Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

After creating an encryption zone for HBase, I can still access content with non-authorized users using hbase shell

avatar
Explorer

I am currently in the process of trying to encrypt data in HBase by creating an HDFS encryption zone for the /apps/hbase directory as stated here:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/hbase-with-hdfs-e...

I was able to successfully make the zone and I can access files in it (via HDFS) with my designated user "hbase", which I added a policy for in Ranger. However, if I create a random user "myuser" and access the hbase tables via hbase shell, I can see all of the data. If I try to access the data via HDFS I cannot access the files.

Why can the user without access to the encrypted key see the data (unencrypted) in HBase via hbase shell?

Thanks.

HDP 2.4

1 ACCEPTED SOLUTION

avatar
Super Guru

Remember that HBase is ultimately handling the access to HDFS for the HBase API calls that you make.

One simple example of this is that even though you may issue a request to read a record from a table, the files in HDFS are owned by "hbase" and your user would be unable to read them directly.

The same extends to the encryption zones. HBase is capable of reading the data, but your user isn't. You can still read the data in HBase as that user as HBase is only enforcing authorization of your user's request into HBase. Your user isn't directly reading the data.

View solution in original post

6 REPLIES 6

avatar
Super Guru

Remember that HBase is ultimately handling the access to HDFS for the HBase API calls that you make.

One simple example of this is that even though you may issue a request to read a record from a table, the files in HDFS are owned by "hbase" and your user would be unable to read them directly.

The same extends to the encryption zones. HBase is capable of reading the data, but your user isn't. You can still read the data in HBase as that user as HBase is only enforcing authorization of your user's request into HBase. Your user isn't directly reading the data.

avatar
Explorer

Understood, thanks. I guess I was confusing authorization with information hiding. Authorization still needs to be put in place on HBase to completely block unauthorized user access to data if the hbase user has access at the HDFS level.

avatar
Super Guru

Exactly! You got it now 🙂

avatar
Contributor

if some one wants to block others users in hbase shell also how can he do that.
I am facing same issue from apps/hbase/data my user is not able to decrypt file but can read table data in hbase shell.

avatar
Contributor

i.e i want my other user to have access to hbase(to configure in ranger) but not having acess to decrypt (configure in ranger kms).so while acesing thorugh hbase with that user i should get an error msg that user is not able to decrypt.

avatar
Super Guru

Please ask your own question.