Created 01-21-2026 01:43 AM
Hello,
In a Public Cloud Environment in the Operational Database with Azure: Snapshots were failing.
The HBase-Service Command Tab shows that it occurs while copying a snapshot to another directory because it could not acquire a SAS token. (*)
Usually those errors are related to missing rights on Managed Identities.
- But we double-checked all Azure Managed Identity IAMs and RBACs.
Sometimes the SAS-Token Failure is related to Kerberos, which is disabled.
What could have gone wrong?
(*):
Client.RangerRESTClient: ===>> RangerRESTClient.init() : Since mKeyStoreType is NULL, setting System default.
[mKeyStoreType=jks] Exception in thread "main" Failed to acquire a SAS token for get-acl on / due to org.apache.hadoop.security.AccessControlException: Permission denied. at org.apache.hadoop.fs.azurebfs.services.AbfsClient.appendSASTokenToQuery(AbfsClient.java:1233)
Created 01-21-2026 09:21 PM
@MintberryCrunch, Welcome to our community! To help you get the best possible answer, I have tagged in our HBase/CM experts @9een @rki_ @SVB who may be able to assist you further.
Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.
Regards,
Vidya Sargur,
Created on 01-22-2026 11:21 PM - edited 01-23-2026 06:32 AM
@MintberryCrunch FYI
➤ In a Public Cloud Environment using Azure Operational Database (HBase), snapshot copy failures with a Permission denied error while acquiring a SAS token for get-acl on / typically stem from missing Access Control List (ACL) permissions on the root of the storage container, even if Azure Role-Based Access Control (RBAC) roles are correctly assigned.
➤ The AccessControlException at the root directory (/) indicates the driver is attempting to validate permissions at the top level before proceeding with the operation.
➤ Recommended Troubleshooting Steps
1. Grant the "Storage Blob Delegator" Role: Add this role to the Managed Identity used by the HBase service to ensure it can generate User Delegation SAS tokens.
2. Inspect ACLs via Storage Explorer: Use Azure Storage Explorer to right-click the root of the container and select Manage ACLs. Confirm the identity has at least Execute permissions.
3. Verify Firewall Settings: Confirm that "Allow trusted Microsoft services to access this storage account" is enabled in the Storage Account's Networking tab.
4. Check for Sticky Bits: Use the Azure CLI command az storage fs access show to see if the sticky bit is enabled on the target path.
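The checks from steps 2 and 4, as an added example that is not part of the original reply: it parses JSON in the shape `az storage fs access show` prints for the container root and reports the identity's effective permissions (named-user entries are limited by the mask) and whether the sticky bit is set. The sample JSON and the object ID are constructed; group entries are not evaluated because group membership is not visible in the ACL.

```python
import json

# Constructed sample in the shape `az storage fs access show` prints for the
# container root; the object ID below is a placeholder, not from the thread.
MI_OID = "11111111-2222-3333-4444-555555555555"
SAMPLE = json.dumps({
    "acl": f"user::rwx,user:{MI_OID}:r--,group::r-x,mask::r-x,other::---,"
           "default:user::rwx,default:group::r-x,default:other::---",
    "group": "$superuser",
    "owner": "$superuser",
    "permissions": "rwxr-x--T+",
})


def parse_access_acl(acl):
    """Map (scope, identity) -> 'rwx' string, ignoring default (inherit-only) entries."""
    entries = {}
    for item in acl.split(","):
        parts = item.strip().split(":")
        if len(parts) == 3:  # default entries carry an extra leading field
            scope, identity, perms = parts
            entries[(scope, identity)] = perms
    return entries


def check_root(access_json, principal_oid):
    """Report the identity's effective root permissions and the sticky bit."""
    access = json.loads(access_json)
    entries = parse_access_acl(access["acl"])
    mask = entries.get(("mask", ""), "rwx")
    if access["owner"] == principal_oid:
        source, effective = "owner", entries[("user", "")]  # mask not applied to owner
    elif ("user", principal_oid) in entries:
        raw = entries[("user", principal_oid)]
        # Named-user entries are limited by the mask entry.
        effective = "".join(p if p == m else "-" for p, m in zip(raw, mask))
        source = "named user"
    else:
        # No direct entry: access then depends on group membership or 'other',
        # which this ACL string alone cannot resolve.
        source, effective = None, None
    return {
        "source": source,
        "effective": effective,
        "execute": bool(effective) and effective[2] == "x",
        # Sticky bit shows as t/T in the 9th permission character.
        "sticky": access["permissions"][8] in "tT",
    }
```

In the constructed sample the identity has a named entry with read only, so `execute` is reported as false even though the mask would allow it, and the trailing `T` marks the sticky bit.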