
Oracle Big Data Spatial and Graph - technical tips, best practices, and news from the product team

Connecting a Windows Client to Oracle Big Data Spatial and Graph Property Graph Stored in a Secure Apache HBase

Alan Wu
Architect

This is joint work with Hugo Hlabra, Gabriela Montiel (primary contributors), and Juan Fco. Garcia.

This blog post shows detailed steps on how a client application running on Windows (Windows 7) can communicate with a secure CDH cluster and use a property graph stored in a secure Apache HBase.

In the following, we will demonstrate how to configure your Windows machine to authenticate to a Kerberos KDC in order to access property graph data stored in a secure Apache HBase. To get started, we need to configure the Windows client machine so it is able to locate the KDC and obtain a ticket to authenticate itself to the secure Apache HBase service. To do this, we need to create a Kerberos configuration file krb5.ini (equivalent to krb5.conf on Linux) in the Windows directory (C:\Windows).

The following are two options to create the Kerberos configuration file:

  • Navigate to the Windows directory under "C:\Windows" and create/edit a file named "krb5.ini" with the following contents:

    [domain_realm]
    .example.com = "EXAMPLE.COM"
    example.com = "EXAMPLE.COM"

    [libdefaults]
    default_realm = "EXAMPLE.COM"

    [realms]
    EXAMPLE.COM = {
        admin_server = "myhost.example.com"
        kdc = "myhost.example.com"
        master_kdc = "myhost.example.com"
    }

You must configure the realm name, the realm mappings and the KDC server according to the Kerberos realm and KDC specified in the Kerberos configuration of the machines that the secure Apache HBase uses (in this case EXAMPLE.COM). In order to successfully obtain a ticket using Kerberos, it is important that you have a default_realm specified in the "libdefaults" section. If you don't have any default realm specified, you should use the realm specified in the Kerberos configuration used with the secure Apache HBase. With this configuration, your Windows machine will be able to find the realm and get a ticket from the KDC.

  • Use a graphical user interface to create and configure the file through the Network Identity Manager software provided by MIT. To do so:

  1. Download the MIT Kerberos software from the following URL:
    http://web.mit.edu/kerberos/dist/kfw/3.2/kfw-3.2.1/kfw-3-2-1.exe

  2. Execute the downloaded file and follow the instructions below to install it.

    1. Choose a language from the combo box and click Ok.

    2. Click Next on the welcome screen of the installer.

    3. Accept the license by clicking the "I agree" button.

    4. Select the components to install (as a minimum you must select the KfW client) and click Next.

    5. Select a location to install the program and click Next.

    6. Select the "Use packaged configuration files for the ATHENA.MIT.EDU realm." option and click Next (this option creates the krb5.ini file for you).

    7. Select whether you want to auto-start this software with your Windows login (as we are only using this software to create the krb5.ini file, you can deselect this option) and click Install.

    8. Wait for the installer to finish and click Finish.

  3. Use the Start button from Windows, and from the "Kerberos for Windows" directory open the Network Identity Manager software. Be sure to run it as administrator by right-clicking on it.

  4. On the menu bar, click "Options" and then "Kerberos v5…"

  5. Navigate to the "Realms" section and click in the "<New realm…>" table to create an entry.

  6. Configure the realm entry according to the Kerberos realm and KDC specified in the Kerberos configuration of the machines that the secure Apache HBase uses, then click Ok.

After following these steps your Windows machine will have the
krb5.ini file created and configured to contact your KDC and get a ticket from
it.
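Whichever option you used, the resulting file can be checked for the three points called out above (a default_realm, a kdc for that realm, and a domain mapping to it). The following is an added example, not part of the original post or the product; the class name Krb5IniCheck is hypothetical, and the embedded sample is constructed to mirror the file shown above and is used when no path is passed.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.*;

// Added example (hypothetical class): checks the krb5.ini points described above.
public class Krb5IniCheck {
    // Constructed sample mirroring the page's file; used when no path is given.
    static final List<String> SAMPLE = Arrays.asList(
        "[domain_realm]", ".example.com = \"EXAMPLE.COM\"",
        "[libdefaults]", "default_realm = \"EXAMPLE.COM\"",
        "[realms]", "EXAMPLE.COM = {", "kdc = \"myhost.example.com\"", "}");

    // Flattens the file to "section/key" or "realms/REALM/key" -> list of values.
    static Map<String, List<String>> parse(List<String> lines) {
        Map<String, List<String>> cfg = new HashMap<>();
        String section = "", realm = null;
        for (String raw : lines) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[") && line.endsWith("]")) {
                section = line.substring(1, line.length() - 1).trim();
                realm = null;
                continue;
            }
            if (line.equals("}")) { realm = null; continue; }   // end of a realm block
            int eq = line.indexOf('=');
            if (eq < 0) continue;
            String key = line.substring(0, eq).trim();
            String val = line.substring(eq + 1).trim().replaceAll("^\"|\"$", "");
            if (val.equals("{")) { realm = key; continue; }     // start of a realm block
            String path = section + "/" + (realm == null ? "" : realm + "/") + key;
            cfg.computeIfAbsent(path, k -> new ArrayList<>()).add(val);
        }
        return cfg;
    }

    // Returns one message per missing setting; an empty list means all three are present.
    static List<String> problems(Map<String, List<String>> cfg) {
        List<String> out = new ArrayList<>();
        List<String> dr = cfg.get("libdefaults/default_realm");
        if (dr == null) { out.add("[libdefaults] has no default_realm"); return out; }
        String realm = dr.get(0);
        if (!cfg.containsKey("realms/" + realm + "/kdc")) out.add("[realms] has no kdc for " + realm);
        boolean mapped = cfg.entrySet().stream().anyMatch(
            e -> e.getKey().startsWith("domain_realm/") && e.getValue().contains(realm));
        if (!mapped) out.add("[domain_realm] maps no domain to " + realm);
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<String> lines = args.length > 0 ? Files.readAllLines(Paths.get(args[0])) : SAMPLE;
        List<String> found = problems(parse(lines));
        System.out.println(found.isEmpty() ? "krb5.ini is consistent" : String.join("\n", found));
    }
}
```

Pass the path of your own file (for example C:\Windows\krb5.ini) as the first argument to check it instead of the sample.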

Assume Oracle Big Data Spatial and Graph is installed under a directory on the Windows machine. For simplicity, we refer to this directory as %OPG_HOME%. The property graph directory should contain the following structure:

At this point we are ready to connect to the secure Apache HBase and use the property graph features. To do so, it is necessary to pass some additional security parameters to the PgHbaseGraphConfigBuilder: the security authentication for Hadoop and HBase, the Kerberos principals for the Apache HBase region server and master, and the user credentials (principal and keytab) we will use to connect to the database. Here is an example code snippet of what your configuration should look like; be sure to customize it for your own setup.

// Package names below are assumed from the product's Java API; adjust them if your release differs.
import com.tinkerpop.blueprints.Vertex;
import oracle.pg.hbase.OraclePropertyGraph;
import oracle.pgx.config.GraphConfigBuilder;
import oracle.pgx.config.PgHbaseGraphConfig;
import oracle.pgx.config.PgHbaseGraphConfigBuilder;

public class YourJavaProgram {

  // szArgs[0] = user principal, szArgs[1] = path to the keytab file
  public static void main(String[] szArgs) throws Exception {
    String szQuorum = "my.cdh.secure.host.com";
    String szGraphName = "social_graph";

    PgHbaseGraphConfigBuilder builder = GraphConfigBuilder.forPropertyGraphHbase();
    builder = builder.setName(szGraphName);
    builder = builder.setZkQuorum(szQuorum);
    builder = builder.setZkClientPort(2181);
    builder = builder.setInitialEdgeNumRegions(3);
    builder = builder.setInitialVertexNumRegions(3);

    // These parameters are used for secure HBase connections;
    // they must be neither null nor empty.
    builder = builder.setRsKerberosPrincipal("hbase/_HOST@EXAMPLE.COM");
    builder = builder.setHmKerberosPrincipal("hbase/_HOST@EXAMPLE.COM");
    builder = builder.setUserPrincipal(szArgs[0]);
    builder = builder.setHbaseSecAuth("kerberos");
    builder = builder.setHadoopSecAuth("kerberos");
    builder = builder.setKeytab(szArgs[1]);

    builder = builder.setZkSessionTimeout(Integer.parseInt("3600"));
    builder = builder.setMaxNumConnections(Integer.parseInt("4"));

    PgHbaseGraphConfig config = builder.build();
    OraclePropertyGraph opg = oracle.pg.hbase.OraclePropertyGraph.getInstance(config);

    // Add a vertex
    Vertex v1 = opg.addVertex(1L);
    v1.setProperty("age", Integer.valueOf(18));
    v1.setProperty("name", "Name");
    v1.setProperty("weight", Float.valueOf(30.0f));
    v1.setProperty("height", Double.valueOf(1.70d));
    v1.setProperty("female", Boolean.TRUE);
    opg.commit();

    System.out.println("Fetch 1 vertex: " + opg.getVertices().iterator().next());

    // Release the connection to HBase
    opg.shutdown();
  }
}

You can create a Java application with this code snippet and
compile it using a classpath with all the jar files located in the
%OPG_HOME%\lib directory as follows:

javac -cp %OPG_HOME%\lib\* YourJavaProgram.java

Finally, we need to configure one property that will tell
Hadoop how to match the principal names and be able to authenticate. In order
to do this, create a file with the name "core-site.xml"
and add the following content to it:

<configuration>
  <property>
    <name>hadoop.security.auth_to_local</name>
    <value>RULE:[1:$1]
    RULE:[2:$1]</value>
  </property>
</configuration>

Be sure to add the "core-site.xml" file in the class path when running your Java program. With that set, now we are able to run our Java program and successfully connect to a secure Apache HBase cluster to create a Property Graph!

java -cp <directory_of_core-site.xml>;%OPG_HOME%\lib\* YourJavaProgram <user> <path_to_keytab>
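To see which short names the two auth_to_local rules above produce, the following added example (not part of the original post or the product) runs constructed principals through Hadoop's own KerberosName class. It assumes the hadoop-auth classes are among the jars on the classpath; the class name AuthToLocalCheck, the sample principals and the realm-restricted rule set used for comparison are constructed here.

```java
import org.apache.hadoop.security.authentication.util.KerberosName;

// Added example (hypothetical class name): evaluates auth_to_local rules offline.
public class AuthToLocalCheck {
    // The two rules from core-site.xml on this page.
    static final String PAGE_RULES = "RULE:[1:$1]\nRULE:[2:$1]";

    // Constructed variant for comparison: same mapping, but only for EXAMPLE.COM.
    static final String REALM_RULES =
        "RULE:[1:$1@$0](.*@EXAMPLE\\.COM)s/@.*//\n" +
        "RULE:[2:$1@$0](.*@EXAMPLE\\.COM)s/@.*//";

    // Constructed principals: a user, a service, and a user from another realm.
    static final String[] PRINCIPALS = {
        "alice@EXAMPLE.COM",
        "hbase/myhost.example.com@EXAMPLE.COM",
        "alice@OTHER.EXAMPLE.ORG"
    };

    // Returns the short name Hadoop derives, or a marker when no rule applies.
    static String shortName(String rules, String principal) {
        KerberosName.setRules(rules);
        try {
            return new KerberosName(principal).getShortName();
        } catch (Exception e) {
            return "<no rule matched>";
        }
    }

    public static void main(String[] args) {
        System.out.printf("%-40s %-18s %s%n", "principal", "page rules", "realm-restricted");
        for (String p : PRINCIPALS) {
            System.out.printf("%-40s %-18s %s%n", p,
                shortName(PAGE_RULES, p), shortName(REALM_RULES, p));
        }
    }
}
```

The page's rules keep only the first component of a principal and do not look at its realm, which is what the comparison column makes visible.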

Be sure to check our next entry, where we will show how to visualize a property graph with Cytoscape and run interesting analytics, all in the realm of a secure CDH setup!

Acknowledgement: thanks Jay Banerjee and Steven Serra for their input on this blog post.

