question Re: kerberized HDP 2.4 - Hbase user not able to access table in Archives of Support Questions (Read Only)

kerberized HDP 2.4 - Hbase user not able to access table

karan_alang1 — Wed, 01 Feb 2017 04:37:39 GMT

screen-shot-2017-01-31-at-123441-pm.png

screen-shot-2017-01-31-at-123417-pm.png

hi All - i've a kerberized HDP 2.4 cluster, and i'm facing issue wherein user - hbase_user1 created is not able to 'see' the table, though access is provided to the user.

Here is what is done ->

1) User - logging in as user 'hbase_user1' to cluster

2) generated a valid kerberos ticket

[hbase_user1@sandbox ~]$ klist Ticket cache: FILE:/tmp/krb5cc_1029 Default principal: hbase_user1@EXAMPLE.COM

Valid starting Expires Service principal 01/31/17 19:11:24 02/01/17 19:11:24 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 01/31/17 19:11:24

3) launch 'hbase shell' and fire command -> list

4) contents of log file shows that authorization for hbase_user1 is successful ->

----------------------------------------------------------------------------------------------------------------

tail -f /var/log/hbase/SecurityAuth.audit 2017-01-31 20:04:50,330 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface 2017-01-31 20:09:50,329 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:SIMPLE) 2017-01-31 20:09:50,330 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 35593 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904" 2017-01-31 20:09:50,330 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface 2017-01-31 20:14:39,192 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase_user1@EXAMPLE.COM (auth:SIMPLE) 2017-01-31 20:14:39,195 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 39743 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904" 2017-01-31 20:14:39,195 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase_user1@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.MasterProtos$MasterService$BlockingInterface 2017-01-31 20:14:50,329 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:SIMPLE) 2017-01-31 20:14:50,330 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 35679 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904" 2017-01-31 20:14:50,330 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface 2017-01-31 20:16:24,955 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase_user1@EXAMPLE.COM (auth:SIMPLE) 2017-01-31 20:16:24,956 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 39773 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904" 2017-01-31 20:16:24,957 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase_user1@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.MasterProtos$MasterService$BlockingInterface

-----------------------------------------------------------------------------------------------

However, the user is not able to see any of the tables. Attaching the screenshot of Ranger policies - Global access to HBase tables is blocked, while access is provided to tabe iemployee to user - hbase_user1.

Also, pls note : service user - hbase is able to access all hbase tables

What needs to be done to fix this access issue for user -> hbase_user1 ?

Any pointers on this would be appreciated.

Re: kerberized HDP 2.4 - Hbase user not able to access table

aervits — Wed, 01 Feb 2017 08:12:40 GMT

grant 'user', 'RWXCA', 'TABLE', 'CF', 'CQ'

https://hbase.apache.org/book.html#hbase.accesscontrol.configuration

You can review the following tutorial as well http://hortonworks.com/hadoop-tutorial/manage-security-policy-hive-hbase-knox-ranger/

Re: kerberized HDP 2.4 - Hbase user not able to access table

karan_alang1 — Wed, 01 Feb 2017 09:50:38 GMT

@Artem Ervits -

thanks, granting access to the user - hbase_user1 actually worked.

However, i'd already given access to the table using Apache Ranger. Shouldn't that have worked ?

What needs to be done to check/ensuure the Ranger integration with Hbase to control access ?

A few more details -

Actually, when i check the Ranger audit logs - the user 'hbase_user1' appears only till December 2nd, 2017 - screenshot

screen-shot-2017-01-31-at-60941-pm.png

This setup was created in Nov, and was working when i checked last year,

Attaching screenshots of the ranger policies. - global access to hbase is removed, and access to table - 'iemployee' is provided to user - hbase_user1.

screen-shot-2017-01-31-at-51919-pm.png

screen-shot-2017-01-31-at-51817-pm.png

Re: kerberized HDP 2.4 - Hbase user not able to access table

aervits — Wed, 01 Feb 2017 09:57:27 GMT

@Karan Alang you need to disable global allow policy and grant permissions per table, please review the section on hbase in our tutorial, it explains it well http://hortonworks.com/hadoop-tutorial/manage-security-policy-hive-hbase-knox-ranger/#hbase-grant-revoke

if any of the answers helped, please close the thread by accepting best answer.

Re: kerberized HDP 2.4 - Hbase user not able to access table

karan_alang1 — Wed, 01 Feb 2017 15:21:22 GMT

@Artem Ervits - wrt. your previous comment, i've done exactly that (pls see my comments above & also the screenshots attached in my previous comment)

i.e. 1) Disabled Global access to Hbase table

2) Given access to user - hbase_user1 to scan table 'iemployee'

This is done using Apache Ranger, for some reason the Ranger permissions are not being enforced.

Any ideas ?

When i provided the permissions on command-line, i was able to enforce permissions !

Re: kerberized HDP 2.4 - Hbase user not able to access table

aervits — Wed, 01 Feb 2017 22:13:55 GMT

@Karan Alang you still need to provide explicit policy even though ranger for hbase is enabled, once you run explicit grant/revoke, it will be propogated to Ranger. Please see our doc http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch03s02s04s02.html all make sure your hbase service is configured correctly http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch03s02s04s02.html

also double check ranger hbase plugin settings http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/hbase_plugin_kerberos.html