I have a Hive table which sits on top of HBase and created two policies for the same user in Ranger, one for Hive and one for HBase, to allow access to the corresponding table.
In Ranger I can see the agents have successfully registered and they received the latest changes.
If I now do a select * from hivetableonhbase; via Hue I receive the error:
java.io.IOException: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'pklfsvc' for scanner open on table hbaseidv
    at com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor.preScannerOpen(XaSecureAuthorizationCoprocessor.java:719)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preScannerOpen(RegionCoprocessorHost.java:1870)
    at org.apache.hadoop.hbase.regionserver.HRegionServer.scan(HRegionServer.java:3167)
    at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:29994)
    at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2078)
    at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:108)
    at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:114)
    at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:94)
In addition, I do not see any attempt to access HBase in the Ranger audit log.
Is there something special about accessing HBase via Hive with respect to granting permissions to users?!?!
In the end, using Ranger policies for Hive-on-top-of-HBase works as it is supposed to, by defining a Hive policy and an HBase policy for the involved tables.
The issue I had was the following, although I really don't understand why it is like it is:
Switching back to Ranger-HTTP from HTTPS left the policy_mgr_url starting with HTTPS://<ranger-admin>:<port> on the HBase REGIONSERVERS, so the REGIONSERVERS were complaining that they could not grab the latest Ranger policies due to an SSL error. This was the reason why my HBase policies were never applied: they never got fetched by the REGIONSERVERS.
Now the point that is confusing me:
Why the REGIONSERVERS???? On the HBase Master nodes there was no error; they had received the latest HBase policies, and therefore in the Ranger audit the agents' heartbeat had been updated (and therefore I thought everything was fine).
Isn't the behaviour of the Ranger plugin similar to HDFS, where the plugin just hooks into the "master" process (Namenode)? What is the role of Ranger in the Regionserver here?
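The stale-URL situation described in the post above can be checked for on every plugin host, not only the masters. The following is an added example, not part of the original thread; it assumes the plugin setting is available as a `POLICY_MGR_URL=...` properties line per host, and the hostnames, port and repository name are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample data: properties text as it might be collected from each
# HBase host's Ranger plugin settings (hostnames and values are made up).
SAMPLE_CONFIGS = {
    "master1.example": "POLICY_MGR_URL=http://ranger-admin.example:6080\nREPOSITORY_NAME=cl_hbase\n",
    "rs1.example": "# regionserver\nPOLICY_MGR_URL=HTTPS://ranger-admin.example:6080\n",
    "rs2.example": "POLICY_MGR_URL = https://ranger-admin.example:6080\n",
    "rs3.example": "REPOSITORY_NAME=cl_hbase\n",
}

def read_policy_mgr_url(properties_text):
    """Return the POLICY_MGR_URL value from properties-style text, or None."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blanks and comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "POLICY_MGR_URL":
            return value.strip()
    return None

def origin(url):
    """Normalise a URL to (scheme, host, port); scheme and host compare case-insensitively."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)

def find_drift(expected_admin_url, host_configs):
    """Map each host whose plugin URL does not match the admin URL to a reason."""
    want = origin(expected_admin_url)
    drift = {}
    for host, text in sorted(host_configs.items()):
        url = read_policy_mgr_url(text)
        if url is None:
            drift[host] = "POLICY_MGR_URL not set"
        elif origin(url) != want:
            drift[host] = f"points at {url}, expected {expected_admin_url}"
    return drift

if __name__ == "__main__":
    # Ranger Admin was switched back to HTTP; RegionServers still on HTTPS are flagged.
    for host, reason in find_drift("http://ranger-admin.example:6080", SAMPLE_CONFIGS).items():
        print(f"{host}: {reason}")
```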
@Neeraj Sabharwal , connect yes, but also permission error:
0: jdbc:hive2://b0d02ef2:10> show tables;
+----------------------+--+
| tab_name |
+----------------------+--+
| hbaseidvtmp |
| hbaseidv |
2 rows selected (0.293 seconds)
0: jdbc:hive2://b0d02ef2:10> select * from hbaseidv;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [pklfsvc] does not have [SELECT] privilege on [<dbname>/hbaseidv/birthdate] (state=42000,code=40000)
0: jdbc:hive2://b0d02ef2:10>
Hi @Artem Ervits , please find below the output of your command. Seems like there are no settings for table 'hbaseidv' ...
ROW COLUMN+CELL
 ambarismoketest column=l:ambari-qa, timestamp=1453802112798, value=RWXCA
 hbase:acl column=l:ambari-qa, timestamp=1453802098747, value=RWXCA
2 row(s) in 0.5710 seconds
Do I have to set something directly in HBase?
My assumption was that the Ranger HBase policy will abstract this, like for HDFS (HDFS ACL set to 000 and access granted via Ranger)?!?!