You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hbase.apache.org by okoza <ok...@goodgamestudios.com> on 2015/06/04 15:09:58 UTC
Brief Explanation of HBase Connection/Security ansd help with java
connection to remote Hbase
Hey Guys, I'm new to HBase and trying to connect to it via Java Code. Now for
a lot of hours I've been reading and trying stuff, but I can't seem to wrap
my head around it.
So maybe somebody could give me a short explanation of
-How I can connect to HBase
-How I can authenticate to HBase (Keywords SASL and Kerberos, are there
other methods?)
(both in a Java context).
I can access HBase via console with an ssh and user/pw combination, how do i
model that in Java?
My code at the moment is:
Configuration conf = new Configuration();
System.out.println("yoooo parentnode: " +
conf.get("zookeeper.znode.parent"));
conf.set("hbase.zookeeper.quorum", ZOOKEEPER_QUORUM);
conf.set("hbase.zookeeper.property.clientPort",
CLIENT_PORT_ZOOKEEPER);
Configuration hc = HBaseConfiguration.create(conf);
HTableDescriptor ht = new HTableDescriptor("User");
ht.addFamily(new HColumnDescriptor("Id"));
ht.addFamily(new HColumnDescriptor("Name"));
System.out.println("connecting");
HBaseAdmin hba = new HBaseAdmin(hc);
System.out.println("Creating Table");
// hba.createTable(ht);
System.out.println("Done......");
Which leads me to this exception: 14:32:24,033 WARN
[org.apache.zookeeper.client.ZooKeeperSaslClient] (default
task-27-SendThread(10.0.7.37:5181)) Could not login: the client is being
asked for a password, but the Zookeeper client code does not currently
support obtaining a password from the user. Make sure that the client is
configured to use a ticket cache (using the JAAS configuration setting
'useTicketCache=true)' and restart the client. If you still get this message
after that, the TGT in the ticket cache has expired and must be manually
refreshed. To do so, first determine if you are using a password or a
keytab. If the former, run kinit in a Unix shell in the environment of the
user who is running this Zookeeper client using the command 'kinit <princ>'
(where <princ> is the name of the client's Kerberos principal). If the
latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the
Kerberos principal, and <keytab> is the location of the keytab file). After
manually refreshing your cache, restart this client. If you continue to see
this message after manually refreshing your cache, ensure that your KDC
host's clock is in sync with this host's clock.
Am I on the right path or completely off? I know there are lots of posts
about that on here and StackOverflow etc. but I can't seem to figure it out.
Thanksss for any help!!!
--
View this message in context: http://apache-hbase.679495.n3.nabble.com/Brief-Explanation-of-HBase-Connection-Security-ansd-help-with-java-connection-to-remote-Hbase-tp4072116.html
Sent from the HBase Developer mailing list archive at Nabble.com.
Re: Brief Explanation of HBase Connection/Security ansd help with
java connection to remote Hbase
Posted by okoza <ok...@goodgamestudios.com>.
Thanks for the reply! I am now trying to create a jaas.conf in my HBase
client, but I'm not sure which module to use, because the examples i found
are usually for Kerberos and we don't have that set up. On server side login
is validated against LDAP, so basically I just want to pass username +
password to the server and have it telling me wether I am granted access or
not.
I found this example:
http://wso2.com/library/tutorials/2014/05/enabling-sasl-authentication-between-wso2-message-broker-and-zookeeper-cluster/
which is close to what I need in my opinion, but I have to declare users and
passwords on the server configuration, which is wrong I think, beacuse I
want LDAP to do the validation.
Here are the modules provided by Java, can I use one of those?
https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/package-summary.html
Regards
Ole
--
View this message in context: http://apache-hbase.679495.n3.nabble.com/Brief-Explanation-of-HBase-Connection-Security-ansd-help-with-java-connection-to-remote-Hbase-tp4072116p4072188.html
Sent from the HBase Developer mailing list archive at Nabble.com.
