kerberized HDP 2.4 - Hbase user not able to access table

Expert Contributor

screen-shot-2017-01-31-at-123441-pm.png

screen-shot-2017-01-31-at-123417-pm.png

Hi all - I have a kerberized HDP 2.4 cluster, and I'm facing an issue wherein the user hbase_user1 that was created is not able to 'see' the table, though access is provided to the user.

Here is what is done ->

1) User - logging in as user 'hbase_user1' to cluster

2) generated a valid kerberos ticket

[hbase_user1@sandbox ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1029
Default principal: hbase_user1@EXAMPLE.COM

Valid starting     Expires            Service principal
01/31/17 19:11:24  02/01/17 19:11:24  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/31/17 19:11:24

3) launch 'hbase shell' and fire command -> list

4) contents of log file shows that authorization for hbase_user1 is successful ->

----------------------------------------------------------------------------------------------------------------

tail -f /var/log/hbase/SecurityAuth.audit
2017-01-31 20:04:50,330 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface
2017-01-31 20:09:50,329 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:09:50,330 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 35593 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904"
2017-01-31 20:09:50,330 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface
2017-01-31 20:14:39,192 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase_user1@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:14:39,195 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 39743 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904"
2017-01-31 20:14:39,195 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase_user1@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.MasterProtos$MasterService$BlockingInterface
2017-01-31 20:14:50,329 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:14:50,330 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 35679 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904"
2017-01-31 20:14:50,330 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface
2017-01-31 20:16:24,955 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase_user1@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:16:24,956 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 39773 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904"
2017-01-31 20:16:24,957 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase_user1@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.MasterProtos$MasterService$BlockingInterface

-----------------------------------------------------------------------------------------------

However, the user is not able to see any of the tables. Attaching the screenshot of Ranger policies - global access to HBase tables is blocked, while access is provided to table iemployee to user - hbase_user1.

Also, pls note : service user - hbase is able to access all hbase tables

What needs to be done to fix this access issue for user -> hbase_user1 ?

Any pointers on this would be appreciated.
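The audit lines in the question are of two kinds: RPC authentication ("Auth successful") and Hadoop service-level authorization of the RPC protocol (ServiceAuthorizationManager). Neither is a table-level permission decision. The following added example, which is not part of the original post, classifies such lines per principal; the sample log is constructed in the same format and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the SecurityAuth.audit lines quoted in the post.
SAMPLE_LOG = """\
2017-01-31 20:09:50,329 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:09:50,330 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 35593 with version info: (elided)
2017-01-31 20:09:50,330 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface
2017-01-31 20:14:39,192 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase_user1@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:14:39,195 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 39743 with version info: (elided)
2017-01-31 20:14:39,195 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase_user1@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.MasterProtos$MasterService$BlockingInterface
"""

# RPC-layer authentication: who the caller proved to be.
AUTHN = re.compile(
    r"hbase\.Server: Auth successful for (?P<who>\S+) \(auth:(?P<method>\w+)\)")
# Service-level authorization: may this principal use this RPC protocol at all.
AUTHZ = re.compile(
    r"ServiceAuthorizationManager: Authorization successful for (?P<who>\S+) "
    r"\(auth:(?P<method>\w+)\) for protocol=interface (?P<proto>\S+)")

def summarize(log_text):
    """Return {principal: {"authenticated": count, "protocols": set of service names}}."""
    out = defaultdict(lambda: {"authenticated": 0, "protocols": set()})
    for line in log_text.splitlines():
        m = AUTHN.search(line)
        if m:
            out[m["who"]]["authenticated"] += 1
            continue
        m = AUTHZ.search(line)
        if m:
            # Reduce "...MasterProtos$MasterService$BlockingInterface" to "MasterService".
            parts = m["proto"].split("$")
            out[m["who"]]["protocols"].add(parts[1] if len(parts) > 1 else m["proto"])
    return dict(out)

def connection_level_only(log_text):
    """True when every line is authentication, service authorization or connection info,
    i.e. the capture contains no per-table permission decision at all."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return all(AUTHN.search(l) or AUTHZ.search(l) or "Server: Connection from" in l
               for l in lines)

if __name__ == "__main__":
    for who, info in summarize(SAMPLE_LOG).items():
        print(who, info["authenticated"], sorted(info["protocols"]))
    print("connection-level only:", connection_level_only(SAMPLE_LOG))
```

A capture for which `connection_level_only` is true shows that the principal could connect, not that it holds any permission on a table.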

1 ACCEPTED SOLUTION

Master Mentor

Login with HBase user and grant access to hbase_user1 on the table

grant 'user', 'RWXCA', 'TABLE', 'CF', 'CQ'

https://hbase.apache.org/book.html#hbase.accesscontrol.configuration

You can review the following tutorial as well http://hortonworks.com/hadoop-tutorial/manage-security-policy-hive-hbase-knox-ranger/

5 REPLIES

Expert Contributor

@Artem Ervits -

thanks, granting access to the user - hbase_user1 actually worked.

However, I'd already given access to the table using Apache Ranger. Shouldn't that have worked?

What needs to be done to check/ensure the Ranger integration with HBase to control access?

A few more details -

Actually, when i check the Ranger audit logs - the user 'hbase_user1' appears only till December 2nd, 2017 - screenshot

screen-shot-2017-01-31-at-60941-pm.png

This setup was created in Nov, and was working when i checked last year,

Attaching screenshots of the ranger policies. - global access to hbase is removed, and access to table - 'iemployee' is provided to user - hbase_user1.

screen-shot-2017-01-31-at-51919-pm.png

screen-shot-2017-01-31-at-51817-pm.png

Master Mentor

@Karan Alang you need to disable global allow policy and grant permissions per table, please review the section on hbase in our tutorial, it explains it well http://hortonworks.com/hadoop-tutorial/manage-security-policy-hive-hbase-knox-ranger/#hbase-grant-re...

if any of the answers helped, please close the thread by accepting best answer.

Expert Contributor

@Artem Ervits - wrt. your previous comment, i've done exactly that (pls see my comments above & also the screenshots attached in my previous comment)

i.e. 1) Disabled Global access to Hbase table

2) Given access to user - hbase_user1 to scan table 'iemployee'

This is done using Apache Ranger, for some reason the Ranger permissions are not being enforced.

Any ideas ?

When i provided the permissions on command-line, i was able to enforce permissions !

Master Mentor

@Karan Alang you still need to provide explicit policy even though ranger for hbase is enabled; once you run explicit grant/revoke, it will be propagated to Ranger. Please see our doc http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch03s02s04s02.html also make sure your hbase service is configured correctly http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch03s02s04s02.html

also double check ranger hbase plugin settings http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/hbase_plugin_kerberos.ht...
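One way to check which authorization coprocessor HBase is actually loading, for the question in this thread of whether Ranger or HBase's native ACLs are enforcing access. This is an added example, not code from the thread or from Hortonworks; the hbase-site.xml fragment is a constructed misconfiguration and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Coprocessor classes: Ranger's HBase plugin and HBase's native ACL enforcer.
RANGER = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
NATIVE = "org.apache.hadoop.hbase.security.access.AccessController"
SCOPES = ("hbase.coprocessor.master.classes", "hbase.coprocessor.region.classes")

# Constructed sample: Ranger on the master, native ACLs still loaded on the regions.
SAMPLE_SITE = """<configuration>
  <property><name>hbase.security.authorization</name><value>true</value></property>
  <property><name>hbase.coprocessor.master.classes</name>
    <value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value></property>
  <property><name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value></property>
</configuration>"""

def load_props(xml_text):
    """Flatten Hadoop-style <property><name/><value/></property> XML into a dict."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def enforcer_report(xml_text):
    """Report whether authorization is on and which enforcer each scope loads."""
    props = load_props(xml_text)
    report = {"authorization_enabled":
              props.get("hbase.security.authorization", "false").lower() == "true"}
    for scope in SCOPES:
        classes = [c.strip() for c in props.get(scope, "").split(",") if c.strip()]
        if RANGER in classes:
            report[scope] = "ranger"
        elif NATIVE in classes:
            report[scope] = "native-acl"   # Ranger policies are not consulted here
        else:
            report[scope] = "none"
    return report

def is_ranger_enforced(xml_text):
    """True only when authorization is enabled and every scope loads the Ranger class."""
    r = enforcer_report(xml_text)
    return r["authorization_enabled"] and all(r[s] == "ranger" for s in SCOPES)

if __name__ == "__main__":
    print(enforcer_report(SAMPLE_SITE))
    print("ranger enforced:", is_ranger_enforced(SAMPLE_SITE))
```

Run it against the hbase-site.xml the running Master and RegionServers actually load, since a scope reporting `native-acl` means table permissions come from HBase's own ACL table rather than from Ranger policies.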