
Hi,Cell level security in HBase 0.98


New Contributor

Hi

 

I am using Cloudera quickstart VM which has HBase version 0.98.6 and CDH 5.3.  I want to implement cell level security in HBase. Table description is as follows 

hbase(main):005:0> describe 'Employee'
DESCRIPTION ENABLED
'Employee', {NAME => 'edu', DATA_BLOCK_ENCODING => 'FAST_DIFF', BLOOMFILTER => 'NONE', REPLICATION_SCOPE => true
'0', VERSIONS => '100', COMPRESSION => 'SNAPPY', MIN_VERSIONS => '0', TTL => 'FOREVER', KEEP_DELETED_CELLS
=> 'false', BLOCKSIZE => '65536', IN_MEMORY => 'false', BLOCKCACHE => 'false'}, {NAME => 'exp', DATA_BLOCK
_ENCODING => 'FAST_DIFF', BLOOMFILTER => 'NONE', REPLICATION_SCOPE => '0', VERSIONS => '100', COMPRESSION =
> 'SNAPPY', MIN_VERSIONS => '0', TTL => 'FOREVER', KEEP_DELETED_CELLS => 'false', BLOCKSIZE => '65536', IN_
MEMORY => 'false', BLOCKCACHE => 'false'}, {NAME => 'pd', DATA_BLOCK_ENCODING => 'FAST_DIFF', BLOOMFILTER =
> 'NONE', REPLICATION_SCOPE => '0', VERSIONS => '100', COMPRESSION => 'SNAPPY', MIN_VERSIONS => '0', TTL =>
'FOREVER', KEEP_DELETED_CELLS => 'false', BLOCKSIZE => '65536', IN_MEMORY => 'false', BLOCKCACHE => 'false
'}

 

I have made changes in hbase-site.xml as follows

<property>

  <name>hfile.format.version</name>

  <value>3</value>

</property>

 

I run the following command in hbase shell 

grant 'Employee', \
{ 'manwarul' => 'RW' }, \
{ COLUMNS => 'pd', FILTER => "(PrefixFilter ('T'))" }

 

manwarul is user name

 

It gives the following error:

 

ERROR: Failed 1 action: org.apache.hadoop.hbase.DoNotRetryIOException: Cell ACLs cannot be persisted
at org.apache.hadoop.hbase.security.access.AccessController.prePut(AccessController.java:1373)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$30.call(RegionCoprocessorHost.java:787)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1517)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1592)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1549)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.prePut(RegionCoprocessorHost.java:783)
at org.apache.hadoop.hbase.regionserver.HRegion.doPreMutationHook(HRegion.java:2282)
at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2257)
at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2213)
at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate(HRegion.java:2217)
at org.apache.hadoop.hbase.regionserver.HRegionServer.doBatchOp(HRegionServer.java:4406)
at org.apache.hadoop.hbase.regionserver.HRegionServer.doNonAtomicRegionMutation(HRegionServer.java:3608)
at org.apache.hadoop.hbase.regionserver.HRegionServer.multi(HRegionServer.java:3496)
at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:29931)
at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2031)
at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:108)
at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:116)
at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:96)
at java.lang.Thread.run(Thread.java:745)
: 1 time,

 

Please help me to resolve this issue.

 

Thanks

 

Manwarul

7 REPLIES 7

Re: Hi,Cell level security in HBase 0.98

New Contributor

I have resolved the issue "Cell ACLs cannot be persisted". But when I logged in to the hbase shell as user manwarul and tried to scan the 'Employee' table, it gave ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions.

 

Please help me to resolve this issue.

Re: Hi,Cell level security in HBase 0.98

Contributor

Hi,

 

You need more than just that.

 

Please have a look there: https://hbase.apache.org/book.html#security.example.config

 

If you are using CM, some of those setups might be available through the interface.

 

JM


Re: Hi,Cell level security in HBase 0.98

New Contributor

Hi JMS,

 

Thanks for reply.

 

I have configured hbase-site.xml as follows

 

<!-- HFile v3 Support -->
<property>
  <name>hfile.format.version</name>
  <value>3</value>
</property>
<!-- HBase Superuser -->
<property>
  <name>hbase.superuser</name>
  <value>hbase, admin</value>
</property>
<!-- Coprocessors for ACLs and Visibility Tags -->
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController,
  org.apache.hadoop.hbase.security.visibility.VisibilityController,
  org.apache.hadoop.hbase.security.token.TokenProvider</value>
</property>
<property>
  <name>hbase.coprocessor.master.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController,
  org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
</property>
<property>
  <name>hbase.coprocessor.regionserver.classes</name>
  <value>org.apache.hadoop/hbase.security.access.AccessController,
  org.apache.hadoop.hbase.security.access.VisibilityController</value>
</property>
<!-- Executable ACL for Coprocessor Endpoints -->
<property>
  <name>hbase.security.exec.permission.checks</name>
  <value>true</value>
</property>
<!-- Whether a user needs authorization for a visibility tag to set it on a cell -->
<property>
  <name>hbase.security.visibility.mutations.checkauth</name>
  <value>false</value>
</property>
<!-- Secure RPC Transport -->
<property>
  <name>hbase.rpc.protection</name>
  <value>auth-conf</value>
 </property>
 <!-- Transparent Encryption -->
<property>
  <name>hbase.crypto.keyprovider</name>
  <value>org.apache.hadoop.hbase.io.crypto.KeyStoreKeyProvider</value>
</property>
<property>
 <name>hbase.client.crypto.keyprovider.parameters</name>
 <value><![CDATA[keyStoreUrl=file:///etc/hbase/conf.cloudera.hbase/keystore.jks&keyStoreType=JCEKS&password=123456]]></value>
</property>
<property>
  <name>hbase.crypto.master.key.name</name>
  <value>hbase</value>
</property>
<!-- WAL Encryption -->
<property>
  <name>hbase.regionserver.hlog.reader.impl</name>
  <value>org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogReader</value>
</property>
<property>
  <name>hbase.regionserver.hlog.writer.impl</name>
  <value>org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogWriter</value>
</property>
<property>
  <name>hbase.regionserver.wal.encryption</name>
  <value>true</value>
</property>
<!-- For key rotation -->
<property>
  <name>hbase.crypto.master.alternate.key.name</name>
  <value>hbase.old</value>
</property>
<!-- Secure Bulk Load -->
<property>
  <name>hbase.bulkload.staging.dir</name>
  <value>/tmp/hbase-staging</value>
</property>
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider,
  org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
</property>

 

---------------------------------------------------------------------------------------------------------------------------------------

Still, when I logged in to the hbase shell as user manwarul and tried to scan the 'Employee' table, it gave ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions.

 

Please help me to resolve this issue.

 

Thanks

 

Manwarul
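
A lint pass for three things visible in the hbase-site.xml quoted in the post above: a property defined twice (Hadoop's configuration loader keeps the last definition, so classes listed only in the earlier one are dropped), a coprocessor entry that is not a dotted Java class name, and the same class named under two different packages. This is an added example, not part of the original post; `SAMPLE` is a constructed, cut-down copy of the quoted properties and `lint` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down copy of the properties quoted in the post above.
SAMPLE = """<configuration>
<property><name>hfile.format.version</name><value>3</value></property>
<property><name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController,
  org.apache.hadoop.hbase.security.visibility.VisibilityController,
  org.apache.hadoop.hbase.security.token.TokenProvider</value></property>
<property><name>hbase.coprocessor.regionserver.classes</name>
  <value>org.apache.hadoop/hbase.security.access.AccessController,
  org.apache.hadoop.hbase.security.access.VisibilityController</value></property>
<property><name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider,
  org.apache.hadoop.hbase.security.access.AccessController</value></property>
</configuration>"""

CLASS_KEY = re.compile(r"^hbase\.coprocessor\.\w+\.classes$")
JAVA_FQN = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")

def classes(value):
    return [c.strip() for c in value.split(",") if c.strip()]

def lint(xml_text):
    """Return sorted (kind, subject, detail) findings for an hbase-site.xml string."""
    findings, effective, by_simple = set(), {}, {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name in effective:  # the later definition replaces the earlier one
            lost = sorted(set(classes(effective[name])) - set(classes(value)))
            findings.add(("redefined", name, ",".join(lost)))
        effective[name] = value
        if CLASS_KEY.match(name):
            for cls in classes(value):
                if JAVA_FQN.match(cls):
                    by_simple.setdefault(cls.rsplit(".", 1)[1], set()).add(cls)
                else:
                    findings.add(("not-a-class-name", name, cls))
    for simple, fqns in by_simple.items():
        if len(fqns) > 1:  # same class named under two different packages
            findings.add(("package-mismatch", simple, ",".join(sorted(fqns))))
    # Cell ACLs are stored as tags, which need HFile v3; unset is treated as 2 (assumed 0.98 default).
    if int(effective.get("hfile.format.version", "2")) < 3:
        findings.add(("hfile-version", "hfile.format.version", "cell ACLs need 3"))
    return sorted(findings)

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

The findings describe the file only; they do not by themselves explain the AccessDeniedException reported in the thread.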

Re: Hi,Cell level security in HBase 0.98

Contributor

This is expected, right?

 

You have activated the security, but have you given the rights to your user to scan this table?

 

If you activate security, by default, no one has any rights. So you might want to grant the rights to the correct users using an Admin user?

 

JMS

Re: Hi,Cell level security in HBase 0.98

New Contributor

Hi JMS,

 

I have done all the settings as I described in the above thread, and I have also given permission with the following command in the shell

 

grant 'Employee', { 'manwarul' => 'R' }, { COLUMNS => 'pd', FILTER => "(PrefixFilter ('T'))" }.

 

But when I logged in as user manwarul in shell it is giving AccessDenied error.

 

Thanks

 

Manwarul

Re: Hi,Cell level security in HBase 0.98

Contributor

Ok. Then give me a bit of time. I will install the same version as you and do the same steps to see if I can reproduce and then figure what it is.

 

I'm already testing something else right now, so might take a day or 2 to come back to you...

 

From this thread I see that you are using CDH 5.3.0. That's the version I will try. Please let me know if it's not the correct one.

 

JM

Re: Hi,Cell level security in HBase 0.98

New Contributor

Hi JMS,

 

Yes, you are correct. I am using CDH 5.3.0.

 

Thanks

 

Manwarul
