
HDP2.4 - HBase permissions using Ranger not working

Expert Contributor
screen-shot-2017-01-29-at-101055-pm.png

screen-shot-2017-01-29-at-101120-pm.png

screen-shot-2017-01-29-at-101203-pm.png

screen-shot-2017-01-29-at-101319-pm.png

Hi All - I've a kerberized HDP 2.4 cluster, and I've set up permissions for HBase using Ranger.

I've created users - hbase_user1 and given them permission to table - 'iemployee'

Also, I've disabled HBase Global access to HBase tables using Ranger.

However, on HBase shell - when I try to list the HBase tables using hbase_user1, I'm not able to see any tables.

When I launch HBase Shell using user root, I'm able to see all the tables & also scan table - 'iemployee'

Any ideas what needs to be done, this was working earlier.

Attaching screenshots of Ranger policies & terminal windows.


11 REPLIES

Expert Contributor

@mqureshi, @Neeraj Sabharwal - any ideas on this?

Super Guru
@Karan Alang

Do you do a kinit when you log in as "hbase_user1"? If not, you have to do that. Authentication before Authorization.

Expert Contributor

@mqureshi - yes, kinit is done for both users, pls. see attached screenshots.

screen-shot-2017-01-29-at-103823-pm.png

screen-shot-2017-01-29-at-103842-pm.png

Super Guru

@Karan Alang

I think I know what's going on here. If you look at your root user, you actually kinit with user hbase. In case of user "hbase_user1", you kinit with "hbase_user1". You probably have the following settings in your hbase-site.xml:

<property>
  <name>hbase.regionserver.kerberos.principal</name>
  <value>hbase/_HOST@YOUR-REALM.COM</value>
</property>

<property>
  <name>hbase.regionserver.keytab.file</name>
  <value>/etc/hbase/conf/hbase.keytab</value>
</property>

<property>
  <name>hbase.master.kerberos.principal</name>
  <value>hbase/_HOST@YOUR-REALM.COM</value>
</property>

<property>
  <name>hbase.master.keytab.file</name>
  <value>/etc/hbase/conf/hbase.keytab</value>
</property>

and in your core-site.xml you probably have the following:

<property>
  <name>hadoop.proxyuser.hbase.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.hbase.groups</name>
  <value>*</value>
</property>

This means user hbase can impersonate other users. So when you are logging in as root, you actually kinit using hbase and since hbase can impersonate anyone, your root works. But when you log in as hbase_user1, you also kinit using user hbase_user1 and since hbase_user1 has no setting in core-site.xml (or hbase-site.xml), it doesn't really work.

Also, please, if you have a follow-up comment or question, just add it to this answer. Please don't create a new answer for your comment or follow-up question.

Expert Contributor

@mqureshi - this was actually working earlier (I'd set this a couple of months back), and I don't remember making any changes so am surprised this has stopped working.

Attaching core-site.xml & hbase-site.xml, the settings are similar to what you mentioned.

Any ideas on what needs to be done to enable this? How do I debug this?

core-sitexml.txt

hbase-sitexml.txt

Super Guru

@Karan Alang

I don't think it was working the way you think it was working. I think it was working when you log in to your Linux box as "hbase_user1" and then kinit using "hbase@EXAMPLE.COM" and then it probably worked. It should still work that way. You should look at the following. Depending on your client being Thrift or REST, you need to set appropriate properties as specified in this link.

http://hbase.apache.org/0.94/book/security.html

Do the following in your hbase-site.xml:

<property>
  <name>hbase.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hadoop.proxyuser.hbase_user1.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.hbase_user1.hosts</name>
  <value>*</value>
</property>

Expert Contributor

@mqureshi - I'll check details on this.

Also, pls see my response to vperiasamy's note, that was the other thing that I noticed.

I'm not seeing the access requests for hbase_user1 (screenshot attached)

screen-shot-2017-01-30-at-111935-am.png

Also, since I've blocked Global access to HBase tables, I think even user - hbase should not be able to access the table.

Any ideas/comments?

Super Guru

@Karan Alang

According to the following property in your hbase-site.xml, hbase is your super user. You cannot block it.

<property>
  <name>hbase.superuser</name>
  <value>hbase</value>
</property>

Do you see any audit log for the failure?
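
Added example (not part of the original thread, and not code from HBase or Ranger): a small Python check that reads a Hadoop-style site file and lists the settings the answers above point to, namely `hbase.superuser` entries and `hadoop.proxyuser.*` rules, so it is clear which identities are superusers or may impersonate others. The function names and the sample XML are constructed for illustration from the property values quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample combining the property values quoted in the thread.
SAMPLE_SITE_XML = """<configuration>
  <property><name>hbase.superuser</name><value>hbase</value></property>
  <property><name>hadoop.proxyuser.hbase.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hbase.groups</name><value>*</value></property>
  <property><name>hbase.security.authorization</name><value>true</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style site file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(props):
    """Report the superuser and impersonation settings the thread discusses."""
    findings = []
    # Authorization is off unless this property is explicitly set to true.
    if props.get("hbase.security.authorization", "false").lower() != "true":
        findings.append(("authorization-off", "hbase.security.authorization", ""))
    # hbase.superuser is a comma-separated list; a leading '@' names a group.
    for entry in props.get("hbase.superuser", "").split(","):
        if entry.strip():
            findings.append(("superuser", "hbase.superuser", entry.strip()))
    # hadoop.proxyuser.<user>.hosts / .groups control who <user> may impersonate.
    for name, value in sorted(props.items()):
        parts = name.split(".")
        if name.startswith("hadoop.proxyuser.") and parts[-1] in ("hosts", "groups"):
            user = ".".join(parts[2:-1])
            kind = "proxyuser-wildcard" if value == "*" else "proxyuser"
            findings.append((kind, name, user))
    return findings


if __name__ == "__main__":
    for kind, prop, subject in audit(load_properties(SAMPLE_SITE_XML)):
        print(f"{kind:20} {prop:35} {subject}")
```

Run it against the merged contents of core-site.xml and hbase-site.xml; any `superuser` or `proxyuser-wildcard` row names an identity whose access should be reviewed alongside the table policies.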