© Hortonworks Inc. 2011 – 2016. All Rights Reserved
Practical Kerberos
with Apache HBase
Josh Elser
HBaseCon East
2016/09/26
Engineer at Hortonworks, Member of the Apache Software Foundation
Top-Level Projects
• Apache Accumulo®
• Apache Calcite™
• Apache Commons™
• Apache HBase®
• Apache Phoenix™
ASF Incubator
• Apache Fluo™
• Apache Gossip™
• Apache Pirk™
• Apache Rya™
• Apache Slider™
These names are trademarks or registered trademarks
of the Apache Software Foundation.
… but today we’re talking about Kerberos!
- “The Madness beyond the Gate” [1]
- An exploration in black magic and voodoo
- The word most accompanied with expletives
1: https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/kerberos_the_madness.html
What this talk won’t be...
3dom via https://www.flickr.com/photos/steve_l/6042206137/in/album-72157629289333057/, CC-BY-NC
Introduction to Kerberos
⬢ “Kerberos is a network authentication protocol. It is designed to provide strong
authentication for client/server applications by using secret-key cryptography” [1]
⬢ MIT Kerberos is one implementation
– Heimdal is another
– We’re talking about MIT Kerberos
⬢ Authentication over a computer network
– Not authorization
– No data privacy
1: http://web.mit.edu/kerberos/
Introduction to Kerberos
⬢ Key Distribution Center (KDC)
– Centralized server which grants Kerberos “tickets”
– The “trusted third party” of the security model
⬢ Users are defined by a “principal”
– primary[/instance]@REALM
– A human: elserj@HORTONWORKS.COM
– A service: hbase/regionserver1.hbase.hwx.com@HORTONWORKS.COM
– elserj@HORTONWORKS.COM is a distinct principal from elserj/login.hbase.hwx.com@HORTONWORKS.COM
Introduction to Kerberos
⬢ Principals are identified by a secret shared with the KDC
– A normal password
– A keytab file (non-plaintext “password”, suitable for non-interactive logins)
⬢ Kerberos Ticket obtained from the KDC by using your secret
– Tickets expire
– Tickets are renewable*
[Diagram: Client (Password/Keytab), KDC, Server (Keytab); Client to Server: Authenticated RPC]
Interacting with Kerberos
⬢ kadmin (or kadmin.local)
– Command-line interface for administrators to create, modify, delete principals.
⬢ kinit
– A command-line tool to obtain a ticket for a principal
– Places the ticket in a file on disk in a well-known location called a “ticket cache”
• Default location on Linux: /tmp/krb5cc_$(id -u `whoami`)
– The ticket cache is readable and writable by the owning user only (e.g. chmod 600)
– Can obtain a ticket for any principal using a password or keytab
– Ticket caches can hold multiple tickets
⬢ klist
– Lists the contents of the current user’s ticket cache
– Can list the keys in a keytab file
Benefits of Kerberos
⬢ Building a secure, network-based authentication system is very hard
⬢ Functions on non-trusted networks
– Security for multi-tenant systems, protect against malicious and non-malicious users
⬢ Leveraged across the Apache Hadoop “Stack”
⬢ Widely integrated externally
– Operating systems and programming languages
⬢ Can integrate with Active Directory
Apache Hadoop is a registered trademark of the Apache Software Foundation
Promises
It’s simple, you just get your Kerberos ticket, use HBase and it knows who you are!
[elserj@localhost] $ kinit elserj
Password for elserj@HORTONWORKS.COM:
[elserj@localhost] $ hbase com.hortonworks.hbase.MyMapReduceJob /user/elserj/my-big-data.txt
…
Success!
[elserj@localhost] $
Reality
[elserj@localhost] $ kinit elserj
Password for elserj@HORTONWORKS.COM:
[elserj@localhost] $ hbase com.hortonworks.hbase.MyMapReduceJob /big-data.txt
...
2016-09-26 14:03:11,549 FATAL [main] ipc.AbstractRpcClient (RpcClientImpl.java:run(709)) – SASL authentication failed. The most likely cause is missing or invalid credentials. Consider ‘kinit’.
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
[elserj@localhost] $
(╯°□°)╯︵ ┻━┻
Ok, let’s figure out what went wrong?
What should I search for?
RPC
SASL
GSSAPI
JGSS
UGI
JAAS
KDC
JCE
Token
Ticket
Voldemort
“Bars near me open now”
Cthulhu
Kerberos
How JVM-based applications can obtain Kerberos tickets
⬢ Extract a ticket from the local ticket cache for a principal
– hbase shell or hdfs dfs -ls /
⬢ UserGroupInformation Hadoop API (UGI)
– UserGroupInformation.loginUserFromKeytab(String, String)
– UserGroupInformation.loginUserFromKeytabAndReturnUGI(String, String)
⬢ javax.security.auth.Subject with Krb5LoginModule
– The APIs which UserGroupInformation uses under the covers
⬢ Automatic login via JAAS
– “Java Authentication and Authorization Service”, implementation of PAM (RFC 86.0)
– Configuration file, specified via Java system properties.
– Each “block” uses an identifier to denote login details for a specific system
HBase Service Logins
⬢ HBase services are daemons; they always use a keytab to login
⬢ Principal and keytab are specified in hbase-site.xml for each service
⬢ A JAAS configuration file is also provided for Apache ZooKeeper client authentication
– Necessary for authenticated ZooKeeper access (HBase-only ACLs)
⬢ HBase services automatically perform logins/renewals as necessary
– Anyone who tells you that they need to “kinit for HBase to work” doesn’t know what they’re talking about.
Apache ZooKeeper is a trademark of the Apache Software Foundation
HBase Clients
⬢ HBase clients will use a variety of mechanisms for authentication
– Interactive use: ticket-cache
– Automated tasks/Daemons: UGI with keytab
⬢ Reminder: Kerberos tickets expire
– Clients must implement renewal logic
– UGI provides an API to do this
⬢ Typically, UGI is the way to go
– Concise and well-understood
On using UserGroupInformation correctly
⬢ We mentioned two different method calls earlier for logins
– void loginUserFromKeytab(String, String)
– UserGroupInformation loginUserFromKeytabAndReturnUGI(String, String)
⬢ loginUserFromKeytab is “global”
– Syntactic-sugar to make your life easier
– Works great when the application only acts as one user
⬢ loginUserFromKeytabAndReturnUGI is “localized”
– Requires invoking “doAs(...)”
– Allows for concurrent execution as different users in one JVM
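The two login styles above side by side, as an added example (not code from the talk or from the HBase project). The principal names other than elserj, the keytab paths, and the table and row names are hypothetical; it assumes hbase-site.xml for a Kerberos-enabled cluster is on the classpath.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;

/** Added example: "global" and "localized" UGI keytab logins in one JVM. */
public class UgiLoginModes {
  // Hypothetical principals and keytab paths; substitute your own.
  static final String APP_PRINCIPAL = "myapp@HORTONWORKS.COM";
  static final String APP_KEYTAB = "/etc/security/keytabs/myapp.keytab";
  static final String USER_PRINCIPAL = "elserj@HORTONWORKS.COM";
  static final String USER_KEYTAB = "/etc/security/keytabs/elserj.keytab";

  /** Talks to HBase as whichever identity is current on the calling thread. */
  static boolean rowExists(Configuration conf, String table, String row) throws IOException {
    // An HBase Connection picks up the current UGI when it is created, so to carry
    // a localized identity it has to be created inside doAs(...).
    // (Long-running code would keep one Connection per identity instead of one per call.)
    try (Connection conn = ConnectionFactory.createConnection(conf);
         Table t = conn.getTable(TableName.valueOf(table))) {
      return t.exists(new Get(Bytes.toBytes(row)));
    }
  }

  public static void main(String[] args) throws Exception {
    final Configuration conf = HBaseConfiguration.create(); // hbase-site.xml from the classpath
    UserGroupInformation.setConfiguration(conf);            // must happen before any login

    // Global: sets the JVM-wide login user. Every thread that is not inside a
    // doAs(...) now acts as APP_PRINCIPAL.
    UserGroupInformation.loginUserFromKeytab(APP_PRINCIPAL, APP_KEYTAB);
    System.out.println(UserGroupInformation.getLoginUser().getUserName()
        + ": " + rowExists(conf, "t1", "row1"));

    // Localized: the login user is left alone; the returned UGI only takes effect
    // for code run through doAs(...), so several identities can coexist.
    UserGroupInformation user =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(USER_PRINCIPAL, USER_KEYTAB);
    boolean found = user.doAs(
        (PrivilegedExceptionAction<Boolean>) () -> rowExists(conf, "t1", "row1"));
    System.out.println(user.getUserName() + ": " + found);

    // Renewal: tickets expire, so call this before each batch of work in a
    // long-running client. It re-logs in from the keytab only when the TGT is
    // close to expiry. A UGI returned by loginUserFromKeytabAndReturnUGI needs
    // the same care; verify relogin behaviour for it on your Hadoop version.
    UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
  }
}
```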
Enter SASL: authentication framework over a transport
⬢ SASL is a framework for building RPC systems with authentication
⬢ “Simple Authentication and Security Layer” RFC-4422
– “A framework for authentication and data security in Internet protocols” [1]
– “decouples authentication mechanisms from application protocols”[1]
• Generic Security Services Application Program Interface (GSSAPI) speaks Kerberos
• DIGEST-MD5 is an HTTP Digest authentication-like method (delegation tokens)
– Data security aka Quality of Protection (QoP)
• auth: Authentication only (default)
• auth-int: Previous, and integrity check of message content
• auth-conf: Previous, and encryption of message content
[1] https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
Trust on an untrusted network
⬢ A Kerberos ticket implies a valid identity, not necessarily the identity you wanted
⬢ Kerberos relies on accurate/consistent DNS as the basis for a secure RPC model
– Secure your DNS as much as your KDC
⬢ Recall the service principal from earlier
– hbase/regionserver1.hbase.hwx.com@HORTONWORKS.COM
⬢ The instance must be a fully-qualified domain name
⬢ Clients need to know the primary, and the instance must match DNS
– “Caused by: KrbException: Identifier doesn't match expected value (906)”
– “error Message is Server not found in Kerberos database”
Trust on an untrusted network
[Diagram: the Client sends an RPC for “service” at svc1.hwx.com. Good DNS: Trusted Service, service/svc1.hwx.com@HORTONWORKS.COM. Bad DNS: Rogue Service, service/svc18.hwx.com@HORTONWORKS.COM.]
Without enforcement of DNS naming via SASL, a client could be maliciously sent to a rogue service without the client realizing it happened.
Harping on DNS
⬢ DNS must be correct, consistent, and secure
⬢ Hostnames are advertised for discovery
– Also benefits multi-homed networks
⬢ Forward and Reverse DNS mappings must be accurate on every node
– `nslookup regionserver1.hbase.hwx.com` returns 10.0.0.1
– `nslookup 10.0.0.1` returns regionserver1.hbase.hwx.com
⬢ Check /etc/resolv.conf for quick troubleshooting
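An added example (not from the talk) that automates the nslookup check above for a service principal: it extracts the instance from primary/instance@REALM, requires a fully-qualified name, and confirms forward and reverse DNS agree. With no arguments it runs against constructed records; the regionserver2 and rs2.internal entries are made up for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Added example: does a service principal's instance match forward and reverse DNS? */
public class PrincipalDnsCheck {

  /** Name resolution is abstracted so the check runs on constructed data or real DNS. */
  interface Resolver {
    List<String> forward(String host); // host name -> IP addresses (empty if none)
    String reverse(String ip);         // IP -> host name, or null if there is no mapping
  }

  /** Uses the JVM's resolver, i.e. the same view of DNS an HBase client on this node has. */
  static final class SystemResolver implements Resolver {
    public List<String> forward(String host) {
      List<String> ips = new ArrayList<>();
      try {
        for (InetAddress a : InetAddress.getAllByName(host)) ips.add(a.getHostAddress());
      } catch (UnknownHostException e) { /* no forward record: return the empty list */ }
      return ips;
    }
    public String reverse(String ip) {
      try {
        String name = InetAddress.getByName(ip).getCanonicalHostName();
        return name.equals(ip) ? null : name; // the JDK hands back the literal on failure
      } catch (UnknownHostException e) {
        return null;
      }
    }
  }

  /** Returns a list of problems; an empty list means the principal and DNS are consistent. */
  static List<String> check(String principal, Resolver dns) {
    List<String> problems = new ArrayList<>();
    int at = principal.lastIndexOf('@');
    int slash = principal.indexOf('/');
    if (at < 0) { problems.add("missing @REALM"); return problems; }
    if (slash < 0 || slash > at) { problems.add("no /instance component"); return problems; }
    String instance = principal.substring(slash + 1, at);
    if (!instance.contains(".")) problems.add("instance '" + instance + "' is not fully qualified");
    List<String> ips = dns.forward(instance);
    if (ips.isEmpty()) problems.add("no forward DNS record for " + instance);
    for (String ip : ips) {
      String back = dns.reverse(ip);
      if (back == null) problems.add("no reverse DNS record for " + ip);
      else if (!back.equalsIgnoreCase(instance))
        problems.add(ip + " reverses to " + back + ", expected " + instance);
    }
    return problems;
  }

  public static void main(String[] args) {
    if (args.length > 0) { // principals given on the command line: use real DNS
      for (String p : args) System.out.println(p + " -> " + check(p, new SystemResolver()));
      return;
    }
    // Constructed records: regionserver1 is consistent, regionserver2 has a bad PTR.
    final Map<String, List<String>> a = new HashMap<>();
    final Map<String, String> ptr = new HashMap<>();
    a.put("regionserver1.hbase.hwx.com", Arrays.asList("10.0.0.1"));
    ptr.put("10.0.0.1", "regionserver1.hbase.hwx.com");
    a.put("regionserver2.hbase.hwx.com", Arrays.asList("10.0.0.2"));
    ptr.put("10.0.0.2", "rs2.internal");
    Resolver constructed = new Resolver() {
      public List<String> forward(String host) {
        List<String> r = a.get(host);
        return r == null ? Collections.<String>emptyList() : r;
      }
      public String reverse(String ip) { return ptr.get(ip); }
    };
    String[] principals = {
      "hbase/regionserver1.hbase.hwx.com@HORTONWORKS.COM", // consistent
      "hbase/regionserver2.hbase.hwx.com@HORTONWORKS.COM", // reverse mismatch
      "hbase/regionserver1@HORTONWORKS.COM",               // short host name
      "elserj@HORTONWORKS.COM"                             // user principal, no instance
    };
    for (String p : principals) System.out.println(p + " -> " + check(p, constructed));
  }
}
```

Run it on every node, since each node may see a different resolver configuration.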
Recap: Kerberos authentication for HBase RPCs
⬢ Client and Server both obtain Kerberos ticket
– Password or Keytab via UGI/JAAS/Ticket-Cache
– Tickets must be renewed before they expire
⬢ SASL is the framework which HBase leverages for authenticated RPCs
– GSSAPI as the SASL mechanism which can “speak” Kerberos
– QoP defines the security of the RPC data (minimum of authentication)
⬢ Fully-qualified hostnames everywhere
– Forward and reverse DNS must be consistent across all clients and servers
The edge cases
⬢ Exceptions to how authentication works
– YARN jobs
– HBase REST and Thrift services
⬢ Not the traditional client/server model Kerberos was designed to fit
– 100s to 1000s of tasks concurrently requiring a ticket
– Talk to HBase as a user without having that user’s credentials
⬢ Two approaches introduced to address these problems
Delegation Tokens
⬢ As mentioned earlier, SASL supports a variety of mechanisms
– DIGEST-MD5 allows a digest-token style authentication scheme
⬢ Delegation token is a temporary “password” which can authenticate a user
– Slight compromise of security for performance
⬢ Circumvents authentication to the KDC; authentication is instead handled by HDFS or HBase
⬢ Automatically obtained during job submission and added to the job cache
– We must rely on YARN to do the right thing
If you thought Kerberos documentation for Hadoop/HBase was sparse…
Delegation Tokens
[Diagram: Client, KDC, HBase Master, YARN ResourceManager, YARN Containers, HBase RegionServers. Edge labels: Password/Keytab, Keytab, Obtain DT, Client Ticket and DT, YARN Ticket and DT, DT.]
Proxy Users
⬢ A proxy is some intermediate service that provides access to a backend service
– HBase Thrift and REST services
⬢ Each of these services has its own Kerberos principal and keytab used to communicate with HBase
⬢ These services are accessing HBase on behalf of another user.
– The ticket is for the service, but we want it to appear as if it is elserj@HORTONWORKS.COM
⬢ ProxyUsers refer to a set of configuration values in Hadoop (core-site.xml)
– hadoop.proxyuser.SERVICE.{hosts,groups,users}
⬢ Configuration-based approach to allow services to “pretend” to be a user without actually having that user’s credentials
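An added example (not from the talk) that evaluates hadoop.proxyuser.SERVICE.{hosts,users} values with Hadoop's own ProxyUsers policy class, comparing a wide-open setting with a scoped one. It needs only hadoop-common on the classpath and no KDC; the service short name "rest" and the IP addresses are hypothetical.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;

/** Added example: what a given hadoop.proxyuser.* policy lets a proxy service do. */
public class ProxyUserPolicyCheck {
  // Hypothetical short name of the proxy service's principal (the SERVICE in the key).
  static final String SERVICE = "rest";

  /** Builds the configuration that would normally live in core-site.xml. */
  static Configuration policy(String hosts, String users) {
    Configuration conf = new Configuration(false); // no default resources: only these keys
    conf.set("hadoop.proxyuser." + SERVICE + ".hosts", hosts);
    conf.set("hadoop.proxyuser." + SERVICE + ".users", users);
    return conf;
  }

  /**
   * True if SERVICE, connecting from proxyAddr, may act as endUser under conf.
   * This is the same check the backend applies to an impersonated request.
   */
  static boolean allowed(Configuration conf, String endUser, String proxyAddr) {
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
    UserGroupInformation real = UserGroupInformation.createRemoteUser(SERVICE);
    UserGroupInformation proxied = UserGroupInformation.createProxyUser(endUser, real);
    try {
      ProxyUsers.authorize(proxied, proxyAddr);
      return true;
    } catch (AuthorizationException e) {
      return false;
    }
  }

  public static void main(String[] args) {
    // Weak: any host presenting the service's credentials may act as any user,
    // including the hbase service identity itself.
    Configuration wideOpen = policy("*", "*");
    System.out.println("wide open, hbase from 10.0.0.99: "
        + allowed(wideOpen, "hbase", "10.0.0.99"));   // true

    // Scoped: only the known proxy host, and only the users it is meant to serve.
    Configuration scoped = policy("10.0.0.5", "elserj");
    System.out.println("scoped, elserj from 10.0.0.5:  "
        + allowed(scoped, "elserj", "10.0.0.5"));     // true
    System.out.println("scoped, hbase from 10.0.0.5:   "
        + allowed(scoped, "hbase", "10.0.0.5"));      // false: user not listed
    System.out.println("scoped, elserj from 10.0.0.99: "
        + allowed(scoped, "elserj", "10.0.0.99"));    // false: host not listed
  }
}
```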
Proxy Users
[Diagram: Client, KDC, Proxy Server, HBase. Edge labels: Password/Keytab, Keytab, Keytab, Client Ticket, Server Ticket (Client principal).]
Proxy Servers: HBase REST, HBase Thrift, Phoenix Query Server, etc
Kerberos authentication for HTTP-based services (SPNEGO)
⬢ The need to protect services using HTTP
– Don’t want to reuse SASL
⬢ Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) RFC-4178
– The Negotiate HTTP header
– Built into cURL (--negotiate), most Java-based HTTP libraries, and web-browsers
⬢ Web-browsers often need special configuration to properly authenticate.
– Firefox: network.negotiate-auth.delegation-uris, network.negotiate-auth.trusted-uris
– Chrome: --auth-server-whitelist="*.domain" --auth-negotiate-delegate-whitelist="*.domain"
Troubleshooting: Prerequisites
⬢ Ensure a recent version of your JVM and Hadoop
– Bugs exist in UserGroupInformation for certain JVMs (vendor+version)
⬢ Ensure that the unlimited strength Java Cryptographic Extensions (JCE) are installed on all nodes in the cluster
– And that clients/servers are using that JVM installation!
– Required for AES-256 encryption type on Kerberos keys (which you will likely get by default)
⬢ Ensure that you have DEBUG logging enabled for HBase services
– Potentially, org.apache.hadoop.hbase.ipc=DEBUG is sufficient
⬢ Set the sun.security.krb5.debug system property to true in your application
– Or sun.security.spnego.debug for debugging SPNEGO
Troubleshooting: Tips
⬢ Remember that DNS is the cornerstone
– When reading logs, make sure that you see the expected fully-qualified domain names
– Do not assume that DNS is correct: verify it.
⬢ Determine if an RPC issue is authentication or authorization
– If you see an HBase-level error, it is likely an authorization issue
– If you only see transport/connection-setup errors, it is likely an authentication issue
⬢ Remember that tickets expire
– Cross-reference ticket lifetimes with application logs
⬢ Read the logs. Actually read them.
– A vast majority of errors can be solved with appropriate logging and JVM debugging
Reference Material
⬢ “Hadoop and Kerberos: The Madness beyond the Gate”
– https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/index.html
⬢ Oracle documentation
– http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html
– https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
⬢ MIT Kerberos documentation
– http://web.mit.edu/kerberos/
⬢ “Explain like I’m 5: Kerberos” (great low-level Kerberos write-up)
– http://www.roguelynn.com/words/explain-like-im-5-kerberos/
⬢ KDiag: “Kerberos diagnostics for Hadoop”
– Apache Hadoop >=2.8 or https://github.com/steveloughran/kdiag
Developing with Kerberos
⬢ Apache Directory’s Kerby project
– Great for Kerberos authentication without Hadoop in the picture
– http://directory.apache.org/kerby/downloads.html
⬢ Apache Hadoop’s MiniKDC
– Built on top of Apache Directory
– https://github.com/apache/hadoop/blob/release-2.7.3-RC2/hadoop-common-project/hadoop-minikdc/src/main/java/org/apache/hadoop/minikdc/MiniKdc.java
⬢ Support in HDFS, YARN, and HBase MiniCluster classes too
No excuse to not write tests!
Apache Directory is a trademark of the Apache Software Foundation
Thanks!
Email: elserj@apache.org
Twitter: @josh_elser
3dom via https://www.flickr.com/photos/steve_l/6674480535/in/album-72157629289333057/, CC-BY-NC
Thanks to those who gave feedback along the way: Brandon Wilson, Bryan Bende,
Michael Stack, Randy Gelhausen, Steve Loughran.

hbaseconasia2019 HBase at Didi
 
hbaseconasia2019 The Practice in trillion-level Video Storage and billion-lev...
hbaseconasia2019 The Practice in trillion-level Video Storage and billion-lev...hbaseconasia2019 The Practice in trillion-level Video Storage and billion-lev...
hbaseconasia2019 The Practice in trillion-level Video Storage and billion-lev...
 
hbaseconasia2019 HBase at Tencent
hbaseconasia2019 HBase at Tencenthbaseconasia2019 HBase at Tencent
hbaseconasia2019 HBase at Tencent
 
hbaseconasia2019 Spatio temporal Data Management based on Ali-HBase Ganos and...
hbaseconasia2019 Spatio temporal Data Management based on Ali-HBase Ganos and...hbaseconasia2019 Spatio temporal Data Management based on Ali-HBase Ganos and...
hbaseconasia2019 Spatio temporal Data Management based on Ali-HBase Ganos and...
 
hbaseconasia2019 Bridging the Gap between Big Data System Software Stack and ...
hbaseconasia2019 Bridging the Gap between Big Data System Software Stack and ...hbaseconasia2019 Bridging the Gap between Big Data System Software Stack and ...
hbaseconasia2019 Bridging the Gap between Big Data System Software Stack and ...
 
hbaseconasia2019 Pharos as a Pluggable Secondary Index Component
hbaseconasia2019 Pharos as a Pluggable Secondary Index Componenthbaseconasia2019 Pharos as a Pluggable Secondary Index Component
hbaseconasia2019 Pharos as a Pluggable Secondary Index Component
 
hbaseconasia2019 Phoenix Improvements and Practices on Cloud HBase at Alibaba
hbaseconasia2019 Phoenix Improvements and Practices on Cloud HBase at Alibabahbaseconasia2019 Phoenix Improvements and Practices on Cloud HBase at Alibaba
hbaseconasia2019 Phoenix Improvements and Practices on Cloud HBase at Alibaba
 
hbaseconasia2019 OpenTSDB at Xiaomi
hbaseconasia2019 OpenTSDB at Xiaomihbaseconasia2019 OpenTSDB at Xiaomi
hbaseconasia2019 OpenTSDB at Xiaomi
 
hbaseconasia2019 BigData NoSQL System: ApsaraDB, HBase and Spark
hbaseconasia2019 BigData NoSQL System: ApsaraDB, HBase and Sparkhbaseconasia2019 BigData NoSQL System: ApsaraDB, HBase and Spark
hbaseconasia2019 BigData NoSQL System: ApsaraDB, HBase and Spark
 
hbaseconasia2019 Test-suite for Automating Data-consistency checks on HBase
hbaseconasia2019 Test-suite for Automating Data-consistency checks on HBasehbaseconasia2019 Test-suite for Automating Data-consistency checks on HBase
hbaseconasia2019 Test-suite for Automating Data-consistency checks on HBase
 
hbaseconasia2019 Distributed Bitmap Index Solution
hbaseconasia2019 Distributed Bitmap Index Solutionhbaseconasia2019 Distributed Bitmap Index Solution
hbaseconasia2019 Distributed Bitmap Index Solution
 
hbaseconasia2019 HBase Bucket Cache on Persistent Memory
hbaseconasia2019 HBase Bucket Cache on Persistent Memoryhbaseconasia2019 HBase Bucket Cache on Persistent Memory
hbaseconasia2019 HBase Bucket Cache on Persistent Memory
 
hbaseconasia2019 The Procedure v2 Implementation of WAL Splitting and ACL
hbaseconasia2019 The Procedure v2 Implementation of WAL Splitting and ACLhbaseconasia2019 The Procedure v2 Implementation of WAL Splitting and ACL
hbaseconasia2019 The Procedure v2 Implementation of WAL Splitting and ACL
 
hbaseconasia2019 BDS: A data synchronization platform for HBase
hbaseconasia2019 BDS: A data synchronization platform for HBasehbaseconasia2019 BDS: A data synchronization platform for HBase
hbaseconasia2019 BDS: A data synchronization platform for HBase
 
hbaseconasia2019 Further GC optimization for HBase 2.x: Reading HFileBlock in...
hbaseconasia2019 Further GC optimization for HBase 2.x: Reading HFileBlock in...hbaseconasia2019 Further GC optimization for HBase 2.x: Reading HFileBlock in...
hbaseconasia2019 Further GC optimization for HBase 2.x: Reading HFileBlock in...
 
hbaseconasia2019 HBCK2: Concepts, trends, and recipes for fixing issues in HB...
hbaseconasia2019 HBCK2: Concepts, trends, and recipes for fixing issues in HB...hbaseconasia2019 HBCK2: Concepts, trends, and recipes for fixing issues in HB...
hbaseconasia2019 HBCK2: Concepts, trends, and recipes for fixing issues in HB...
 
HBaseConAsia2019 Keynote
HBaseConAsia2019 KeynoteHBaseConAsia2019 Keynote
HBaseConAsia2019 Keynote
 

Dernier

APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 

Dernier (20)

APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 

HBaseConEast2016: Practical Kerberos with Apache HBase

  • 1. Practical Kerberos with Apache HBase. Josh Elser, HBaseCon East, 2016/09/26
  • 2. Engineer at Hortonworks, Member of the Apache Software Foundation
    Top-Level Projects
      • Apache Accumulo®
      • Apache Calcite™
      • Apache Commons™
      • Apache HBase®
      • Apache Phoenix™
    ASF Incubator
      • Apache Fluo™
      • Apache Gossip™
      • Apache Pirk™
      • Apache Rya™
      • Apache Slider™
    These names are trademarks or registered trademarks of the Apache Software Foundation.
  • 3. … but today we’re talking about Kerberos!
    - “The Madness beyond the Gate” [1]
    - An exploration in black magic and voodoo
    - The word most accompanied with expletives
    1: https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/kerberos_the_madness.html
  • 4. What this talk won’t be...
    Image credit: 3dom via https://www.flickr.com/photos/steve_l/6042206137/in/album-72157629289333057/, CC-BY-NC
  • 5. Introduction to Kerberos
    ⬢ “Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography” [1]
    ⬢ MIT Kerberos is one implementation
      – Heimdal is another
      – We’re talking about MIT Kerberos
    ⬢ Authentication over a computer network
      – Not authorization
      – No data privacy
    1: http://web.mit.edu/kerberos/
  • 6. Introduction to Kerberos
    ⬢ Key Distribution Center (KDC)
      – Centralized server which grants Kerberos “tickets”
      – The “trusted third party” of the security model
    ⬢ Users are defined by a “principal”
      – primary[/instance]@REALM
      – A human: elserj@HORTONWORKS.COM
      – A service: hbase/regionserver1.hbase.hwx.com@HORTONWORKS.COM
      – elserj@HORTONWORKS.COM is distinct from elserj/login.hbase.hwx.com@HORTONWORKS.COM
  • 7. Introduction to Kerberos
    ⬢ Principals are identified by a secret shared with the KDC
      – A normal password
      – A keytab file (non-plaintext “password”, suitable for non-interactive logins)
    ⬢ Kerberos Ticket obtained from the KDC by using your secret
      – Tickets expire
      – Tickets are renewable*
    [Diagram labels: Client, Server, KDC, Password/Keytab, Keytab, Authenticated RPC]
  • 8. Interacting with Kerberos
    ⬢ kadmin (or kadmin.local)
      – Command-line interface for administrators to create, modify, delete principals.
    ⬢ kinit
      – A command-line tool to obtain a ticket for a principal
      – Places the ticket in a file on disk in a well-known location called a “ticket cache”
        • Default location on Linux: /tmp/krb5cc_$(id -u `whoami`)
      – The ticket cache is read-write protected for the user only (e.g. chmod 600)
      – Can obtain a ticket for any principal using a password or keytab
      – Ticket caches can hold multiple tickets
    ⬢ klist
      – Lists the contents of the current user’s ticket cache
      – Can list the keys in a keytab file
  • 9. Benefits of Kerberos
    ⬢ Building a secure, network-based authentication system is very hard
    ⬢ Functions on non-trusted networks
      – Security for multi-tenant systems, protect against malicious and non-malicious users
    ⬢ Leveraged across the Apache Hadoop “Stack”
    ⬢ Widely integrated externally
      – Operating systems and programming languages
    ⬢ Can integrate with Active Directory
    Apache Hadoop is a registered trademark of the Apache Software Foundation
  • 10. Promises
    It’s simple, you just get your Kerberos ticket, use HBase and it knows who you are!
      [elserj@localhost] $ kinit elserj
      Password for elserj@HORTONWORKS.COM:
      [elserj@localhost] $ hbase com.hortonworks.hbase.MyMapReduceJob /user/elserj/my-big-data.txt
      …
      Success!
      [elserj@localhost] $
  • 11. Reality
      [elserj@localhost] $ kinit elserj
      Password for elserj@HORTONWORKS.COM:
      [elserj@localhost] $ hbase com.hortonworks.hbase.MyMapReduceJob /big-data.txt
      ...
      2016-09-26 14:03:11,549 FATAL [main] ipc.AbstractRpcClient (RpcClientImpl.java:run(709)) – SASL authentication failed. The most likely cause is missing or invalid credentials. Consider ‘kinit’.
      javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
      [elserj@localhost] $ (╯°□°)╯︵ ┻━┻
  • 12. Ok, let’s figure out what went wrong? What should I search for?
    RPC, SASL, GSSAPI, JGSS, UGI, JAAS, KDC, JCE, Token, Ticket, Voldemort, “Bars near me open now”, Cthulhu, Kerberos
  • 13. How JVM-based applications can obtain Kerberos tickets
    ⬢ Extract a ticket from the local ticket cache for a principal
      – hbase shell or hdfs dfs -ls /
    ⬢ UserGroupInformation Hadoop API (UGI)
      – UserGroupInformation.loginUserFromKeytab(String, String)
      – UserGroupInformation.loginUserFromKeytabAndReturnUGI(String, String)
    ⬢ javax.security.auth.Subject with Krb5LoginModule
      – The APIs which UserGroupInformation uses under the covers
    ⬢ Automatic login via JAAS
      – “Java Authentication and Authorization Service”, implementation of PAM (RFC 86.0)
      – Configuration file, specified via Java system properties.
      – Each “block” uses an identifier to denote login details for a specific system
  • 14. HBase Service Logins
    ⬢ HBase services are daemons; they always use a keytab to login
    ⬢ Principal and keytab are specified in hbase-site.xml for each service
    ⬢ A JAAS configuration file is also provided for Apache ZooKeeper client authentication
      – Necessary for authenticated ZooKeeper access (HBase-only ACLs)
    ⬢ HBase services automatically perform logins/renewals as necessary
      – Anyone who tells you that they need to “kinit for HBase to work” doesn’t know what they’re talking about.
    Apache ZooKeeper is a trademark of the Apache Software Foundation
  • 15. HBase Clients
    ⬢ HBase clients will use a variety of mechanisms for authentication
      – Interactive use: ticket-cache
      – Automated tasks/Daemons: UGI with keytab
    ⬢ Reminder: Kerberos tickets expire
      – Clients must implement renewal logic
      – UGI provides an API to do this
    ⬢ Typically, UGI is the way to go
      – Concise and well-understood
  • 16. On using UserGroupInformation correctly
    ⬢ We mentioned two different method calls earlier for logins
      – void loginUserFromKeytab(String, String)
      – UserGroupInformation loginUserFromKeytabAndReturnUGI(String, String)
    ⬢ loginUserFromKeytab is “global”
      – Syntactic-sugar to make your life easier
      – Works great when the application only acts as one user
    ⬢ loginUserFromKeytabAndReturnUGI is “localized”
      – Requires invoking “doAs(...)”
      – Allows for concurrent execution as different users in one JVM
  • 17. Enter SASL: authentication framework over a transport
    ⬢ SASL is a framework for building RPC systems with authentication
    ⬢ “Simple Authentication and Security Layer” RFC-4422
      – “A framework for authentication and data security in Internet protocols” [1]
      – “decouples authentication mechanisms from application protocols” [1]
        • Generic Security Services Application Program Interface (GSSAPI) speaks Kerberos
        • DIGEST-MD5 an HTTP Digest authentication-like method (delegation tokens)
      – Data security aka Quality of Protection (QoP)
        • auth: Authentication only (default)
        • auth-int: Previous, and integrity check of message content
        • auth-conf: Previous, and encryption of message content
    [1] https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
  • 18. Trust on an untrusted network
    ⬢ A Kerberos ticket implies a valid identity, not necessarily the identity you wanted
    ⬢ Kerberos relies on accurate/consistent DNS as the basis for a secure RPC model
      – Secure your DNS as much as your KDC
    ⬢ Recall the service principal from earlier
      – hbase/regionserver1.hbase.hwx.com@HORTONWORKS.COM
    ⬢ The instance must be a fully-qualified domain name
    ⬢ Clients need to know primary and instance must match DNS
      – “Caused by: KrbException: Identifier doesn't match expected value (906)”
      – “error Message is Server not found in Kerberos database”
  • 19. Trust on an untrusted network
    [Diagram labels: Client, Trusted Service, Good DNS, Rogue Service, Bad DNS, service/svc1.hwx.com@HORTONWORKS.COM, service/svc18.hwx.com@HORTONWORKS.COM, Sends RPC “service” at svc1.hwx.com]
    Without enforcement of DNS naming via SASL, a client could be maliciously sent to a rogue service without the client realizing it happened.
  • 20. Harping on DNS
    ⬢ DNS must be correct, consistent, and secure
    ⬢ Hostnames are advertised for discovery
      – Also benefits multi-homed networks
    ⬢ Forward and Reverse DNS mappings must be accurate on every node
      – `nslookup regionserver1.hbase.hwx.com` returns 10.0.0.1
      – `nslookup 10.0.0.1` returns regionserver1.hbase.hwx.com
    ⬢ Check /etc/resolv.conf for quick troubleshooting
  • 21. Recap: Kerberos authentication for HBase RPCs
    ⬢ Client and Server both obtain Kerberos ticket
      – Password or Keytab via UGI/JAAS/Ticket-Cache
      – Tickets must be renewed before they expire
    ⬢ SASL is the framework which HBase leverages for authenticated RPCs
      – GSSAPI as the SASL mechanism which can “speak” Kerberos
      – QoP defines the security of the RPC data (minimum of authentication)
    ⬢ Fully-qualified hostnames everywhere
      – Forward and reverse DNS must be consistent across all clients and servers
  • 22. The edge cases
    ⬢ Exceptions to how authentication works
      – YARN jobs
      – HBase REST and Thrift services
    ⬢ Not the traditional client/server model Kerberos was designed to fit
      – 100-1000’s of tasks concurrently requiring a ticket
      – Talk to HBase as a user without having that user’s credentials
    ⬢ Two approaches introduced to address these problems
  • 23. Delegation Tokens
    ⬢ Earlier mentioned, SASL supports a variety of mechanisms
      – DIGEST-MD5 allows a digest-token style authentication scheme
    ⬢ Delegation token is a temporary “password” which can authenticate a user
      – Slight compromise of security for performance
    ⬢ Circumvents authentication to the KDC, instead handled by HDFS or HBase
    ⬢ Automatically obtained during job submission and added to the job cache
      – We must rely on YARN to do the right thing
    If you thought Kerberos documentation for Hadoop/HBase was sparse…
  • 24. Delegation Tokens
    [Diagram labels: Client, HBase Master, KDC, Password/Keytab, Keytab, Obtain DT, YARN Containers, HBase RegionServers, YARN ResourceManager, Client Ticket and DT, YARN Ticket and DT, DT]
  • 25. Proxy Users
    ⬢ A proxy is some intermediate service that provides access to a backend service
      – HBase Thrift and REST services
    ⬢ Each of these services has its own Kerberos principal and keytab used to communicate with HBase
    ⬢ These services are accessing HBase on behalf of another user.
      – The ticket is for the service, but we want it to appear as if it is elserj@HORTONWORKS.COM
    ⬢ ProxyUsers refer to a set of configuration values in Hadoop (core-site.xml)
      – hadoop.proxyuser.SERVICE.{hosts,groups,users}
    ⬢ Configuration-based approach to allow services to “pretend” to be a user without actually having that user’s credentials
  • 26. Proxy Users
    [Diagram labels: Client, KDC, Password/Keytab, HBase, Proxy Server, Client Ticket, Server Ticket (Client principal), Keytab, Keytab]
    Proxy Servers: HBase REST, HBase Thrift, Phoenix Query Server, etc
  • 27. Kerberos authentication for HTTP-based services (SPNEGO)
    ⬢ The need to protect services using HTTP
      – Don’t want to reuse SASL
    ⬢ Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) RFC-4178
      – The Negotiate HTTP header
      – Built into cURL (--negotiate), most Java-based HTTP libraries, and web-browsers
    ⬢ Web-browsers often need special configuration to properly authenticate.
      – Firefox: network.negotiate-auth.delegation-uris, network.negotiate-auth.trusted-uris
      – Chrome: --auth-server-whitelist="*.domain" --auth-negotiate-delegate-whitelist="*.domain"
  • 28. Troubleshooting: Prerequisites
    ⬢ Ensure a recent version of your JVM and Hadoop
      – Bugs exist in UserGroupInformation for certain JVMs (vendor+version)
    ⬢ Ensure that the unlimited strength Java Cryptographic Extensions (JCE) are installed on all nodes in the cluster
      – And that clients/servers are using that JVM installation!
      – Required for AES-256 encryption type on Kerberos keys (which you will likely get by default)
    ⬢ Ensure that you have DEBUG logging enabled for HBase services
      – Potentially, org.apache.hadoop.hbase.ipc=DEBUG is sufficient
    ⬢ Set the sun.security.krb5.debug system property to true in your application
      – Or sun.security.spnego.debug for debugging SPNEGO
  • 29. Troubleshooting: Tips
    ⬢ Remember that DNS is the cornerstone
      – When reading logs, make sure that you see the expected fully-qualified domain names
      – Do not assume that DNS is correct: verify it.
    ⬢ Determine if an RPC issue is authentication or authorization
      – If you see an HBase-level error, it is likely an authorization issue
      – If you only see transport/connection-setup errors, it is likely an authentication issue
    ⬢ Remember that tickets expire
      – Cross-reference ticket lifetimes with application logs
    ⬢ Read the logs. Actually read them.
      – A vast majority of errors can be solved with appropriate logging and JVM debugging
  • 30. Reference Material
    ⬢ “Hadoop and Kerberos: The Madness beyond the Gate”
      – https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/index.html
    ⬢ Oracle documentation
      – http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html
      – https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
    ⬢ MIT Kerberos documentation
      – http://web.mit.edu/kerberos/
    ⬢ “Explain like I’m 5: Kerberos” (great low-level Kerberos write-up)
      – http://www.roguelynn.com/words/explain-like-im-5-kerberos/
    ⬢ KDiag: “Kerberos diagnostics for Hadoop”
      – Apache Hadoop >=2.8 or https://github.com/steveloughran/kdiag
  • 31. Developing with Kerberos
    ⬢ Apache Directory’s Kerby project
      – Great for Kerberos authentication without Hadoop in the picture
      – http://directory.apache.org/kerby/downloads.html
    ⬢ Apache Hadoop’s MiniKDC
      – Built on top of Apache Directory
      – https://github.com/apache/hadoop/blob/release-2.7.3-RC2/hadoop-common-project/hadoop-minikdc/src/main/java/org/apache/hadoop/minikdc/MiniKdc.java
    ⬢ Support in HDFS, YARN, and HBase MiniCluster classes too
    No excuse to not write tests!
    Apache Directory is a trademark of the Apache Software Foundation
  • 32. Thanks!
    Email: elserj@apache.org
    Twitter: @josh_elser
    Image credit: 3dom via https://www.flickr.com/photos/steve_l/6674480535/in/album-72157629289333057/, CC-BY-NC
    Thanks to those who gave feedback along the way: Brandon Wilson, Bryan Bende, Michael Stack, Randy Gelhausen, Steve Loughran.
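
Slides 18 to 20 require the instance of a service principal to be a fully-qualified name whose forward and reverse DNS agree. The following is an added example, not code from the talk or from HBase, that automates that check; the function names, the dict-backed resolver and the regionserver2/rs2 records are assumptions constructed for illustration.

```python
"""Check that a Kerberos service principal's instance agrees with DNS."""
import re
import socket
from typing import Callable, Dict, List, NamedTuple, Optional


class Principal(NamedTuple):
    primary: str
    instance: Optional[str]
    realm: str


# primary[/instance]@REALM, the form given on slide 6
_PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$")


def parse_principal(text: str) -> Principal:
    m = _PRINCIPAL_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a primary[/instance]@REALM principal: {text!r}")
    return Principal(m["primary"], m["instance"], m["realm"])


def system_forward(host: str) -> List[str]:
    """Forward lookup with the OS resolver (IPv4 addresses only)."""
    return socket.gethostbyname_ex(host)[2]


def system_reverse(addr: str) -> str:
    """Reverse lookup with the OS resolver."""
    return socket.gethostbyaddr(addr)[0]


def table_resolver(table: Dict) -> Callable:
    """Resolver backed by a dict, so the check can be exercised offline."""
    def lookup(key):
        if key not in table:
            raise OSError(f"no record for {key}")
        return table[key]
    return lookup


def _norm(host: str) -> str:
    return host.rstrip(".").lower()


def check_service_principal(text: str,
                            forward: Callable = system_forward,
                            reverse: Callable = system_reverse) -> List[str]:
    """Return a list of findings; an empty list means name and DNS agree."""
    principal = parse_principal(text)
    if principal.instance is None:
        return [f"{text}: no instance, not a host-based service principal"]
    findings = []
    host = _norm(principal.instance)
    if "." not in host:
        findings.append(f"{host}: instance is not a fully-qualified domain name")
    try:
        addrs = forward(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        findings.append(f"{host}: forward lookup failed ({exc})")
        return findings
    if not addrs:
        findings.append(f"{host}: forward lookup returned no addresses")
    for addr in addrs:
        try:
            back = _norm(reverse(addr))
        except OSError as exc:  # socket.herror is a subclass of OSError
            findings.append(f"{addr}: reverse lookup failed ({exc})")
            continue
        if back != host:
            findings.append(f"{host} -> {addr} -> {back}: "
                            "reverse DNS does not match the principal's instance")
    return findings


# Constructed records. The regionserver1 pair is the one shown on slide 20;
# regionserver2 and rs2 are invented to show an inconsistent reverse mapping.
FORWARD = {"regionserver1.hbase.hwx.com": ["10.0.0.1"],
           "regionserver2.hbase.hwx.com": ["10.0.0.2"]}
REVERSE = {"10.0.0.1": "regionserver1.hbase.hwx.com",
           "10.0.0.2": "rs2.hbase.hwx.com"}

if __name__ == "__main__":
    fwd, rev = table_resolver(FORWARD), table_resolver(REVERSE)
    for name in ("hbase/regionserver1.hbase.hwx.com@HORTONWORKS.COM",
                 "hbase/regionserver2.hbase.hwx.com@HORTONWORKS.COM",
                 "hbase/regionserver1@HORTONWORKS.COM"):
        print(name, check_service_principal(name, fwd, rev) or "consistent")
```

Called without the resolver arguments, `check_service_principal` uses the operating system resolver, so it should be run on every client and server node.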
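
Slide 29 advises separating authentication failures from authorization failures and cross-referencing ticket lifetimes with application logs. The following is an added example, not code from the talk, that does both over a log excerpt; the first log event is adapted from slide 11, while the other two events, the ticket expiry time and the hint texts are constructed, and AccessDeniedException is used here as the HBase-level authorization error.

```python
"""Triage HBase client log events: authentication or authorization?"""
import re
from datetime import datetime
from typing import Iterable, List, NamedTuple, Tuple


class Finding(NamedTuple):
    when: datetime
    category: str
    hint: str
    after_tgt_expiry: bool


# (needle, category, hint); the most specific needles come first.
RULES = [
    ("Failed to find any Kerberos tgt", "authentication",
     "no TGT available: check the ticket cache or keytab login and renewal"),
    ("expected value (906)", "authentication",
     "principal and hostname disagree: verify forward and reverse DNS"),
    ("Server not found in Kerberos database", "authentication",
     "service principal unknown to the KDC: verify the FQDN and DNS"),
    ("GSS initiate failed", "authentication",
     "GSSAPI negotiation failed: enable sun.security.krb5.debug"),
    ("SASL authentication failed", "authentication",
     "SASL handshake failed: enable sun.security.krb5.debug"),
    ("AccessDeniedException", "authorization",
     "HBase-level error: the user authenticated but lacks permissions"),
]

_TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ")


def group_events(lines: Iterable[str]) -> List[Tuple[datetime, str]]:
    """Join continuation lines (stack traces) onto the timestamped line."""
    events: List[list] = []
    for line in lines:
        m = _TIMESTAMP.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            events.append([when, line])
        elif events:
            events[-1][1] += "\n" + line
    return [(when, text) for when, text in events]


def triage(lines: Iterable[str], tgt_expires: datetime) -> List[Finding]:
    """Classify each failing event and flag those after the TGT expired."""
    findings = []
    for when, text in group_events(lines):
        for needle, category, hint in RULES:
            if needle in text:
                findings.append(
                    Finding(when, category, hint, when > tgt_expires))
                break
    return findings


# Constructed sample: the 14:03 event is adapted from slide 11, the other
# two events and the expiry time are invented for illustration.
TGT_EXPIRES = datetime(2016, 9, 26, 14, 0, 0)
SAMPLE_LOG = """\
2016-09-26 13:10:00,120 ERROR [main] client.Example - org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions
2016-09-26 14:03:11,549 FATAL [main] ipc.AbstractRpcClient (RpcClientImpl.java:run(709)) - SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
2016-09-26 14:05:42,001 WARN [main] client.Example - error Message is Server not found in Kerberos database
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines(), TGT_EXPIRES):
        flag = " (after TGT expiry)" if f.after_tgt_expiry else ""
        print(f"{f.when} {f.category}{flag}: {f.hint}")
```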