Granting a Kerberos principal permissions on a namespace + its tables

slm — Fri, 15 Jul 2016 05:37:07 GMT

In a previous question I inquired about namespaces and how to utilize them: https://community.hortonworks.com/questions/18552/introduction-of-hbase-namespaces-into-a-pre-existi.html.

Since then we've enabled our application to use them, and we're now working through getting our application to work with namespaces + Kerberos.

I understand that the service principal (SPN) that our application uses gets parsed down to just the base portion of the name. For example: <username>/<hostname>@REALM would result in having to grant <username> permissions on the namespace.

I went ahead and did this:

hbase(main):001:0> user_permission '@dev01osth'
User                                                     Namespace,Table,Family,Qualifier:Permission
 our_apps_user                                                dev01osth,,,: [Permission: actions=READ,WRITE,CREATE,EXEC,ADMIN]
1 row(s) in 0.4360 seconds

So it would appear that I have a proper user who has RWCEA permissions in this namespace. However when I then bring our applications .keytab file over and do a `kinit` using it on our HBase node I cannot perform any actions in an hbase shell as this user.

I would expect that this user would be able to `list` the tables in this namespace and also do `scans` of tables that are within this given namespace.

Errors in the hbase shell are as follows:

hbase(main):009:0> user_permission
User                                                     Namespace,Table,Family,Qualifier:Permission


ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'our_apps_user' (global, action=ADMIN)
	at org.apache.hadoop.hbase.security.access.AccessController.requireGlobalPermission(AccessController.java:531)
	at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:507)
	at org.apache.hadoop.hbase.security.access.AccessController.getUserPermissions(AccessController.java:2273)
	at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.getUserPermissions(AccessControlProtos.java:9949)
	at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10107)
	at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:7459)
	at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:1876)
	at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:1858)
	at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:32209)
	at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2114)
	at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:101)
	at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:130)
	at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:107)
	at java.lang.Thread.run(Thread.java:745)

Here is some help for this command:

and this:

hbase(main):008:0> user_permission '@dev01osth'
User                                                     Namespace,Table,Family,Qualifier:Permission


ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=our_apps_user/<hostname>@<REALM>, scope=dev01osth, params=[namespace=dev01osth],action=ADMIN)
	at org.apache.hadoop.hbase.security.access.AccessController.requireNamespacePermission(AccessController.java:588)
	at org.apache.hadoop.hbase.security.access.AccessController.getUserPermissions(AccessController.java:2264)
	at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.getUserPermissions(AccessControlProtos.java:9949)
	at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10107)
	at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:7459)
	at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:1876)
	at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:1858)
	at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:32209)
	at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2114)
	at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:101)
	at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:130)
	at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:107)
	at java.lang.Thread.run(Thread.java:745)

What am I missing here?

Re: Granting a Kerberos principal permissions on a namespace + its tables

Enis — Fri, 15 Jul 2016 06:47:19 GMT

Maybe a typo: "our_apps_user" is given permission, versus you are kinit'ing with "our_app_user".

Re: Granting a Kerberos principal permissions on a namespace + its tables

slm — Fri, 15 Jul 2016 10:33:21 GMT

Sorry that was a mistake when I sanitized the output taking work specific details out. The name is our_apps_user and it's not a typo.

Re: Granting a Kerberos principal permissions on a namespace + its tables

slm — Fri, 15 Jul 2016 10:41:28 GMT

It appears as though adding permissions on just the namespace is not sufficient for allowing a user access to the tables within it. I had to cascade the permissions to the tables themselves like so in an hbase shell:

list.each {|t| grant 'our_apps_user','RWCXA',t}

I did the above using the included hbase SPN in the hbase.headless.keytab.

$ kinit -kt /etc/security/keytabs/hbase.headless.keytab hbase-<servername>@<REALM>
$ hbase shell
...above command...

question Re: Granting a Kerberos principal permissions on a namespace + its tables in Archives of Support Questions (Read Only)

Granting a Kerberos principal permissions on a namespace + its tables

Re: Granting a Kerberos principal permissions on a namespace + its tables

Re: Granting a Kerberos principal permissions on a namespace + its tables

Re: Granting a Kerberos principal permissions on a namespace + its tables