After creating an encryption zone for HBase, I can still access content with non-authorized users using hbase shell

Explorer

I am currently in the process of trying to encrypt data in HBase by creating an HDFS encryption zone for the /apps/hbase directory as stated here:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/hbase-with-hdfs-e...

I was able to successfully make the zone and I can access files in it (via HDFS) with my designated user "hbase", which I added a policy for in Ranger. However, if I create a random user "myuser" and access the hbase tables via hbase shell, I can see all of the data. If I try to access the data via HDFS I cannot access the files.

Why can the user without access to the encrypted key see the data (unencrypted) in HBase via hbase shell?

Thanks.

HDP 2.4

1 ACCEPTED SOLUTION

Super Guru

Remember that HBase is ultimately handling the access to HDFS for the HBase API calls that you make.

One simple example of this is that even though you may issue a request to read a record from a table, the files in HDFS are owned by "hbase" and your user would be unable to read them directly.

The same extends to the encryption zones. HBase is capable of reading the data, but your user isn't. You can still read the data in HBase as that user as HBase is only enforcing authorization of your user's request into HBase. Your user isn't directly reading the data.
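To make the two paths concrete, here is a small model of who each layer actually sees as the requester. It is an added illustration for this thread, not code from HDP, HBase or Ranger; the user names (hbase, myuser, alice), the key name hbase-key, the table t1 and the policy dicts are all constructed for the example, and the Ranger policies are reduced to plain dicts. It shows why a direct HDFS read by myuser is refused by KMS, why the same user scanning through hbase shell is allowed when no HBase policy exists (the RegionServer opens the HFiles as its own hbase service user, so the end user's name never reaches HDFS or KMS), and why the only place a refusal can come from on the hbase shell path is HBase's own authorization.

```python
"""Who HDFS, Ranger KMS and HBase each see as the requester.

Added illustration, not code from HDP, Ranger or HBase. User names (hbase,
myuser, alice), the key name (hbase-key), the table name (t1) and the policy
dicts are constructed for the example.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Carries the layer that refused, so 'HBase said no' can be told
    apart from 'KMS said no'."""

    def __init__(self, layer, msg):
        super().__init__(f"{layer}: {msg}")
        self.layer = layer


# Ranger KMS key policy (constructed): only the hbase service user may
# DECRYPT_EEK the zone key, which is what the asker set up.
KMS_KEY_ACL = {"hbase-key": {"hbase"}}


@dataclass
class Hdfs:
    """An HDFS namespace with one encryption zone on /apps/hbase."""
    zone_key: dict = field(default_factory=lambda: {"/apps/hbase": "hbase-key"})

    def read(self, user, path):
        """A direct HDFS read by `user` (e.g. `hdfs dfs -cat` as that user)."""
        zone = next((z for z in self.zone_key if path.startswith(z)), None)
        if zone is None:
            return f"cleartext file {path}"
        key = self.zone_key[zone]
        # The NameNode returns an encrypted DEK; the HDFS *client* then asks
        # KMS to decrypt it, so the identity KMS checks is the HDFS client.
        if user not in KMS_KEY_ACL.get(key, set()):
            raise AccessDenied("kms", f"{user} lacks DECRYPT_EEK on key {key}")
        return f"decrypted blocks of {path}"


@dataclass
class HBaseRegionServer:
    hdfs: Hdfs
    service_user: str = "hbase"  # the principal that opens HFiles on HDFS
    # Ranger HBase policy / HBase ACLs: table -> users allowed to read.
    # An empty dict models "no HBase authorization configured at all".
    table_readers: dict = field(default_factory=dict)

    def scan(self, user, table):
        """A `scan 't1'` issued from hbase shell running as `user`."""
        # 1. HBase authorization is evaluated against the END USER ...
        if self.table_readers and user not in self.table_readers.get(table, set()):
            raise AccessDenied("hbase", f"AccessDeniedException for {user} on {table}")
        # 2. ... but the HFile read that follows is done by the RegionServer
        #    as its own service user, which the KMS key ACL permits. The end
        #    user's name never reaches HDFS or KMS on this path.
        return self.hdfs.read(self.service_user, f"/apps/hbase/data/default/{table}")


def attempt(action):
    """Run one access attempt and report (outcome, layer that decided)."""
    try:
        action()
        return ("allowed", None)
    except AccessDenied as e:
        return ("denied", e.layer)


def run_scenarios():
    """The situations from the thread, returned for inspection."""
    hdfs = Hdfs()
    no_hbase_authz = HBaseRegionServer(hdfs)
    with_hbase_authz = HBaseRegionServer(hdfs, table_readers={"t1": {"hbase", "alice"}})
    hfile = "/apps/hbase/data/default/t1"
    return {
        # hbase reading its own files directly: the key ACL allows it
        "hbase direct hdfs": attempt(lambda: hdfs.read("hbase", hfile)),
        # myuser reading the same files directly: stopped by the KMS key ACL
        "myuser direct hdfs": attempt(lambda: hdfs.read("myuser", hfile)),
        # the asker's surprise: same user, hbase shell, no HBase policy
        "myuser hbase shell, no HBase policy": attempt(lambda: no_hbase_authz.scan("myuser", "t1")),
        # the fix: an HBase-level policy; the refusal comes from HBase, not KMS
        "myuser hbase shell, HBase policy": attempt(lambda: with_hbase_authz.scan("myuser", "t1")),
        "alice hbase shell, HBase policy": attempt(lambda: with_hbase_authz.scan("alice", "t1")),
    }


if __name__ == "__main__":
    for name, (outcome, layer) in run_scenarios().items():
        print(f"{name:40s} {outcome}" + (f" by {layer}" if layer else ""))
```

The practical consequence: a Ranger KMS key policy protects the HFiles at rest and from anyone reading HDFS directly, while table-level access for shell and API users has to be granted or denied in a Ranger HBase policy (or HBase's own ACLs), because that is the only check the end user's identity ever passes through.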


Explorer

Understood, thanks. I guess I was confusing authorization with information hiding. Authorization still needs to be put in place on HBase to completely block unauthorized user access to data if the hbase user has access at the HDFS level.

Super Guru

Exactly! You got it now 🙂

Contributor

If someone wants to block other users in hbase shell as well, how can he do that?
I am facing the same issue: from apps/hbase/data my user is not able to decrypt the file, but can read table data in hbase shell.

Contributor

i.e. I want my other user to have access to HBase (configured in Ranger) but not have access to decrypt (configured in Ranger KMS). So when accessing through HBase with that user, I should get an error message that the user is not able to decrypt.

Super Guru

Please ask your own question.