
After creating an encryption zone for HBase, I can still access content with non-authorized users using hbase shell


I am currently in the process of trying to encrypt data in HBase by creating an HDFS encryption zone for the /apps/hbase directory as stated here:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/hbase-with-hdfs-e...

I was able to successfully make the zone and I can access files in it (via HDFS) with my designated user "hbase", which I added a policy for in Ranger. However, if I create a random user "myuser" and access the hbase tables via hbase shell, I can see all of the data. If I try to access the data via HDFS I cannot access the files.

Why can the user without access to the encrypted key see the data (unencrypted) in HBase via hbase shell?

Thanks.

HDP 2.4

Accepted solution

Re: After creating an encryption zone for HBase, I can still access content with non-authorized users using hbase shell

Remember that HBase is ultimately handling the access to HDFS for the HBase API calls that you make.

One simple example of this is that even though you may issue a request to read a record from a table, the files in HDFS are owned by "hbase" and your user would be unable to read them directly.

The same extends to the encryption zones. HBase is capable of reading the data, but your user isn't. You can still read the data in HBase as that user as HBase is only enforcing authorization of your user's request into HBase. Your user isn't directly reading the data.


Re: After creating an encryption zone for HBase, I can still access content with non-authorized users using hbase shell


Understood, thanks. I guess I was confusing authorization with information hiding. Authorization still needs to be put in place on HBase to completely block unauthorized user access to data if the hbase user has access at the HDFS level.
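The distinction drawn in the thread is that the encryption zone (and its key ACL in Ranger KMS) only controls who can decrypt the HFiles in HDFS, while the RegionServers, running as "hbase", decrypt on behalf of every client; what a client such as "myuser" may read through hbase shell is decided solely by HBase's own authorization layer, which is off by default. The following is an added example, not code from the thread or from HBase: a small Python audit of an hbase-site.xml that reports whether that layer is actually enabled (Kerberos authentication, `hbase.security.authorization`, and an authorization coprocessor on master, region and regionserver). The property and class names are HBase's and Ranger's documented ones; the two sample XML documents are constructed for the example.

```python
"""Audit hbase-site.xml for the settings that actually gate access from hbase shell.

An HDFS encryption zone protects the HFiles at rest: the RegionServers run as
'hbase', hold the key, and decrypt for whoever calls the HBase API. Whether
'myuser' may read a table is decided only by HBase's authorization layer, which
is inactive unless the properties checked below are set. The sample XML
documents are constructed for this example.
"""
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
RANGER_HBASE_PLUGIN = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
COPROCESSOR_KEYS = (
    "hbase.coprocessor.master.classes",
    "hbase.coprocessor.region.classes",
    "hbase.coprocessor.regionserver.classes",
)

# Constructed sample: a cluster that only has the encryption zone on /apps/hbase.
WEAK_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hbase.rootdir</name><value>hdfs://nn:8020/apps/hbase/data</value></property>
  <property><name>hbase.security.authorization</name><value>false</value></property>
</configuration>
"""

# Constructed sample: Kerberos authentication plus the AccessController coprocessors.
HARDENED_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hbase.rootdir</name><value>hdfs://nn:8020/apps/hbase/data</value></property>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.security.authorization</name><value>true</value></property>
  <property><name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
  <property><name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value></property>
  <property><name>hbase.coprocessor.regionserver.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
</configuration>
"""


def parse_hbase_site(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def audit_authorization(props):
    """Return a list of findings; an empty list means HBase-level access control is in place."""
    findings = []
    # Without Kerberos, HBase takes the caller's identity from the client OS user,
    # unauthenticated, so any later authorization decision rests on a claimed name.
    if props.get("hbase.security.authentication", "simple").lower() != "kerberos":
        findings.append("hbase.security.authentication is not 'kerberos': client identity is unauthenticated")
    if props.get("hbase.security.authorization", "false").lower() != "true":
        findings.append("hbase.security.authorization is not 'true': table and column ACLs are not enforced")
    # The ACL check is done by a coprocessor; either HBase's AccessController or the
    # Ranger HBase plugin must be loaded on master, region and regionserver.
    for key in COPROCESSOR_KEYS:
        classes = [c.strip() for c in props.get(key, "").split(",") if c.strip()]
        if not any(c in (ACCESS_CONTROLLER, RANGER_HBASE_PLUGIN) for c in classes):
            findings.append(f"{key} loads no authorization coprocessor")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        findings = audit_authorization(parse_hbase_site(xml_text))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

With the weak configuration the audit reports five findings (no Kerberos, authorization off, and no coprocessor on any of the three tiers), which is exactly the state in which an encryption zone alone leaves hbase shell wide open; the hardened configuration reports none. On a Ranger-managed cluster the coprocessor is the Ranger HBase plugin rather than AccessController, and the table policies live in Ranger's HBase service, separately from the key policies in Ranger KMS.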


Re: After creating an encryption zone for HBase, I can still access content with non-authorized users using hbase shell

Exactly! You got it now :)


Re: After creating an encryption zone for HBase, I can still access content with non-authorized users using hbase shell

If someone wants to block other users in hbase shell as well, how can he do that?
I am facing the same issue: from /apps/hbase/data my user is not able to decrypt the file, but can read the table data in hbase shell.


Re: After creating an encryption zone for HBase, I can still access content with non-authorized users using hbase shell

i.e. I want my other user to have access to HBase (configured in Ranger) but not have access to decrypt (configured in Ranger KMS). So while accessing through HBase with that user, I should get an error message that the user is not able to decrypt.


Re: After creating an encryption zone for HBase, I can still access content with non-authorized users using hbase shell

Please ask your own question.
