Cloudera Community

Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
This board is archived and read-only for historical reference. To ask a new question, please post a new topic on the appropriate active board.
Solved Go to solution

Where do I control hbase namespace from ranger?

Labels:
avatar
author-rank sunile_manjee author-rank
Master Guru

Created on ‎02-23-2016 08:44 PM - edited ‎08-18-2019 05:30 AM

This option is available in ranger but I don't see it. I have ranger version .50. Screen shot:

2356-2016-02-23-14-40-02.jpg

As you can see from above nothing for namespace. Am I missing something?

7,849 Views
1 ACCEPTED SOLUTION

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎02-24-2016 09:40 PM

@Neeraj Sabharwal @Artem Ervits

namespace:* works! but with a twist.

I created a namespace called 'testns'.

On ranger I am able to do testns:* and it gives me security access over all tables within this namespace. It worked with all namespace i created.

HOWEVER!!! - this does not work with default. So I need to create a new thread on HCC asking community why default namespace (default:*) is not controlable via ranger.

View solution in original post

6,870 Views
0 Kudos
11 REPLIES 11

avatar
author-rank aervits
Master Mentor

Created ‎02-23-2016 09:06 PM

Please see this https://issues.apache.org/jira/plugins/servlet/mobile#issue/RANGER-202

In the table section, specify the namespace with table together

6,028 Views

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎02-24-2016 08:48 PM

@Artem Ervits awesome feedback as always. I need to know if ranger can do access control at namespace level without specifying table name.

6,028 Views
0 Kudos

avatar
author-rank aervits
Master Mentor

Created ‎02-24-2016 08:49 PM

@Sunile Manjee I doubt it, by design you need to specify namespace:table

6,028 Views
0 Kudos

avatar
author-rank nsabharwal
Master Mentor

Created ‎02-23-2016 11:42 PM

@Sunile Manjee

See this https://issues.apache.org/jira/browse/RANGER-202 and it has more information on the issues related to this particular issue

Take a look on the subtasks.

It looks like that Ramesh replied back https://community.hortonworks.com/questions/17764/ranger-hbase-namespace.html

Format:

To allow access to table(s) in a specific namespace, specify the table name with prefix as "<namespace>:<table>" - like "myNameSpace:table1", "myNamespace:*"

6,028 Views
0 Kudos

avatar
author-rank nsabharwal
Master Mentor

Created on ‎02-24-2016 01:51 AM - edited ‎08-18-2019 05:30 AM

@Sunile Manjee

Demo

my_ns1:my_table - demouser can access it

hbase(main):005:0> scan "my_ns1:my_table"

ROW COLUMN+CELL

0 row(s) in 0.0340 seconds

hbase(main):006:0>

2371-screen-shot-2016-02-24-at-71946-am.png

I removed demouser in policy

hbase(main):006:0> scan "my_ns1:my_table"

ROW COLUMN+CELL

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘demouser',action: scannerOpen, tableName:my_ns1:my_table, family:fam.

Here is some help for this command:

2372-screen-shot-2016-02-24-at-72100-am.png

6,028 Views
0 Kudos

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎02-24-2016 08:47 PM

@Neeraj Sabharwal awesome feedback as always. I need to know if ranger can do access control at namespace level without specifying table name.

6,028 Views

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎02-24-2016 08:48 PM

I'm going to take a try on my sandbox... will post what I find.

6,028 Views
0 Kudos

avatar
author-rank nsabharwal
Master Mentor

Created ‎02-24-2016 11:26 PM

@Sunile Manjee Did you see the link that I shared and extra information added in my reply?

I mentioned "See this https://issues.apache.org/jira/browse/RANGER-202 and it has more information on the issues related to this particular issue

Take a look on the subtasks."

One of the subtasks is https://issues.apache.org/jira/browse/RANGER-228

6,028 Views
0 Kudos

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎02-24-2016 09:40 PM

@Neeraj Sabharwal @Artem Ervits

namespace:* works! but with a twist.

I created a namespace called 'testns'.

On ranger I am able to do testns:* and it gives me security access over all tables within this namespace. It worked with all namespace i created.

HOWEVER!!! - this does not work with default. So I need to create a new thread on HCC asking community why default namespace (default:*) is not controlable via ranger.

6,871 Views
0 Kudos
Announcements
What's New @ Cloudera
Announcing Cloudera Streaming Analytics 1.17: Python UDFs, S...
Community Announcements
Content Update: Evolving Our Community Content for Better, A...
Community Announcements
Product Name Updates — Community Label Changes & Notificatio...
What's New @ Cloudera
Announcing Cloudera Data Lineage for Trino
What's New @ Cloudera
Announcing Cloudera Streaming Analytics Operator for Kuberne...
View More Announcements