03-13-2019 01:09 PM
I'm trying to set up the ACLs for HBase now that we have enabled secure authentication. I'm using the HBase shell, but I don't have permissions to grant anything:
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=<redacted>, scope=GLOBAL, action=ADMIN)
I have added my user name to the "HBase Superuser" setting under configuration and re-deployed the service, but the error persists.
03-13-2019 06:46 PM
03-14-2019 03:35 AM
03-14-2019 04:52 AM
03-17-2019 06:49 PM - edited 03-18-2019 03:27 AM
Thank you for confirming the details,
Does the subject part of your klist output match the added username in the HBase Superusers configuration precisely?
If your user is in a different realm than the cluster services, is the realm name present as part of HDFS -> Configuration -> 'Trusted Realms'?
Are all commands done as the superuser failing? What HBase shell command/operation specifically is leading to your quoted error?
As to adding groups, it can be done in the same field, except you need to add an '@' prefix to the name. For ex. if your group is cluster_administrators, then add it in as '@cluster_administrators' in the HBase Superusers config. When using usernames, the @ must not be specified. Both approaches should work though.
P.s. If you'll be relying on groups, ensure all cluster hosts return consistent group lookup output for id <user> commands, as the authorization check is distributed across the cluster roles for HBase.
03-20-2019 07:38 AM
03-20-2019 09:01 AM