Re: Brief Explanation of HBase Connection/Security ansd help with
java connection to remote Hbase
Posted by Eugene Koontz <ek...@hiro-tan.org>.
Hi Okoza,
From the error message, it looks like Zookeeper is configured to
SASL-authenticate the clients. You need to set up your HBase client
configuration so that will connect to Zookeeper using SASL. Usually
these files are kept in /etc/hbase/conf. After editing these files, the
Configuration object in your code will hopefully have the correct
contents with respect to Zookeeper authentication.
Have a look at:
http://hbase.apache.org/0.94/book/zk.sasl.auth.html
https://ambari.apache.org/1.2.5/installing-hadoop-using-ambari/content/ambari-kerb-2-3-2-2.html
http://www.cloudera.com/content/cloudera/en/documentation/cdh4/v4-3-2/CDH4-Security-Guide/cdh4sg_topic_8_2.html
-Eugene
On 04/06/15 06:09 AM, okoza wrote:
> Hey Guys, I'm new to HBase and trying to connect to it via Java Code. Now for
> a lot of hours I've been reading and trying stuff, but I can't seem to wrap
> my head around it.
> So maybe somebody could give me a short explanation of
> -How I can connect to HBase
> -How I can authenticate to HBase (Keywords SASL and Kerberos, are there
> other methods?)
> (both in a Java context).
>
> I can access HBase via console with an ssh and user/pw combination, how do i
> model that in Java?
> My code at the moment is:
>
> Configuration conf = new Configuration();
> System.out.println("yoooo parentnode: " +
> conf.get("zookeeper.znode.parent"));
> conf.set("hbase.zookeeper.quorum", ZOOKEEPER_QUORUM);
> conf.set("hbase.zookeeper.property.clientPort",
> CLIENT_PORT_ZOOKEEPER);
>
> Configuration hc = HBaseConfiguration.create(conf);
>
> HTableDescriptor ht = new HTableDescriptor("User");
>
> ht.addFamily(new HColumnDescriptor("Id"));
>
> ht.addFamily(new HColumnDescriptor("Name"));
>
> System.out.println("connecting");
>
> HBaseAdmin hba = new HBaseAdmin(hc);
>
> System.out.println("Creating Table");
>
> // hba.createTable(ht);
>
> System.out.println("Done......");
>
>
> Which leads me to this exception: 14:32:24,033 WARN
> [org.apache.zookeeper.client.ZooKeeperSaslClient] (default
> task-27-SendThread(10.0.7.37:5181)) Could not login: the client is being
> asked for a password, but the Zookeeper client code does not currently
> support obtaining a password from the user. Make sure that the client is
> configured to use a ticket cache (using the JAAS configuration setting
> 'useTicketCache=true)' and restart the client. If you still get this message
> after that, the TGT in the ticket cache has expired and must be manually
> refreshed. To do so, first determine if you are using a password or a
> keytab. If the former, run kinit in a Unix shell in the environment of the
> user who is running this Zookeeper client using the command 'kinit <princ>'
> (where <princ> is the name of the client's Kerberos principal). If the
> latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the
> Kerberos principal, and <keytab> is the location of the keytab file). After
> manually refreshing your cache, restart this client. If you continue to see
> this message after manually refreshing your cache, ensure that your KDC
> host's clock is in sync with this host's clock.
>
> Am I on the right path or completely off? I know there are lots of posts
> about that on here and StackOverflow etc. but I can't seem to figure it out.
> Thanksss for any help!!!
>
>
>
> --
> View this message in context: http://apache-hbase.679495.n3.nabble.com/Brief-Explanation-of-HBase-Connection-Security-ansd-help-with-java-connection-to-remote-Hbase-tp4072116.html
> Sent from the HBase Developer mailing list archive at Nabble.com.
Re: Brief Explanation of HBase Connection/Security ansd help with
java connection to remote Hbase
Posted by okoza <ok...@goodgamestudios.com>.
