Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Cloudera Manager Hbase Visibility Labels

avatar
Contributor

hello,

 

I am trying to get my CDH 5.9 installation of Hbase working with visibility labels enabled through Cloudera Manager. In the "HBase Service Advanced Configuration Snippet (Safety Valve) for hbase-site.xml" I have set:

  • hfile.format.version to 3
  • hbase.coprocessor.region.classes to org.apache.hadoop.hbase.security.visibility.VisibilityController
  • hbase.coprocessor.master.classes to org.apache.hadoop.hbase.security.visibility.VisibilityController

After restart, I log in to the Hbase shell and try to "add_labels ['TESTLABEL'] and I am getting the error:

 

ERROR: DISABLED: Visibility labels feature is not available

 

Probably something simple that I am missing, but any ideas would be appreciated.

 

1 ACCEPTED SOLUTION

avatar
Cloudera Employee

 

For people using Cloudera Manager 5.7+ it also requires adding the following (4th parameter) to the "HBase Service Advanced Configuration Snippet (Safety Valve) for hbase-site.xml" in order to enable visibility labels:

<property>

<name>hbase.security.authorization</name>
<value>true</value>
</property>

 

So the full list of parameters to enter into the "HBase Service Advanced Configuration Snippet (Safety Valve) for hbase-site.xml" when using Cloudera Manager 5.7+ is as follows:

<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<property>
<name>hfile.format.version</name>
<value>3</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>

 

 

Customer Operations Engineer

View solution in original post

5 REPLIES 5

avatar
Master Collaborator

Immediately what comes to mind is that there are many safety valves at different scopes of the hbase service.

hbase.coprocessor.region.classes would be scoped to the regionserver safety valve, hbase.coprocessor.master.classes would be scoped to the master safety valve, etc.

 

additionally you can typically get away with putting things in the service wide safety valve since regionserver won't throw any errors on having hmaster specific config and vice versa. There are obviously cases where you want the same config item to be different for the different services.

 

you may already know this, but here is the cloudera article on setting this up:

https://www.cloudera.com/documentation/enterprise/5-6-x/topics/cdh_ig_hbase_new_features_and_changes...

avatar
Mentor
What Ben said.

To be more specific, duplicate your config of "hfile.format.version" also into the field called "HBase Client Advanced Configuration Snippet (Safety Valve) for hbase-site.xml".

The HBase shell's labels related functions look for this value in the client configuration as a pre-check guard before they can be used.

avatar
Contributor

No joy...I still get this when I do list_labels:

 

ERROR: DISABLED: Visibility labels feature is not available

 

Still searching for a (definitive) configuration through Cloudera Manager that will actually turn on visibility labels in HBASE.

avatar
Cloudera Employee

 

For people using Cloudera Manager 5.7+ it also requires adding the following (4th parameter) to the "HBase Service Advanced Configuration Snippet (Safety Valve) for hbase-site.xml" in order to enable visibility labels:

<property>

<name>hbase.security.authorization</name>
<value>true</value>
</property>

 

So the full list of parameters to enter into the "HBase Service Advanced Configuration Snippet (Safety Valve) for hbase-site.xml" when using Cloudera Manager 5.7+ is as follows:

<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<property>
<name>hfile.format.version</name>
<value>3</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>

 

 

Customer Operations Engineer

avatar
Contributor
Confirmed....thanks for this.