hbase active directory groups permissions not working

This is on CDH 5.7.1

Running Cloudera on Linux, configured cluster with Kerberos

All services are running fine, but I have an issue with permissions in HBase.

Active Directory group configured, e.g. AD_HBASE

User user1 created in AD, it's part of the AD-HBASE group

On Linux, user1 also exists, got a Kerberos ticket.

On HBase, created a namespace ns1 and granted full access on ns1 to AD group AD_HBASE:

grant '@AD-HBASE','RWC', '@ns1'

Starting hbase shell with jaas.conf options set:

export HBASE_OPTS="$HBASE_OPTS -Djava.security.auth.login.config=./zk-jaas.conf"

export HBASE_MANAGES_ZK=false

Starting hbase shell as user user1,

but when I try to create a table in ns1 I get a permission denied error:

hbase(main):001:0> create 'ns1:t1', {NAME => 'f1', VERSIONS => 5}

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=user1@MYDOMAIN.COM, scope=ns1, params=[na=ns1,table=ns1:t1,family=f1],action=CREATE)

I assume that I can grant access directly to user1, but I'd really like to use the AD group structure to avoid too many individual grants. Any suggestions as to what I'm doing wrong or how I can debug this issue?

Thanks!

(all names/groups etc. are masked with dummy values)

Re: hbase active directory groups permissions not working

What is the output of id <username> on the node where you launched the shell and on the HBase RS servers?

Even with Kerberos, Hadoop still uses the shell-based group lookup. So if the group doesn't exist on the nodes or the local user doesn't belong to the group, it will not be recognized.

Re: hbase active directory groups permissions not working

Thanks for the feedback.

The permission is granted to an Active Directory group, not to a Unix group.

So does that mean that HBase doesn't support authorization via Active Directory groups at all?

Re: hbase active directory groups permissions not working

HBase is accessing HDFS underneath. HDFS, by default, uses the ShellBasedUnixGroupsMapping, which means it checks the local OS on the Active Namenode for the users' group membership. There is an LdapGroupsMapping within HDFS, but Cloudera and others do not recommend it. The general approach is to mimic the users and groups on the local OS or configure LDAP integration at the OS level as well as Kerberos.

https://www.cloudera.com/documentation/enterprise/5-8-x/topics/cm_sg_ldap_grp_mappings.html
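
The check suggested in the replies above, as an added example that is not part of the original thread: a POSIX shell script that compares the group named in an HBase grant with what `id -Gn` resolves for the user on the local node. The function names, the script name `check_group.sh` and the assumption that the Kerberos principal maps to its short name (default auth_to_local rules) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the local OS resolves a
# user into the group named in an HBase grant, as shell-based mapping requires.

# user1@MYDOMAIN.COM or user1/host@REALM -> user1
# Assumption: default auth_to_local rules (realm and instance stripped).
short_name() {
  sn_p="${1%%@*}"
  printf '%s\n' "${sn_p%%/*}"
}

# HBase marks group grantees with a leading '@': '@AD-HBASE' -> AD-HBASE
grant_group() {
  printf '%s\n' "${1#@}"
}

# has_group GROUP "g1 g2 ..." : exact string match against one listed name.
# Limitation: group names containing spaces are not handled.
has_group() {
  for hg_g in $2; do
    [ "$hg_g" = "$1" ] && return 0
  done
  return 1
}

# check_grant PRINCIPAL GRANTEE [GROUP_LIST]
# GROUP_LIST defaults to what `id -Gn` reports on this node.
check_grant() {
  cg_user="$(short_name "$1")"
  cg_group="$(grant_group "$2")"
  if [ $# -ge 3 ]; then
    cg_groups="$3"
  else
    cg_groups="$(id -Gn "$cg_user" 2>/dev/null || true)"
  fi
  if has_group "$cg_group" "$cg_groups"; then
    echo "OK: $cg_user is in $cg_group"
    return 0
  fi
  echo "MISSING: $cg_user is not in $cg_group (local groups: ${cg_groups:-none})"
  return 1
}

# Usage on each node: sh check_group.sh user1@MYDOMAIN.COM @AD-HBASE
if [ $# -ge 2 ]; then
  check_grant "$1" "$2"
fi
```

Run it on the node where the shell was launched, on the HBase RS servers and on the Active Namenode; a MISSING result on any of them means the OS-level lookup does not see the membership, whatever Active Directory itself says.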