Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Cloudera Manager Hbase Visibility Labels

avatar
author-rank flint172
Contributor

Created on ‎02-23-2017 08:41 AM - edited ‎09-16-2022 04:08 AM

hello,

 

I am trying to get my CDH 5.9 installation of Hbase working with visibility labels enabled through Cloudera Manager. In the "HBase Service Advanced Configuration Snippet (Safety Valve) for hbase-site.xml" I have set:

  • hfile.format.version to 3
  • hbase.coprocessor.region.classes to org.apache.hadoop.hbase.security.visibility.VisibilityController
  • hbase.coprocessor.master.classes to org.apache.hadoop.hbase.security.visibility.VisibilityController

After restart, I log in to the Hbase shell and try to "add_labels ['TESTLABEL'] and I am getting the error:

 

ERROR: DISABLED: Visibility labels feature is not available

 

Probably something simple that I am missing, but any ideas would be appreciated.

 

5,844 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
Clifford author-rank
Cloudera Employee

Created ‎04-26-2017 01:37 PM

 

For people using Cloudera Manager 5.7+ it also requires adding the following (4th parameter) to the "HBase Service Advanced Configuration Snippet (Safety Valve) for hbase-site.xml" in order to enable visibility labels:

<property>

<name>hbase.security.authorization</name>
<value>true</value>
</property>

 

So the full list of parameters to enter into the "HBase Service Advanced Configuration Snippet (Safety Valve) for hbase-site.xml" when using Cloudera Manager 5.7+ is as follows:

<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<property>
<name>hfile.format.version</name>
<value>3</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>

 

 

Customer Operations Engineer

View solution in original post

5,502 Views
0
5 REPLIES 5

avatar
author-rank ben.hemphill
Master Collaborator

Created ‎02-23-2017 01:10 PM

Immediately what comes to mind is that there are many safety valves at different scopes of the hbase service.

hbase.coprocessor.region.classes would be scoped to the regionserver safety valve, hbase.coprocessor.master.classes would be scoped to the master safety valve, etc.

 

additionally you can typically get away with putting things in the service wide safety valve since regionserver won't throw any errors on having hmaster specific config and vice versa. There are obviously cases where you want the same config item to be different for the different services.

 

you may already know this, but here is the cloudera article on setting this up:

https://www.cloudera.com/documentation/enterprise/5-6-x/topics/cdh_ig_hbase_new_features_and_changes...

5,826 Views
0 Kudos

avatar
author-rank Harsh J author-rank
Mentor

Created ‎02-24-2017 01:32 AM

What Ben said.

To be more specific, duplicate your config of "hfile.format.version" also into the field called "HBase Client Advanced Configuration Snippet (Safety Valve) for hbase-site.xml".

The HBase shell's labels related functions look for this value in the client configuration as a pre-check guard before they can be used.
5,799 Views
0 Kudos

avatar
author-rank flint172
Contributor

Created ‎03-09-2017 06:50 AM

No joy...I still get this when I do list_labels:

 

ERROR: DISABLED: Visibility labels feature is not available

 

Still searching for a (definitive) configuration through Cloudera Manager that will actually turn on visibility labels in HBASE.

5,734 Views

avatar
Clifford author-rank
Cloudera Employee

Created ‎04-26-2017 01:37 PM

 

For people using Cloudera Manager 5.7+ it also requires adding the following (4th parameter) to the "HBase Service Advanced Configuration Snippet (Safety Valve) for hbase-site.xml" in order to enable visibility labels:

<property>

<name>hbase.security.authorization</name>
<value>true</value>
</property>

 

So the full list of parameters to enter into the "HBase Service Advanced Configuration Snippet (Safety Valve) for hbase-site.xml" when using Cloudera Manager 5.7+ is as follows:

<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<property>
<name>hfile.format.version</name>
<value>3</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>

 

 

Customer Operations Engineer

5,503 Views
0

avatar
author-rank flint172
Contributor

Created ‎04-26-2017 09:26 PM

Confirmed....thanks for this.
5,492 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements