Created 02-08-2016 03:38 PM
Hi,
I have a Hive table which sits on top of HBase and created two policies for the same user in Ranger, one for Hive and one for HBase, to allow access to the corresponding table.
In Ranger I can see that the agents have successfully registered and received the latest changes.
If I now do a select * from hivetableonhbase; via Hue I receive the error:
java.io.IOException: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'pklfsvc' for scanner open on table hbaseidv
    at com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor.preScannerOpen(XaSecureAuthorizationCoprocessor.java:719)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preScannerOpen(RegionCoprocessorHost.java:1870)
    at org.apache.hadoop.hbase.regionserver.HRegionServer.scan(HRegionServer.java:3167)
    at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:29994)
    at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2078)
    at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:108)
    at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:114)
    at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:94)
    at java.lang.Thread.run(Thread.java:745)
In addition, I do not see any attempt to access HBase in the Ranger audit log.
Is there something special about accessing HBase via Hive with respect to granting permissions to users?
Created 02-08-2016 04:42 PM
@Gerd Koenig are you following similar steps as this guide? You should be able to see the table from both places https://community.hortonworks.com/content/kbentry/14806/working-with-hbase-and-hive-wip.html
Created 02-08-2016 04:59 PM
@Artem Ervits , thanks for this great link.
If I connect as user 'hbase' I can execute a "scan 'hbaseidv'" successfully, but if I open an hbase shell as user pklfsvc I receive the error shown below.
Do I have to grant rwx to that user on HBase level before putting Ranger policies on top?
hbase(main):002:0> scan 'hbaseidv'
ROW COLUMN+CELL
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'pklfsvc' for scanner open on table hbaseidv
Created 02-08-2016 05:02 PM
@Gerd Koenig the only advice I have for you as this is a unique use case is to try and then post an article :).
Created 02-08-2016 05:38 PM
@Artem Ervits , sure, will do so as soon as I have prepared the stuff...
Created 02-10-2016 01:23 PM
Hi @Artem Ervits , @Neeraj Sabharwal ,
In the end, using Ranger policies for Hive-on-top-of-HBase works as it is supposed to, by defining a Hive policy and an HBase policy for the involved tables.
The issue I had was the following, although I really don't understand why it is like it is:
switching back to Ranger-HTTP from HTTPS left the policy_mgr_url starting with HTTPS://<ranger-admin>:<port> on the HBase-REGIONSERVERS, so the REGIONSERVERS were complaining that they could not grab the latest Ranger policies due to an SSL error. This was the reason why my HBase policies were never applied: they never got fetched by the REGIONSERVERS.
Now the point that is confusing me:
why the REGIONSERVERS? On the HBase-Master nodes there was no error; they had received the latest HBase policies, and therefore the agents' heartbeat had been updated in the Ranger audit (and therefore I thought everything was fine).
Isn't the behaviour of the Ranger plugin similar to HDFS, where the plugin just hooks into the "master" process (the NameNode)? What is the role of Ranger in the RegionServer here?
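
A per-host check for the situation described in this thread, as an added example that is not part of the original posts and not Ranger's own code: it compares each plugin's configured policy URL and cached policy version against Ranger Admin, so a RegionServer still pointing at HTTPS is flagged even when the Master looks healthy. The property name, the `policyVersion` cache field, host names, port and version numbers are assumptions or constructed sample values.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed property name (Ranger 0.5+ ranger-hbase-security.xml); adjust for your release.
URL_PROPERTY = "ranger.plugin.hbase.policy.rest.url"

def plugin_policy_url(site_xml, prop=URL_PROPERTY):
    """Return the value of `prop` from a Hadoop-style XML config string, or None."""
    for p in ET.fromstring(site_xml).iter("property"):
        if (p.findtext("name") or "").strip() == prop:
            return (p.findtext("value") or "").strip()
    return None

def audit_plugin(site_xml, cache_json, admin_url, admin_version):
    """List reasons why this host's plugin may be enforcing outdated policies."""
    findings = []
    url = plugin_policy_url(site_xml)
    if not url:
        findings.append("policy URL property not set")
    else:
        got, want = urlsplit(url), urlsplit(admin_url)  # urlsplit lowercases the scheme
        if got.scheme != want.scheme:
            findings.append(f"scheme {got.scheme} != admin {want.scheme}")
        if (got.hostname, got.port) != (want.hostname, want.port):
            findings.append(f"endpoint {got.netloc} != admin {want.netloc}")
    # Assumption: the on-disk policy cache is JSON with a numeric "policyVersion".
    version = json.loads(cache_json).get("policyVersion") if cache_json else None
    if version != admin_version:
        findings.append(f"cached policyVersion {version} != admin {admin_version}")
    return findings

def site(url):
    """Build a constructed config snippet for the sample hosts below."""
    return (f"<configuration><property><name>{URL_PROPERTY}</name>"
            f"<value>{url}</value></property></configuration>")

# Constructed sample: Ranger Admin is back on HTTP, one RegionServer was not updated.
ADMIN_URL, ADMIN_VERSION = "http://ranger-admin.example:6080", 7
HOSTS = {
    "hbase-master-1": (site("http://ranger-admin.example:6080"), '{"policyVersion": 7}'),
    "regionserver-1": (site("HTTPS://ranger-admin.example:6080"), '{"policyVersion": 3}'),
}

def audit_cluster():
    """Run the audit over every sample host and return {host: findings}."""
    return {h: audit_plugin(x, c, ADMIN_URL, ADMIN_VERSION) for h, (x, c) in HOSTS.items()}

if __name__ == "__main__":
    for host, findings in audit_cluster().items():
        print(host, "OK" if not findings else "; ".join(findings))
```

Run against every HBase host rather than only the Master: the stack trace in the first post shows the denial raised from the coprocessor's preScannerOpen inside HRegionServer.scan, so each RegionServer enforces whatever policies it last managed to download.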
