-- When true and the AccessController is installed, a user needs the EXEC
     permission before invoking a coprocessor endpoint. Grant EXEC explicitly
     to the users and applications that call endpoints. -->
<property>
  <name>hbase.security.exec.permission.checks</name>
  <value>true</value>
</property>
<!-- Whether a user needs authorization for a visibility tag to set it on a cell -->
<!-- With false, a writer may attach labels it is not itself authorized for.
     Set to true if writers must hold every label they put on a cell. -->
<property>
  <name>hbase.security.visibility.mutations.checkauth</name>
  <value>false</value>
</property>
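<!-- Secure RPC Transport -->
<!-- HBase names the RPC protection levels authentication, integrity and privacy.
     privacy is the level that adds encryption on the wire; it corresponds to the
     SASL quality-of-protection token auth-conf. The HBase name is used here
     because some releases may not recognise the raw SASL token and could fall
     back to authentication only (verify against the release you run).
     Client and server must be configured with the same value. -->
<property>
  <name>hbase.rpc.protection</name>
  <value>privacy</value>
</property>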
 <!-- Transparent Encryption -->
<property>
    <name>hbase.crypto.keyprovider</name>
    <value>org.apache.hadoop.hbase.io.crypto.KeyStoreKeyProvider</value>
</property>
<property>
    <name>hbase.crypto.keyprovider.parameters</name>
    <value>jceks:///path/to/hbase/conf/hbase.jks?password=***</value>
</property>
<property>
    <name>hbase.crypto.master.key.name</name>
    <value>hbase</value>
</property>
<!-- WAL Encryption -->
<!-- The secure reader and writer implementations and the encryption switch
     are set together in this example. -->
<property>
  <name>hbase.regionserver.hlog.reader.impl</name>
  <value>org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogReader</value>
</property>
<property>
  <name>hbase.regionserver.hlog.writer.impl</name>
  <value>org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogWriter</value>
</property>
<property>
  <name>hbase.regionserver.wal.encryption</name>
  <value>true</value>
</property>
<!-- For key rotation -->
<!-- Alias of the previous master key. While a rotation is in progress the old
     key stays available under this name so data written under it can still be
     read; remove the setting once everything has been rewritten under the new
     key. -->
<property>
  <name>hbase.crypto.master.alternate.key.name</name>
  <value>hbase.old</value>
</property>
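<!-- Secure Bulk Load -->
<!-- Staging directory for bulk-loaded files. It should be owned by the HBase
     service user; check the secure bulk load section for the permissions it
     requires. -->
<property>
  <name>hbase.bulkload.staging.dir</name>
  <value>/tmp/hbase-staging</value>
</property>
<!-- hbase.coprocessor.region.classes is also set earlier in this file. When a
     property name is repeated, the last definition is normally the one that
     takes effect, so this list must carry every region coprocessor the example
     relies on. VisibilityController is therefore listed here as well;
     without it this later definition would silently switch off visibility
     label enforcement on regions. -->
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider,
  org.apache.hadoop.hbase.security.access.AccessController,
  org.apache.hadoop.hbase.security.visibility.VisibilityController,
  org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
</property>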
        

Example 8.17. Example Group Mapper in Hadoop core-site.xml

Adjust these settings to suit your environment.

<!-- Resolve a user's groups through LDAP. Group membership feeds group-based
     ACLs, so the directory queried here is part of the authorization path. -->
<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<!-- Directory server. With a plain ldap:// URL the bind credentials and the
     group answers cross the network unencrypted; for production consider an
     ldaps:// URL together with hadoop.security.group.mapping.ldap.ssl. -->
<property>
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://server</value>
</property>
<!-- Account used to bind for lookups. Group resolution only needs read access,
     so a dedicated low-privilege service account is preferable to a directory
     administrator. -->
<property>
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <value>Administrator@example-ad.local</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.bind.password</name>
  <value>****</value> <!-- Placeholder. core-site.xml is usually widely readable, so prefer hadoop.security.group.mapping.ldap.bind.password.file (a file only the service user can read) over a clear-text password here -->
</property>
<!-- Search base: the subtree under which users and groups are looked up. -->
<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value>dc=example-ad,dc=local</value>
</property>
<!-- User filter. {0} is replaced with the user name being resolved; the
     ampersand of the LDAP AND operator is written as an XML entity. -->
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
</property>
<!-- Group filter: which directory entries count as groups. -->
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value>(objectClass=group)</value>
</property>
<!-- Attribute on a group entry that lists its members. -->
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>member</value>
</property>
<!-- Attribute on a group entry that holds the group name returned to Hadoop. -->
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
  <value>cn</value>
</property>
        
