HBase simple authorization group permissions not working

New Contributor

Hi, I am running a simple training cluster (non-kerberized) on CDH 5.14.4. I was asked to enable HBase simple authorization just to prevent users accidentally overwriting each other's HBase tables. However, I've found that after enabling HBase simple authorization following the guide https://www.cloudera.com/documentation/enterprise/5-14-x/topics/cdh_sg_hbase_authorization.html and attempting to add some group permissions, I still get access denied errors, even though the group exists locally on the active namenode and the group appears to be mapped correctly (appears in whoami as user).

E.g., on the active namenode:

> id user1

uid=10099(user1) gid=10099(user1) groups=10000(admin),10099(user1)

> sudo -u hbase hbase shell

hbase(main):001:0> user_permission

@admin               hbase,hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]

hbase(main):001:0> exit

(as user1) > hbase shell

hbase(main):001:0> whoami

user1 (auth:SIMPLE)
    groups: user1, admin

hbase(main):001:0> user_permission

User                  Namespace,Table,Family,Qualifier:Permission

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'user1' (global, action=ADMIN)
        at org.apache.hadoop.hbase.security.access.AccessController.requireGlobalPermission(AccessController.java:546)
        at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:522)
        at org.apache.hadoop.hbase.security.access.AccessController.getUserPermissions(AccessController.java:2335)
        at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.getUserPermissions(AccessControlProtos.java:9949)
        at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10107)
        at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:7996)
        at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:1986)
        at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:1968)
        at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:33652)
        at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2191)
        at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:112)
        at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:183)
        at org.apache.hadoop.hbase.ipc.RpcExecutor$Handler.run(RpcExecutor.java:163)

1 ACCEPTED SOLUTION

Mentor
HBase authz will not consult NameNode for groups but rather will check it
local to each serving RegionServer handling the request.

Ensure your Linux user and groups are consistent across _all_ cluster hosts
for a predictable result with any authorization feature.
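
The consistency check the accepted answer calls for, as an added example that is not part of the original posts: it compares `id -Gn <user>` output gathered from every host against the first host's. The host names and sample lines are constructed, and collecting the lines over ssh (shown in a comment) is an assumption about how the hosts are reached.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Compares one user's groups across hosts.
# stdin:  one line per host: "<host> <group> <group> ..." (host + `id -Gn <user>`).
#         A host where the user does not exist yields a line with only the host name.
# stdout: one line per host whose group set differs from the first (reference) host.
# return: 0 if every host agrees with the reference, 1 otherwise.
#
# Assumed collection loop (hosts.txt lists the namenode first, then RegionServers):
#   while read -r h; do
#     printf '%s %s\n' "$h" "$(ssh -n "$h" id -Gn user1 2>/dev/null)"
#   done < hosts.txt | group_drift
group_drift() {
  awk '
    {
      host = $1
      split("", seen)                          # reset the per-host group set
      for (i = 2; i <= NF; i++) seen[$i] = 1
      if (NR == 1) {                           # first line is the reference host
        n = NF - 1
        for (i = 2; i <= NF; i++) { ref[$i] = 1; order[i - 1] = $i }
        next
      }
      missing = ""; extra = ""
      for (i = 1; i <= n; i++)  if (!(order[i] in seen)) missing = missing " " order[i]
      for (i = 2; i <= NF; i++) if (!($i in ref))        extra   = extra " " $i
      if (missing != "" || extra != "") {
        printf "%s: missing=[%s] extra=[%s]\n", host, substr(missing, 2), substr(extra, 2)
        drift = 1
      }
    }
    END { exit drift + 0 }
  '
}

# Constructed sample: the group exists on the namenode and rs2 only; rs1 lacks the
# admin membership and rs3 does not have the user at all.
sample_cluster() {
  cat <<'EOF'
nn1.example.test user1 admin
rs1.example.test user1
rs2.example.test admin user1
rs3.example.test
EOF
}

sample_cluster | group_drift || true
```

Any host reported here resolves a different group set for the user, so an `@admin` grant would not apply to requests served there.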

New Contributor

That worked, thanks very much.

I'd missed this difference between HBase and HDFS.