Reply
New Contributor
Posts: 5
Registered: ‎06-23-2015
Accepted Solution

Unable to disable/drop an HBase table after enabling Kerberos

I recently enabled Kerberos on a test cluster, and it looks like HBase thinks I am a different user than I was before Kerberos was enabled. 

Before enabling Kerberos, I created a lot of tables in HBase using a user called "ace".

After enabling Kerberos, I am not able to disable/drop those tables. 

HBase complains user "ace/jumphost@LOCALDOMAIN" has insufficient permissions:

 

disable 'dailybenchmarkResults'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=ace/jumphost@LOCALDOMAIN, scope=dailybenchmarkResults, family=, action=CREATE)
 

What is interesting is when I try to recreate the table, I do not get a "table already exists" or similar error as expected.  I get:

 

create  'dailybenchmarkResults',{NAME =>   'benchmarkResults', COMPRESSION =>   'SNAPPY'}

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'ace' (global, action=CREATE)

 

In this case, it seems HBase thinks I am the user 'ace'.

 

 

This is my first dive into Kerberos, so I'm probably missing something simple. 

I have been unable to find any web pages that sound similar to the issue I am experiencing. 

I have Kerberos configured correctly to access the HDFS file system with the hdfs command set. 

I have read files from and written files to HDFS.

 

I am using Cloudera Manager 5.3.0 on CentOS 6.5 with a total of 6 nodes - 3 DN, 2 NN, and my "jumphost" which is the HBase master and where the Clouders services reside, as well as where I issued my "disable" commands from.

 

My Kerberos version is from CentOS "krb5-server-1.10.3-10".  I believe this is MIT Kerberos.

 

Please do not tell me to "Upgrade my version of Cloudera Manager" without first pointing me to a bug report/change log that shows what I am experiencing was a bug and has been fixed.

 

In summary:

I have an existing cluster under which I created several tables.

After enabling Kerberos, I am unable to disable/drop the table, even though my login user name has not changed.

 

Thanks.

 

- Shawn S

 

Posts: 1,885
Kudos: 424
Solutions: 298
Registered: ‎07-31-2013

Re: Unable to disable/drop an HBase table after enabling Kerberos

There's two factors to consider here: Authentication and Authorisation. You've enabled both for HBase. You can disable the latter if you do not need it.

If you do need authorisation, then you need to configure it as out of the box there's no rules except 'administrative' rights for the 'hbase' login user. To read more on configuring your authorisation rules via the grant/revoke commands, read http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cdh_sg_hbase_authorizat...
New Contributor
Posts: 5
Registered: ‎06-23-2015

Re: Unable to disable/drop an HBase table after enabling Kerberos

Thank you for the quick response. I disabled authorization as per the link you sent me to. After the config update I was able to disable/drop/recreate the table as I had before Kerberos.

- Shawn S
Highlighted
Posts: 1,885
Kudos: 424
Solutions: 298
Registered: ‎07-31-2013

Re: Unable to disable/drop an HBase table after enabling Kerberos

Glad to hear - thanks for closing the loop!
Announcements