Instaling CDH5.4 with kerberos security gives me the opportunity to make grants to namespaces etc, but I want to enable visibility labels as well, which seem to be disabled by default.
Cloudera documentation only tells me this feature is experimental, but not how to enable it. Apache Book shows to add the proper coprocessors, but it also mentions the proper order of the coprocessors.
..I tried adding "org.apache.hadoop.hbase.security.visibility.VisibilityController" via the cloudera manager, but when reviewing the config changes, I see that the order is not correct, it's adding the Visibility Label in from of the (apparantly default AccessControler and TokenProvider, which is the incorrect order.
Any other way to enable this feature or to maintain the proper order?
To be complete, yes you need to use the safety valves to get the correct order of the coprocessors. You also need to set the HFile version to 3, else Hbase won't start with these coprocessors. I find this last one odd, because Hbase 1.0 should use 3 by default, as per the docs.
Anyway, use the hbase documentation sample config as a sample of which setting you need where. http://archive.cloudera.com/cdh5/cdh/5/hbase-1.0.0-cdh5.4.0/book.html#security.example.config
@Harsh J wrote:
Thanks for closing the loop! We do not activate v3 HFiles in CDH5.4 to avoid breaking compatibility/adding additional work for users upgrading from an earlier CDH5 release: https://github.com/cloudera/hbase/commit/c9eb03bbf2c54b8e502feef89a59484bad987ff8
Thanks for your response. I've only defined the VisibilityController as a coprocessor in my hbase-site.xml, so the ordering is not an issue for me. Yet the visibility label feature is still disabled for me. Anything else you can suggest for me to try? I have set the hfile.format.version property to 3 as well. I don't have the hbase.superuser property defined. I will try setting it but don't know what else I can try.