Security

Authentication

Currently the only supported authentication mechanism is Kerberos, which is disabled by default. For Kerberos to work a Kerberos KDC is needed, which the users need to provide. The secret-operator documentation states which kind of Kerberos servers are supported and how they can be configured.

1. Prepare Kerberos server

To configure HDFS to use Kerberos you first need to collect information about your Kerberos server, e.g. hostname and port. Additionally, you need a service-user which the secret-operator uses to create principals for the HDFS services.

2. Create Kerberos SecretClass

Afterwards you need to enter all the needed information into a SecretClass, as described in secret-operator documentation. The following guide assumes you have named your SecretClass kerberos.

3. Configure HDFS to use SecretClass

The next step is to configure your HdfsCluster to use the newly created SecretClass. Please follow the HDFS security guide to set up and test this. Please watch out to use the SecretClass named kerberos.

4. Configure HBase to use SecretClass

The last step is to configure the same SecretClass for HBase, which is done similar to HDFS.

HDFS and HBase need to use the same SecretClass (or at least use the same underlying Kerberos server). 
spec:
  clusterConfig:
    authentication:
      tlsSecretClass: tls # Optional, defaults to "tls"
      kerberos:
        secretClass: kerberos # Put your SecretClass name in here

The kerberos.secretClass is used to give HBase the possibility to request keytabs from the secret-operator.

The tlsSecretClass is needed to request TLS certificates, used e.g. for the Web UIs.

5. Verify that Kerberos authentication is required

Shell into the hbase-master-default-0 Pod and execute the following commands:

  1. kdestroy (just in case you run kinit in the Pod already in the past)

  2. echo 'list;' | bin/hbase shell

The last command should fail with the error message ERROR: Found no valid authentication method from options. You can also check the RestServer by calling curl -v --insecure https://hbase-restserver-default:8081, which should return HTTP ERROR 401 Authentication required.

6. Access HBase

In case you want to access your HBase it is recommended to start up a client Pod that connects to HBase, rather than shelling into the master. We have an integration test for this exact purpose, where you can see how to connect and get a valid keytab.

Authorization

Together with Kerberos authorization is enabled. You need to explicitly grant table permissions to all users. E.g. the integration tests run grant 'testuser', 'C'; to grant the testuser the permission to create tables.

Wire encryption

In case Kerberos is enabled, Privacy mode is used for best security. Wire encryption without Kerberos as well as other wire encryption modes are not supported.