Whether "pinpoint" supports kerberos setting

Open hsohans opened this issue 4 years ago • 11 comments

Hi, I have a question.

For security reasons, I want to configure kerberos on Hbase or Hadoop.

"We don't support setting kerberos in 2018." Is it the same now?

The link I checked is "https://github.com/pinpoint-apm/pinpoint/issues/3737".

Please answer my question.

hsohans avatar Apr 29 '21 00:04 hsohans

Hello @hsohans

Kerberos can be configured in Pinpoint.

Inherit the HbaseSecurityInterceptor interface and implement the code for Kerberos access. The implemented class must be registered as a bean object.

The process method of the HbaseSecurityInterceptor class is called when establishing a connection with hbase.

  • https://github.com/pinpoint-apm/pinpoint/blob/379d312447eddd57439e50350fe01652aec3898b/commons-hbase/src/main/java/com/navercorp/pinpoint/common/hbase/ConnectionFactoryBean.java#L71

There is a sample code link.

minwoo-jung avatar Apr 29 '21 03:04 minwoo-jung

@minwoo-jung

Thank you for telling me.

I'll apply it after checking that part.

hsohans avatar Apr 29 '21 05:04 hsohans

@minwoo-jung How about upgrading the hbase-shaded-client version? Since HBase >= 2.2.0, the hbase client supports client login via keytab. Pinpoint already uses ConnectionFactory.createConnection. However, it uses hbase-shaded-client 1.7.2. If it used hbase-shaded-client >= 2.2.0, I think Pinpoint users could also access a kerberized HBase cluster with the following configurations.

<property>
  <name>hbase.security.authentication</name>
  <value>kerberos</value>
</property>

<property>
  <name>hbase.client.keytab.file</name>
  <value>/local/path/to/client/keytab</value>
</property>

<property>
  <name>hbase.client.keytab.principal</name>
  <value>[email protected]</value>
</property>

  • https://issues.apache.org/jira/browse/HBASE-20886
  • https://github.com/apache/hbase/blob/e14b60a5390390369198bedad250c956ca61bd07/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionFactory.java#L52-L59

eubnara avatar May 24 '23 20:05 eubnara

@eubnara Hi, I will check your comment.

minwoo-jung avatar May 26 '23 06:05 minwoo-jung

@eubnara From what you said, it looks like you only need to upgrade the hbase version. We already provide a hbase2-module using hbase-client version 2.4.11. I think you can use this module. What do you think?

minwoo-jung avatar May 26 '23 06:05 minwoo-jung

@eubnara In addition, we will end support for hbase 1.X soon. So, in the future, only the hbase 2.X version will be officially supported, and the hbase client version will also be set to use the 2.X version by default.

minwoo-jung avatar May 26 '23 06:05 minwoo-jung

Thanks for the reply! I'll try to use the hbase2 module first to access kerberized hbase.

eubnara avatar May 26 '23 06:05 eubnara

My teammate has succeeded in connecting to kerberized hbase with hbase-site.xml added to the classpath, with configurations as follows (according to the hbase guide: https://hbase.apache.org/book.html#_client_side_configuration_for_secure_operation):

hbase.client.keytab.file
hbase.client.keytab.principal

eubnara avatar Jun 10 '23 14:06 eubnara
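
A preflight check for the client-side hbase-site.xml settings discussed in this thread, as an added example (not code from Pinpoint, HBase or any commenter). The function names, the sample path and the sample principal are constructed, and the permission check assumes a POSIX file system.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Property names are the ones quoted in this thread.
AUTH = "hbase.security.authentication"
KEYTAB = "hbase.client.keytab.file"
PRINCIPAL = "hbase.client.keytab.principal"

def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <property> elements."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_client_kerberos(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if props.get(AUTH, "").lower() != "kerberos":
        findings.append(f"{AUTH} is not set to kerberos")
    for key in (KEYTAB, PRINCIPAL):
        if not props.get(key):
            findings.append(f"{key} is missing or empty")
    keytab = props.get(KEYTAB)
    if keytab:
        try:
            mode = os.stat(keytab).st_mode
        except OSError:
            findings.append(f"keytab {keytab} cannot be accessed")
        else:
            if not stat.S_ISREG(mode):
                findings.append(f"keytab {keytab} is not a regular file")
            elif mode & 0o077:
                # A keytab holds long-term keys, so treat it like a password file.
                findings.append(f"keytab {keytab} is open to group/others "
                                f"(mode {mode & 0o777:o})")
    return findings

# Constructed sample: the path and principal are placeholders, not real values.
SAMPLE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.client.keytab.file</name><value>/tmp/example.keytab</value></property>
  <property><name>hbase.client.keytab.principal</name><value>client@EXAMPLE.COM</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in check_client_kerberos(load_properties(SAMPLE)) or ["OK"]:
        print(finding)
```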

@eubnara Thanks for sharing your results. It will be very helpful for users.

minwoo-jung avatar Jun 12 '23 01:06 minwoo-jung

I have one suggestion. How about upgrading hbase2.client.version to >= 2.5.0 to support hbase.unsafe.client.kerberos.hostname.disable.reversedns? (https://issues.apache.org/jira/browse/HBASE-25665) In a k8s cluster environment, it is necessary to disable reverse DNS lookup in some cases.

eubnara avatar Jul 04 '23 14:07 eubnara

@eubnara That's good info. We will upgrade the version to hbase client 2.5.x.

emeroad avatar Jul 05 '23 01:07 emeroad