Using Advanced Kerberos Authentication

If your HBase deployment supports Kerberos authentication through the REST API, then the Simba HBase ODBC Driver can authenticate the connection using Kerberos.

Advanced Kerberos authentication allows concurrent connections within the same process to use different Kerberos user principals. To handle multiple REST API connections with different principals, the connector creates cookie files to store Kerberos tickets for each ongoing connection session. The connector automatically removes the cookie files when the connection session is finished.

When you use Advanced Kerberos authentication, the connector generates the Kerberos credentials automatically based on the user name property (UID) defined for the connection. You do not need to run the kinit command to obtain a Kerberos ticket. Instead, you use a JSON file to map your HBase user name to a Kerberos user principal name and a keytab that contains the corresponding keys. The connector obtains Kerberos tickets based on the specified mapping. As a fallback, you can specify a keytab that the connector uses by default if the mapping file is not available or if no matching keytab can be found in the mapping file.

Note:

  • For information about the schema of the mapping file and how the connector handles invalid mappings, see UserMappingFile.
  • For information about how the connector searches for a keytab file if the keytab mapping and default keytab file are invalid, see DefaultKeytabFile.

To configure Advanced Kerberos authentication:

  1. To map the HBase user name to a principal and keytab file, write a JSON file using the same format as the following example, which maps the user name "simba" with the principal "simba@EXAMPLE.COM" and the keytab file "/tmp/simba.keytab":

    2. {

    "simba": {

    "principal" : "simba@EXAMPLE.COM",

    "keytabfile": "/tmp/simba.keytab"

    },

    ...

    }

  2. In your .odbc.ini file or connection string, set the AUTHTYPE property to 3.
  3. Set the UID property to an appropriate user name for accessing the HBase server.
  4. Set the UserMappingFile property to the full path of the JSON-formatted mapping file.
  5. Set the DefaultKeytabFile property to the full path of a keytab file that the connector can use if the mapping file is not available or if no matching keytab can be found in the mapping file.

You can now use the connector to authenticate through Kerberos and connect to your HBase database.

Related topics