After creating an encryption zone for HBase, I can still access content with non-authorized users using hbase shell
Created 03-07-2017 05:22 AM
I am currently in the process of trying to encrypt data in HBase by creating an HDFS encryption zone for the /apps/hbase directory as stated here:
I was able to successfully make the zone and I can access files in it (via HDFS) with my designated user "hbase", which I added a policy for in Ranger. However, if I create a random user "myuser" and access the hbase tables via hbase shell, I can see all of the data. If I try to access the data via HDFS I cannot access the files.
Why can the user without access to the encrypted key see the data (unencrypted) in HBase via hbase shell?
Thanks.
HDP 2.4
Created 03-07-2017 06:00 PM
Remember that HBase is ultimately handling the access to HDFS for the HBase API calls that you make.
One simple example of this is that even though you may issue a request to read a record from a table, the files in HDFS are owned by "hbase" and your user would be unable to read them directly.
The same extends to the encryption zones. HBase is capable of reading the data, but your user isn't. You can still read the data in HBase as that user as HBase is only enforcing authorization of your user's request into HBase. Your user isn't directly reading the data.
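The fix this answer points at, shown as an added example that is not from the thread and not copied from HDP or HBase documentation: the hbase-site.xml settings that make HBase enforce per-user authorization instead of leaving the only check at the HDFS/KMS layer, where the identity being checked is always the "hbase" service account. The table name `mytable` and user `myuser` in the usage note are assumptions.

```xml
<!-- hbase-site.xml, added example (not from the thread).
     Weak setting (the HBase 1.x default, and what the question describes):
       hbase.security.authorization = false
     With it, every client that can reach a RegionServer reads every table,
     because HBase itself, running as "hbase" and holding the encryption-zone
     key grant in Ranger KMS, decrypts on the client's behalf and never asks
     who the client is. The properties below turn that check on. -->
<property>
  <name>hbase.security.authorization</name>
  <value>true</value>
</property>

<!-- The AccessController coprocessor performs the enforcement and must be
     loaded on the master, on every region and on every regionserver.
     When the Ranger HBase plugin is enabled (as in the question), Ambari
     registers Ranger's coprocessor in these properties instead and the
     grants live in Ranger policies rather than in the hbase:acl table;
     hbase.security.authorization must still be true either way. -->
<property>
  <name>hbase.coprocessor.master.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
  <name>hbase.coprocessor.regionserver.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>

<!-- Authorization is only as strong as the identity it is applied to.
     Without Kerberos, hbase shell reports whatever OS user it runs as, so any
     local account can present itself as "hbase" and bypass the ACLs. -->
<property>
  <name>hbase.security.authentication</name>
  <value>kerberos</value>
</property>
```

After restarting HBase, an HBase superuser grants access from hbase shell with `grant 'myuser', 'R', 'mytable'` and checks it with `user_permission 'mytable'`; a user with no grant now gets `org.apache.hadoop.hbase.security.AccessDeniedException` on `scan`. Note that the error is an HBase authorization error, not a decryption error: the encryption-zone key is still fetched by "hbase", so keeping `myuser` out of the HDFS policy for /apps/hbase and out of the KMS key policy protects only the direct-file path, and the HBase grant is what protects the table path.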
Created 03-08-2017 03:57 AM
Understood, thanks. I guess I was confusing authorization with information hiding. Authorization still needs to be put in place on HBase to completely block unauthorized user access to data if the hbase user has access at the HDFS level.
Created 03-08-2017 05:41 PM
Exactly! You got it now 🙂
Created 02-14-2018 09:52 AM
If someone wants to block other users in hbase shell as well, how can he do that?
I am facing the same issue: under apps/hbase/data my user is not able to decrypt the file, but can read table data in hbase shell.
Created 02-14-2018 10:00 AM
i.e. I want my other user to have access to HBase (configured in Ranger) but not have access to decrypt (configured in Ranger KMS), so while accessing through HBase with that user I should get an error message that the user is not able to decrypt.
Created 02-14-2018 03:24 PM
Please ask your own question.