Access two secured (Kerberos) Hadoop / HBase clusters from the same process

Question

I have a Java tool that copies a few rows of data from one HBase cluster to another (call them ClusterA and ClusterB). This worked fine when neither clusters are secured:

Configuration configA = Utilities.makeHBaseConfig("configA.xml");
Configuration configB = Utilities.makeHBaseConfig("configB.xml");
HTable tableA = new HTable(configA, input_table);
HTable tableB = new HTable(configB, output_table);
tableA.get(...)
tableB.put(...)

Note: The Utilities.makeHBaseConfig() method loads the zookeeper quorum settings from a configuration file.

Now, I am trying to do this from an unsecured cluster to a secured one. Soon, the unsecured cluster will get upgraded to Kerberos authentication and so I will need to copy data between two different Kerberos-authenticated clusters.

I use the following code to login to one cluster, using a keytab file:

Configuration configA = Utilities.makeHBaseConfig("configA.xml");
File keyTab = new File(keytab_path).getCanonicalPath();
configA.set(HBASE_KEY_TAB_FILE_KEY, keyTab);
configA.set(HADOOP_SECURITY_AUTHORIZATION, "true");
configA.set(HADOOP_SECURITY_AUTHENTICATION, "Kerberos");
UserGroupInformation.setConfiguration(configA);
UserGroupInformation.loginUserFromKeytab(user, keyTab);

This works fine for operations on only one cluster. However, the setConfiguration() and loginUserFromKeytab() are static methods. If I create a second configuration object configB to access ClusterB, like this:

Configuration configB = Utilities.makeHBaseConfig("configB.xml");

Then I am no longer able to load from ClusterB because I am logged into ClusterA. A call like "tableB.get(...)" just hangs.

So how can I access two different clusters with different authentication?

Answer 1

If the 2 two clusters are using a same KDC, you can try to use same Kerberos principal username and domain/realm for both clusters. Then, the single keyTab file is valid for both clusters.