Adding troubleshooting for Kerberos (#702)

Maleware · sbernauer · web-flow · commit eb27ad01cd77 · 2025-12-10T09:10:21.000Z
* Adding troubleshooting for kerberos

* Updating xref references

* Adding newline eof

* Add suggestions

Co-authored-by: Sebastian Bernauer &lt;sebastian.bernauer@stackable.de&gt;

* Adding jvm-argument-overrides link

* Fixing link to applications.adoc

* revert changes

* another change to the xref link

* Move troubleshooting to be consistent with other operators

---------

Co-authored-by: Sebastian Bernauer &lt;sebastian.bernauer@stackable.de&gt;
diff --git a/docs/modules/hbase/pages/troubleshooting/index.adoc b/docs/modules/hbase/pages/troubleshooting/index.adoc
@@ -0,0 +1,40 @@
+= Troubleshooting
+
+== HBase access with Kerberos authentication
+
+Currently, xref:zookeeper:index.adoc[Zookeeper] stacklets can only be secured using mutual TLS.
+This means, if an application tries to connect to HBase, it would contact Zookeeper to figure the correct HBase nodes to talk to.
+In a Java world, you would define a `Client` which would carry the Kerberos requirements.
+
+However, those requirements might be passed through and thus your client (e.g. xref:spark-k8s:usage-guide/operations/applications.adoc[SparkApplications]) would try to authenticate with Kerberos at the corresponding Zookeeper endpoint.
+This will result in a Kerberos ( authentication ) error.
+
+To prevent this, you can set a xref:concepts:overrides.adoc#jvm-argument-overrides[JVM argument] like this (again e.g. SparkApplications) in all Pods which would like to talk to HBase:
+
+[source,yaml]
+----
+jvmArgumentOverrides:
+  add:
+    - "-Dzookeeper.sasl.client=false"
+----
+
+
+== Additional stack-traces
+
+To add more useful information to stack-traces caused by RPC issues, the xref:concepts:overrides.adoc#config-overrides[Config overrides documentation] can be used to replace the default Netty implementation:
+
+[source,yaml]
+----
+masters:
+  roleGroups:
+    default:
+      configOverrides:
+        hbase-site.xml:
+          hbase.rpc.client.impl: "org.apache.hadoop.hbase.ipc.BlockingRpcClient"
+regionServers:
+  roleGroups:
+    default:
+      configOverrides:
+        hbase-site.xml:
+          hbase.rpc.client.impl: "org.apache.hadoop.hbase.ipc.BlockingRpcClient"
+----
diff --git a/docs/modules/hbase/pages/usage-guide/troubleshooting.adoc b/docs/modules/hbase/pages/usage-guide/troubleshooting.adoc
diff --git a/docs/modules/hbase/partials/nav.adoc b/docs/modules/hbase/partials/nav.adoc
@@ -13,7 +13,6 @@
 ** xref:hbase:usage-guide/hbck2.adoc[]
 ** xref:hbase:usage-guide/snapshot-export.adoc[]
 ** xref:hbase:usage-guide/adls.adoc[]
-** xref:hbase:usage-guide/troubleshooting.adoc[]
 ** xref:hbase:usage-guide/operations/index.adoc[]
 *** xref:hbase:usage-guide/operations/cluster-operations.adoc[]
 *** xref:hbase:usage-guide/operations/pod-placement.adoc[]
@@ -25,3 +24,4 @@
 ** xref:hbase:reference/discovery.adoc[]
 ** xref:hbase:reference/commandline-parameters.adoc[]
 ** xref:hbase:reference/environment-variables.adoc[]
+* xref:hbase:troubleshooting/index.adoc[]
