
HBase simple authorization group permissions not working

Hi, I am running a simple training cluster (non-kerberized) on CDH 5.14.4. I was asked to enable HBase simple authorization just to prevent users accidentally overwriting each other's HBase tables. However, I've found that after enabling HBase simple authorization following the guide https://www.cloudera.com/documentation/enterprise/5-14-x/topics/cdh_sg_hbase_authorization.html and attempting to add some group permissions, I still get access denied errors, even though the group exists locally on the active namenode and the group appears to be mapped correctly (appears in whoami as user).

 

E.g., on the active namenode:

> id user1

uid=10099(user1) gid=10099(user1) groups=10000(admin),10099(user1)

> sudo -u hbase hbase shell

hbase(main):001:0> user_permission

@admin               hbase,hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]

hbase(main):001:0> exit

(as user1) > hbase shell

hbase(main):001:0> whoami

user1 (auth:SIMPLE)
    groups: user1, admin

hbase(main):001:0> user_permission

User                  Namespace,Table,Family,Qualifier:Permission

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'user1' (global, action=ADMIN)
        at org.apache.hadoop.hbase.security.access.AccessController.requireGlobalPermission(AccessController.java:546)
        at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:522)
        at org.apache.hadoop.hbase.security.access.AccessController.getUserPermissions(AccessController.java:2335)
        at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.getUserPermissions(AccessControlProtos.java:9949)
        at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10107)
        at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:7996)
        at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:1986)
        at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:1968)
        at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:33652)
        at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2191)
        at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:112)
        at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:183)
        at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:163)

 

 


Re: HBase simple authorization group permissions not working

HBase authz will not consult NameNode for groups but rather will check it
local to each serving RegionServer handling the request.

Ensure your Linux user and groups are consistent across _all_ cluster hosts
for a predictable result with any authorization feature.
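
The consistency check recommended in the answer above, as an added example that is not part of the original thread: it compares a user's group membership as reported by `id` on each host and lists the hosts that differ from the first one. The host names (nn1, rs1, rs2, rs3), the sample `id` lines and the function names are constructed for illustration.

```sh
#!/bin/sh
# Input: one line per host, "<host><TAB><output of `id USER` on that host>".
# On a live cluster the lines could be gathered with, e.g.:
#   for h in $(cat hosts.txt); do printf '%s\t%s\n' "$h" "$(ssh "$h" id user1 2>&1)"; done
# (hosts.txt and ssh access are assumptions, not from the thread).
TAB=$(printf '\t')

# Constructed sample: rs2 lacks the admin group, rs3 does not know the user.
SAMPLE_ID_OUTPUT=$(printf '%s\t%s\n' \
  nn1 'uid=10099(user1) gid=10099(user1) groups=10000(admin),10099(user1)' \
  rs1 'uid=10099(user1) gid=10099(user1) groups=10099(user1),10000(admin)' \
  rs2 'uid=10099(user1) gid=10099(user1) groups=10099(user1)' \
  rs3 'id: user1: no such user')

# Reduce one `id` line to a sorted, comma-joined list of group names.
normalize_groups() {
  local line groups
  line=$1
  case $line in
    *groups=*) ;;
    *) echo '<unresolved>'; return 0 ;;
  esac
  groups=${line##*groups=}           # keep everything after "groups="
  groups=${groups%% context=*}       # drop a trailing SELinux context, if any
  # One group per line, strip "gid(" and ")", sort, re-join with commas.
  printf '%s\n' "$groups" | tr ',' '\n' \
    | sed 's/^[0-9][0-9]*(\(.*\))$/\1/' | sort -u | paste -sd, -
}

# Read host/id lines on stdin; print every host whose group set differs from
# the first host (the reference). Returns 1 on any drift, 0 if all agree.
find_group_drift() {
  local host idline ref got rc
  ref='' rc=0
  while IFS="$TAB" read -r host idline; do
    [ -n "$host" ] || continue
    got=$(normalize_groups "$idline")
    if [ -z "$ref" ]; then ref=$got; continue; fi
    if [ "$got" != "$ref" ]; then
      printf '%s: expected [%s] got [%s]\n' "$host" "$ref" "$got"
      rc=1
    fi
  done
  return "$rc"
}

printf '%s\n' "$SAMPLE_ID_OUTPUT" | find_group_drift || true
```

A host reported here is one where a RegionServer would resolve a different group set for the user than the reference host does, which is the condition that produced the AccessDeniedException in the question.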

Re: HBase simple authorization group permissions not working

That worked, thanks very much.

 

I'd missed this difference between HBase and HDFS.
