Support user authentication using Kerberos

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### Added
 
+- Support user authentication using Kerberos ([#436]).
 - More CRD documentation ([#425]).
 
 ### Changed
@@ -18,6 +19,7 @@
 
 
 [#425]: https://github.com/stackabletech/hbase-operator/pull/425
+[#436]: https://github.com/stackabletech/hbase-operator/pull/436
 [#438]: https://github.com/stackabletech/hbase-operator/pull/438
 
 ## [23.11.0] - 2023-11-24

Cargo.toml

@@ -15,6 +15,7 @@ built = { version = "0.6", features = ["chrono", "git2"] }
 clap = "4.3"
 fnv = "1.0"
 futures = { version = "0.3", features = ["compat"] }
+indoc = "2.0"
 rstest = "0.18"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"

deploy/helm/hbase-operator/crds/crds.yaml

@@ -31,6 +31,26 @@ spec:
                 clusterConfig:
                   description: Configuration that applies to all roles and role groups. This includes settings for logging, ZooKeeper and HDFS connection, among other things.
                   properties:
+                    authentication:
+                      description: Settings related to user [authentication](https://docs.stackable.tech/home/nightly/usage-guide/security).
+                      nullable: true
+                      properties:
+                        kerberos:
+                          description: Kerberos configuration.
+                          properties:
+                            secretClass:
+                              description: Name of the SecretClass providing the keytab for the HBase services.
+                              type: string
+                          required:
+                            - secretClass
+                          type: object
+                        tlsSecretClass:
+                          default: tls
+                          description: Name of the SecretClass providing the tls certificates for the WebUIs.
+                          type: string
+                      required:
+                        - kerberos
+                      type: object
                     hdfsConfigMapName:
                       description: Name of the [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for an HDFS cluster.
                       type: string

docs/modules/hbase/pages/reference/discovery.adoc

@@ -36,4 +36,11 @@ The resulting discovery ConfigMap is located at `{namespace}/{cluster-name}`.
 The ConfigMap data values are formatted as Hadoop XML files which allows simple mounting of that ConfigMap into pods that require access to HBase.
 
 `hbase-site.xml`::
-Contains the `hbase.zookeeper.quorum` property.
+Contains the needed information to connect to Zookeeper and use that to establish a connection to HBase.
+
+=== Kerberos
+In case Kerberos is enabled according to the xref:usage-guide/security.adoc[security documentation], the discovery ConfigMap also includes the information that clients must authenticate themselves using Kerberos.
+
+If you want to use the discovery ConfigMap outside Stackable services, you need to substitute `${env.KERBEROS_REALM}` with your actual realm (e.g. by using `sed -i -e 's/${{env.KERBEROS_REALM}}/'"$KERBEROS_REALM/g" hbase-site.xml`).
+
+One example would be the property `hbase.master.kerberos.principal` being set to `hbase/hbase.default.svc.cluster.local@${env.KERBEROS_REALM}`.

docs/modules/hbase/pages/usage-guide/security.adoc

@@ -0,0 +1,60 @@
+= Security
+
+== Authentication
+Currently the only supported authentication mechanism is Kerberos, which is disabled by default.
+For Kerberos to work a Kerberos KDC is needed, which the users need to provide.
+The xref:home:secret-operator:secretclass.adoc#backend-kerberoskeytab[secret-operator documentation] states which kind of Kerberos servers are supported and how they can be configured.
+
+=== 1. Prepare Kerberos server
+To configure HDFS to use Kerberos you first need to collect information about your Kerberos server, e.g. hostname and port.
+Additionally, you need a service-user which the secret-operator uses to create principals for the HDFS services.
+
+=== 2. Create Kerberos SecretClass
+Afterwards you need to enter all the needed information into a SecretClass, as described in xref:home:secret-operator:secretclass.adoc#backend-kerberoskeytab[secret-operator documentation].
+The following guide assumes you have named your SecretClass `kerberos`.
+
+=== 3. Configure HDFS to use SecretClass
+The next step is to configure your HdfsCluster to use the newly created SecretClass.
+Please follow the xref:hdfs:usage-guide/security.adoc[HDFS security guide] to set up and test this.
+Please watch out to use the SecretClass named `kerberos`.
+
+=== 4. Configure HBase to use SecretClass
+The last step is to configure the same SecretClass for HBase, which is done similar to HDFS.
+
+IMPORTANT: HDFS and HBase need to use the same SecretClass (or at least use the same underlying Kerberos server).
+
+[source,yaml]
+----
+spec:
+  clusterConfig:
+    authentication:
+      tlsSecretClass: tls # Optional, defaults to "tls"
+      kerberos:
+        secretClass: kerberos # Put your SecretClass name in here
+----
+
+The `kerberos.secretClass` is used to give HBase the possibility to request keytabs from the secret-operator.
+
+The `tlsSecretClass` is needed to request TLS certificates, used e.g. for the Web UIs.
+
+=== 5. Verify that Kerberos authentication is required
+Shell into the `hbase-master-default-0` Pod and execute the following commands:
+
+1. `kdestroy` (just in case you run `kinit` in the Pod already in the past)
+2. `echo 'list;' | bin/hbase shell`
+
+The last command should fail with the error message `ERROR: Found no valid authentication method from options`.
+You can also check the RestServer by calling `curl -v --insecure https://hbase-restserver-default:8081`, which should return `HTTP ERROR 401 Authentication required`.
+
+=== 6. Access HBase
+In case you want to access your HBase it is recommended to start up a client Pod that connects to HBase, rather than shelling into the master.
+We have an https://github.com/stackabletech/hbase-operator/blob/main/tests/templates/kuttl/kerberos/41-access-hbase.yaml.j2[integration test] for this exact purpose, where you can see how to connect and get a valid keytab.
+
+== Authorization
+Together with Kerberos authorization is enabled.
+You need to explicitly grant table permissions to all users.
+E.g. the integration tests run `grant 'testuser', 'C';` to grant the testuser the permission to create tables.
+
+== Wire encryption
+In case Kerberos is enabled, `Privacy` mode is used for best security.
+Wire encryption without Kerberos as well as other wire encryption modes are *not* supported.

docs/modules/hbase/partials/nav.adoc

@@ -3,6 +3,7 @@
 ** xref:hbase:getting_started/first_steps.adoc[]
 * xref:hbase:usage-guide/index.adoc[]
 ** xref:hbase:usage-guide/listenerclass.adoc[]
+** xref:hbase:usage-guide/security.adoc[]
 ** xref:hbase:usage-guide/resource-requests.adoc[]
 ** xref:hbase:usage-guide/phoenix.adoc[]
 ** xref:hbase:usage-guide/compression.adoc[]
@@ -19,4 +20,4 @@
 *** {crd-docs}/hbase.stackable.tech/hbasecluster/v1alpha1/[HbaseCluster {external-link-icon}^]
 ** xref:hbase:reference/discovery.adoc[]
 ** xref:hbase:reference/commandline-parameters.adoc[]
-** xref:hbase:reference/environment-variables.adoc[]
+** xref:hbase:reference/environment-variables.adoc[]