ss77892 commented on code in PR #4717:
URL: https://github.com/apache/hbase/pull/4717#discussion_r951768699


##########
src/main/asciidoc/_chapters/security.adoc:
##########
@@ -675,6 +675,228 @@ For more information about ACLs, please see the 
<<hbase.accesscontrol.configurat
 It should be possible for clients to authenticate with the HBase cluster 
through the REST gateway in a pass-through manner via SPNEGO HTTP 
authentication.
 This is future work.
 
+== Transport Level Security (TLS) in HBase RPC communication
+
+Since version `2.6.0` HBase supports TLS encryption in server-client and 
Master-RegionServer communication.
+link:https://en.wikipedia.org/wiki/Transport_Layer_Security/[Transport Layer 
Security (TLS)] is a standard
+cryptographic protocol designed to provide communications security over a 
computer network. HBase TLS implementation
+works exactly how secure websites are accessed via *https* prefix in a web 
browser: once established all communication
+on the channel will be securely hidden from malicious access.
+
+The encryption works at the transport level which means it's independent of 
the configured authentication method. Secure
+client access mentioned in the previous section requires Kerberos to be 
configured and used in HBase authentication, while
+TLS can be configured with any other SASL mechanism or even with simple client 
access methods, effectively preventing
+attackers from eavesdropping the communication. No Kerberos KDC or other 
complicated infrastructure required.
+
+HBase TLS is based on the Netty library therefore it only works with Netty 
client and server RPC implementation. Netty's
+powerful SSL implementation is a great foundation for highly secure and 
performant communication providing the latest and
+greatest cryptographic solution at all times.
+
+Since Region Servers effectively work as clients from Master's perspective, 
TLS supports encrypted communication
+between cluster members too.
+
+=== Server side configuration
+
+We need to setup Java key store for the server. Key store is the list of 
private keys that a server can use to configure TLS
+encryption. See 
link:https://en.wikipedia.org/wiki/Transport_Layer_Security/[TLS wikipedia page]
+for further details of the protocol. Add the following configuration to 
`hbase-site.xml` on Master, Region Servers and HBase
+clients:
+
+[source,xml]
+----
+<property>
+  <name>hbase.server.netty.tls.enabled</name>
+  <value>true</value>
+</property>
+<property>
+  <name>hbase.rpc.tls.keystore.type</name>
+  <value>JKS</value>
+</property>
+<property>
+  <name>hbase.rpc.tls.keystore.location</name>
+  <value>/path/to/keystore.jks</value>
+</property>
+<property>
+  <name>hbase.rpc.tls.keystore.password</name>
+  <value>keyStor3pa$$w0rd</value>
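Review bot: The example ends by placing a plaintext keystore password (`<value>keyStor3pa$$w0rd</value>`) in `hbase-site.xml`, and the text just above says to add this block "on Master, Region Servers and HBase clients", so the private-key password would be copied into a widely distributed, world-readable config file; the doc should at least state that the keystore and this file must be readable only by the HBase service user, and better point to a password source that is not the shared config. The same snippet also sits under "=== Server side configuration" yet is prescribed for clients, and it includes `hbase.server.netty.tls.enabled`, which by its name is a server setting; the client-side properties should be separated out or the instruction narrowed to Master and Region Servers. Smaller points: the heading should read "Transport Layer Security (TLS)", not "Transport Level Security"; the two Wikipedia links carry a stray trailing slash (`Transport_Layer_Security/`); and "all communication on the channel will be securely hidden from malicious access" and "latest and greatest cryptographic solution at all times" overstate what TLS gives (confidentiality and integrity in transit, dependent on correct certificate validation), so tone them down to what the feature actually guarantees.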

Review Comment:
   I would say that we should avoid putting passwords in the configuration file at all costs. Possibly the hdfs approach, where you have the default password / a password received through an environment variable / a special file that contains the password, would be more suitable.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
