I'm trying to set up the ACLs for HBase now that we have enabled secure authentication. I'm using the HBase shell, but I don't have permissions to grant anything:
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=<redacted>, scope=GLOBAL, action=ADMIN)
I have added my user name to the "HBase Superuser" setting under configuration and re-deployed the service, but the error persists.
Thank you for confirming the details,
Does the subject part of your klist output match the added username in the HBase Superusers configuration precisely?
If your user is in a different realm than the cluster services, is the realm name present as part of HDFS -> Configuration -> 'Trusted Realms'?
Are all commands done as the superuser failing? What HBase shell command/operation specifically is leading to your quoted error?
As to adding groups, it can be done in the same field, except you need to add an '@' prefix to the name. For ex. if your group is cluster_administrators, then add it in as '@cluster_administrators' in the HBase Superusers config. When using usernames, the @ must not be specified. Both approaches should work though.
P.s. If you'll be relying on groups, ensure all cluster hosts return consistent group lookup output for id <user> commands, as the authorization check is distributed across the cluster roles for HBase.