Actually we're not using HBase, but MapR with underlying MapR-DB. I figured
since I still have to use the HBase Java API the connection would be the
same, which is not the case since MapR uses their own security system. So
now I am trying to figure out how to do it via JAAS or JPAM (since we're not
using Kerberos), not entirely sure yet. But this doesn't really belong in
this forum I think (except somebody could provide me with an example ;)
So sorry for the inconvenience!
--
View this message in context: http://apache-hbase.679495.n3.nabble.com/Brief-Explanation-of-HBase-Connection-Security-ansd-help-with-java-connection-to-remote-Hbase-tp4072116p4072142.html
Sent from the HBase Developer mailing list archive at Nabble.com.
Re: Brief Explanation of HBase Connection/Security ansd help with
java connection to remote Hbase
Posted by Ted Yu <yu...@gmail.com>.
I assume you have read
http://hbase.apache.org/book.html#_client_side_configuration_for_secure_operation
http://hbase.apache.org/book.html#hbase.secure.simpleconfiguration
Do you run external zookeeper quorum ? See:
http://hbase.apache.org/book.html#_external_zookeeper_configuration
Which hbase release are you using ?
Cheers
On Thu, Jun 4, 2015 at 6:09 AM, okoza <ok...@goodgamestudios.com>
wrote:
> Hey Guys, I'm new to HBase and trying to connect to it via Java Code. Now
> for
> a lot of hours I've been reading and trying stuff, but I can't seem to wrap
> my head around it.
> So maybe somebody could give me a short explanation of
> -How I can connect to HBase
> -How I can authenticate to HBase (Keywords SASL and Kerberos, are there
> other methods?)
> (both in a Java context).
>
> I can access HBase via console with an ssh and user/pw combination, how do
> i
> model that in Java?
> My code at the moment is:
>
> Configuration conf = new Configuration();
> System.out.println("yoooo parentnode: " +
> conf.get("zookeeper.znode.parent"));
> conf.set("hbase.zookeeper.quorum", ZOOKEEPER_QUORUM);
> conf.set("hbase.zookeeper.property.clientPort",
> CLIENT_PORT_ZOOKEEPER);
>
> Configuration hc = HBaseConfiguration.create(conf);
>
> HTableDescriptor ht = new HTableDescriptor("User");
>
> ht.addFamily(new HColumnDescriptor("Id"));
>
> ht.addFamily(new HColumnDescriptor("Name"));
>
> System.out.println("connecting");
>
> HBaseAdmin hba = new HBaseAdmin(hc);
>
> System.out.println("Creating Table");
>
> // hba.createTable(ht);
>
> System.out.println("Done......");
>
>
> Which leads me to this exception: 14:32:24,033 WARN
> [org.apache.zookeeper.client.ZooKeeperSaslClient] (default
> task-27-SendThread(10.0.7.37:5181)) Could not login: the client is being
> asked for a password, but the Zookeeper client code does not currently
> support obtaining a password from the user. Make sure that the client is
> configured to use a ticket cache (using the JAAS configuration setting
> 'useTicketCache=true)' and restart the client. If you still get this
> message
> after that, the TGT in the ticket cache has expired and must be manually
> refreshed. To do so, first determine if you are using a password or a
> keytab. If the former, run kinit in a Unix shell in the environment of the
> user who is running this Zookeeper client using the command 'kinit <princ>'
> (where <princ> is the name of the client's Kerberos principal). If the
> latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the
> Kerberos principal, and <keytab> is the location of the keytab file). After
> manually refreshing your cache, restart this client. If you continue to see
> this message after manually refreshing your cache, ensure that your KDC
> host's clock is in sync with this host's clock.
>
> Am I on the right path or completely off? I know there are lots of posts
> about that on here and StackOverflow etc. but I can't seem to figure it
> out.
> Thanksss for any help!!!
>
>
>
> --
> View this message in context:
> http://apache-hbase.679495.n3.nabble.com/Brief-Explanation-of-HBase-Connection-Security-ansd-help-with-java-connection-to-remote-Hbase-tp4072116.html
> Sent from the HBase Developer mailing list archive at Nabble.com.
>