Created 04-13-2015 01:06 AM
Hi
I am using the Cloudera QuickStart VM, which has HBase version 0.98.6 and CDH 5.3. I want to implement cell-level security in HBase. The table description is as follows:
hbase(main):005:0> describe 'Employee'
DESCRIPTION                                                                                       ENABLED
'Employee',                                                                                       true
{NAME => 'edu', DATA_BLOCK_ENCODING => 'FAST_DIFF', BLOOMFILTER => 'NONE', REPLICATION_SCOPE => '0', VERSIONS => '100', COMPRESSION => 'SNAPPY', MIN_VERSIONS => '0', TTL => 'FOREVER', KEEP_DELETED_CELLS => 'false', BLOCKSIZE => '65536', IN_MEMORY => 'false', BLOCKCACHE => 'false'},
{NAME => 'exp', DATA_BLOCK_ENCODING => 'FAST_DIFF', BLOOMFILTER => 'NONE', REPLICATION_SCOPE => '0', VERSIONS => '100', COMPRESSION => 'SNAPPY', MIN_VERSIONS => '0', TTL => 'FOREVER', KEEP_DELETED_CELLS => 'false', BLOCKSIZE => '65536', IN_MEMORY => 'false', BLOCKCACHE => 'false'},
{NAME => 'pd', DATA_BLOCK_ENCODING => 'FAST_DIFF', BLOOMFILTER => 'NONE', REPLICATION_SCOPE => '0', VERSIONS => '100', COMPRESSION => 'SNAPPY', MIN_VERSIONS => '0', TTL => 'FOREVER', KEEP_DELETED_CELLS => 'false', BLOCKSIZE => '65536', IN_MEMORY => 'false', BLOCKCACHE => 'false'}
I have made the following changes in hbase-site.xml:
<property>
<name>hfile.format.version</name>
<value>3</value>
</property>
I run the following command in the hbase shell:
grant 'Employee', \
{ 'manwarul' => 'RW' }, \
{ COLUMNS => 'pd', FILTER => "(PrefixFilter ('T'))" }
manwarul is the user name.
It gives the following error:
ERROR: Failed 1 action: org.apache.hadoop.hbase.DoNotRetryIOException: Cell ACLs cannot be persisted
at org.apache.hadoop.hbase.security.access.AccessController.prePut(AccessController.java:1373)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$30.call(RegionCoprocessorHost.java:787)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1517)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1592)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1549)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.prePut(RegionCoprocessorHost.java:783)
at org.apache.hadoop.hbase.regionserver.HRegion.doPreMutationHook(HRegion.java:2282)
at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2257)
at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2213)
at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2217)
at org.apache.hadoop.hbase.regionserver.HRegionServer.doBatchOp(HRegionServer.java:4406)
at org.apache.hadoop.hbase.regionserver.HRegionServer.doNonAtomicRegionMutation(HRegionServer.java:3608)
at org.apache.hadoop.hbase.regionserver.HRegionServer.multi(HRegionServer.java:3496)
at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:29931)
at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2031)
at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:108)
at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:116)
at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:96)
at java.lang.Thread.run(Thread.java:745)
: 1 time,
Please help me to resolve this issue.
Thanks
Manwarul
Created 05-11-2015 05:58 AM
I have resolved the issue "Cell ACLs cannot be persisted". But when I logged in to the hbase shell as user manwarul and tried to scan the 'Employee' table, it gave ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions.
Please help me to resolve this issue.
Created 05-11-2015 07:30 AM
Hi,
You need more than just that.
Please have a look here: https://hbase.apache.org/book.html#security.example.config
If you are using CM, some of those setups might be available through the interface.
JM
Created 05-14-2015 03:36 AM
Hi JMS,
Thanks for reply.
I have configured hbase-site.xml as follows:
<!-- HFile v3 Support -->
<property>
<name>hfile.format.version</name>
<value>3</value>
</property>
<!-- HBase Superuser -->
<property>
<name>hbase.superuser</name>
<value>hbase, admin</value>
</property>
<!-- Coprocessors for ACLs and Visibility Tags -->
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController,
org.apache.hadoop.hbase.security.visibility.VisibilityController,
org.apache.hadoop.hbase.security.token.TokenProvider</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController,
org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<property>
<name>hbase.coprocessor.regionserver.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController,
org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<!-- Executable ACL for Coprocessor Endpoints -->
<property>
<name>hbase.security.exec.permission.checks</name>
<value>true</value>
</property>
<!-- Whether a user needs authorization for a visibility tag to set it on a cell -->
<property>
<name>hbase.security.visibility.mutations.checkauth</name>
<value>false</value>
</property>
<!-- Secure RPC Transport -->
<property>
<name>hbase.rpc.protection</name>
<value>auth-conf</value>
</property>
<!-- Transparent Encryption -->
<property>
<name>hbase.crypto.keyprovider</name>
<value>org.apache.hadoop.hbase.io.crypto.KeyStoreKeyProvider</value>
</property>
<property>
<name>hbase.client.crypto.keyprovider.parameters</name>
<value><![CDATA[keyStoreUrl=file:///etc/hbase/conf.cloudera.hbase/keystore.jks&keyStoreType=JCEKS&password=123456]]></value>
</property>
<property>
<name>hbase.crypto.master.key.name</name>
<value>hbase</value>
</property>
<!-- WAL Encryption -->
<property>
<name>hbase.regionserver.hlog.reader.impl</name>
<value>org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogReader</value>
</property>
<property>
<name>hbase.regionserver.hlog.writer.impl</name>
<value>org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogWriter</value>
</property>
<property>
<name>hbase.regionserver.wal.encryption</name>
<value>true</value>
</property>
<!-- For key rotation -->
<property>
<name>hbase.crypto.master.alternate.key.name</name>
<value>hbase.old</value>
</property>
<!-- Secure Bulk Load -->
<property>
<name>hbase.bulkload.staging.dir</name>
<value>/tmp/hbase-staging</value>
</property>
<!-- hbase.coprocessor.region.classes is also defined above; a later definition of the same
     property replaces the earlier one, so every region coprocessor must be listed here -->
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.token.TokenProvider,
org.apache.hadoop.hbase.security.access.AccessController,
org.apache.hadoop.hbase.security.visibility.VisibilityController,
org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
</property>
---------------------------------------------------------------------------------------------------------------------------------------
Still, when I log in to the hbase shell as user manwarul and try to scan the 'Employee' table, it gives ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions.
Please help me to resolve this issue.
Thanks
Manwarul
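An added example, not code from this thread: a small linter for an hbase-site.xml that reports the mistakes visible in the configuration posted above. It flags a property defined twice in one file (Hadoop's Configuration keeps only the last definition, so the second hbase.coprocessor.region.classes list silently replaces the first and drops VisibilityController from the regions), a slash inside a coprocessor class name, VisibilityController named in the access package instead of the visibility package, AccessController missing from any of the three coprocessor lists (the HBase book's example config, linked in the reply above, loads it in all three), and hfile.format.version below 3, which is the condition AccessController checks before it will persist cell ACLs. The two XML documents are constructed inline: an abbreviated copy of the posted file, and the same file corrected.

```python
"""Lint an hbase-site.xml for the coprocessor mistakes seen in this thread.

Added example, not code from the thread or from HBase itself.
"""
import re
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
VISIBILITY_CONTROLLER = "org.apache.hadoop.hbase.security.visibility.VisibilityController"
REGION_KEY = "hbase.coprocessor.region.classes"
MASTER_KEY = "hbase.coprocessor.master.classes"
REGIONSERVER_KEY = "hbase.coprocessor.regionserver.classes"
# A Java fully qualified class name: dot-separated identifiers, no slashes.
FQCN = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")


def prop(name, value):
    return f"<property><name>{name}</name><value>{value}</value></property>"


# Constructed sample: an abbreviated copy of the posted configuration that
# keeps the properties the checks look at, defects included.
POSTED = "<configuration>" + "".join([
    prop("hfile.format.version", "3"),
    prop(REGION_KEY, f"{ACCESS_CONTROLLER},\n {VISIBILITY_CONTROLLER},\n "
         "org.apache.hadoop.hbase.security.token.TokenProvider"),
    prop(MASTER_KEY, f"{ACCESS_CONTROLLER},\n {VISIBILITY_CONTROLLER}"),
    prop(REGIONSERVER_KEY, "org.apache.hadoop/hbase.security.access.AccessController,\n "
         "org.apache.hadoop.hbase.security.access.VisibilityController"),
    # second definition of the region list, as in the Secure Bulk Load section
    prop(REGION_KEY, "org.apache.hadoop.hbase.security.token.TokenProvider,\n "
         f"{ACCESS_CONTROLLER},org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint"),
]) + "</configuration>"

# The same file corrected: one merged region list and valid class names.
FIXED = "<configuration>" + "".join([
    prop("hfile.format.version", "3"),
    prop(REGION_KEY, "org.apache.hadoop.hbase.security.token.TokenProvider,\n "
         f"{ACCESS_CONTROLLER},\n {VISIBILITY_CONTROLLER},\n "
         "org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint"),
    prop(MASTER_KEY, f"{ACCESS_CONTROLLER},\n {VISIBILITY_CONTROLLER}"),
    prop(REGIONSERVER_KEY, f"{ACCESS_CONTROLLER},\n {VISIBILITY_CONTROLLER}"),
]) + "</configuration>"


def parse_properties(xml_text):
    """Return (effective, counts). effective maps a name to the value Hadoop's
    Configuration would use (the last definition in the file wins); counts maps
    a name to how many times it was defined."""
    effective, counts = {}, {}
    for p in ET.fromstring(xml_text).iter("property"):
        name = p.findtext("name", "").strip()
        if name:
            effective[name] = p.findtext("value", "").strip()
            counts[name] = counts.get(name, 0) + 1
    return effective, counts


def split_classes(value):
    """Split a comma-separated coprocessor list, tolerating line breaks."""
    return [c.strip() for c in value.split(",") if c.strip()]


def lint(xml_text):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    effective, counts = parse_properties(xml_text)

    for name, n in counts.items():
        if n > 1:
            findings.append(f"{name}: defined {n} times, only the last definition is used")

    # Cell ACLs are stored as cell tags, which need HFile v3.
    version = effective.get("hfile.format.version", "")
    if not version.isdigit() or int(version) < 3:
        findings.append("hfile.format.version must be 3 for cell-level ACLs")

    lists = {k: split_classes(effective.get(k, ""))
             for k in (REGION_KEY, MASTER_KEY, REGIONSERVER_KEY)}
    for key, classes in lists.items():
        for cls in classes:
            if not FQCN.match(cls):
                findings.append(f"{key}: '{cls}' is not a valid class name")
            elif cls.endswith(".VisibilityController") and cls != VISIBILITY_CONTROLLER:
                findings.append(f"{key}: '{cls}' should be {VISIBILITY_CONTROLLER}")
        if ACCESS_CONTROLLER not in classes:
            findings.append(f"{key}: AccessController is not loaded")

    # An overriding second region list silently drops the visibility coprocessor.
    if VISIBILITY_CONTROLLER in lists[MASTER_KEY] and VISIBILITY_CONTROLLER not in lists[REGION_KEY]:
        findings.append(f"{REGION_KEY}: VisibilityController configured on the master but not on regions")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(f"{label}: {len(lint(text))} finding(s)")
        for finding in lint(text):
            print("  -", finding)
```

To run it against a real file, read the file's contents and pass them to `lint()`; the checks only look at property names and values, so a CM-generated hbase-site.xml with the advanced configuration snippet appended is parsed the same way.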
Created 05-14-2015 03:57 AM
This is expected, right?
You have activated the security, but have you given your user the rights to scan this table?
If you activate security, by default no-one has any rights. So you might want to grant the rights to the correct users using an admin user?
JMS
Created 05-14-2015 05:21 AM
Hi JMS,
I have done all the settings as I described in the thread above, and I have also given permission with the following command in the shell:
grant 'Employee', { 'manwarul' => 'R' }, { COLUMNS => 'pd', FILTER => "(PrefixFilter ('T'))" }
But when I log in as user manwarul in the shell, it gives an AccessDenied error.
Thanks
Manwarul
Created 05-14-2015 05:27 AM
OK. Then give me a bit of time. I will install the same version as you and do the same steps to see if I can reproduce it and then figure out what it is.
I'm already testing something else right now, so it might take a day or two to come back to you...
From this thread I see that you are using CDH 5.3.0. That's the version I will try. Please let me know if it's not the correct one.
JM
Created 05-14-2015 11:16 PM
Hi JMS,
Yes, you are correct. I am using CDH 5.3.0.
Thanks
Manwarul