将SPNEGO用于Web UI的Kerberos身份验证
通过使用 hbase-site.xml 中的 hbase.security.authentication.ui 属性配置 SPNEGO,可以启用对 HBase Web UI 的 Kerberos 身份验证(Kerberos-authentication)。启用此身份验证要求 HBase 也配置为对 RPC 使用 Kerberos 身份验证(例如,hbase.security.authentication
= kerberos
)。
<property>
<name>hbase.security.authentication.ui</name>
<value>kerberos</value>
<description>Controls what kind of authentication should be used for the HBase web UIs.</description>
</property>
<property>
<name>hbase.security.authentication</name>
<value>kerberos</value>
<description>The Kerberos keytab file to use for SPNEGO authentication by the web server.</description>
</property>
存在许多用于为 Web 服务器配置 SPNEGO 身份验证的属性:
<property>
<name>hbase.security.authentication.spnego.kerberos.principal</name>
<value>HTTP/_HOST@EXAMPLE.COM</value>
<description>Required for SPNEGO, the Kerberos principal to use for SPNEGO authentication by the
web server. The _HOST keyword will be automatically substituted with the node's
hostname.</description>
</property>
<property>
<name>hbase.security.authentication.spnego.kerberos.keytab</name>
<value>/etc/security/keytabs/spnego.service.keytab</value>
<description>Required for SPNEGO, the Kerberos keytab file to use for SPNEGO authentication by the
web server.</description>
</property>
<property>
<name>hbase.security.authentication.spnego.kerberos.name.rules</name>
<value></value>
`<description>`Optional, Hadoop-style auth_to_local rules which will be parsed and used in the
handling of Kerberos principals</description>
</property>
<property>
<name>hbase.security.authentication.signature.secret.file</name>
<value></value>
<description>Optional, a file whose contents will be used as a secret to sign the HTTP cookies
as a part of the SPNEGO authentication handshake. If this is not provided, Java's Random library
will be used for the secret.</description>
</property>