Ranger policy for Hive table backed on HBase

Guru

Hi,

I have a Hive table which sits on top of HBase and created two policies for the same user in Ranger, one for Hive and one for HBase, to allow access to the corresponding table.

In Ranger I can see the agents have successfully registered and they received the latest changes.

If I now do a select * from hivetableonhbase; via Hue, I receive the error:

java.io.IOException: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'pklfsvc' for scanner open on table hbaseidv
	at com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor.preScannerOpen(XaSecureAuthorizationCoprocessor.java:719)
	at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preScannerOpen(RegionCoprocessorHost.java:1870)
	at org.apache.hadoop.hbase.regionserver.HRegionServer.scan(HRegionServer.java:3167)
	at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:29994)
	at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2078)
	at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:108)
	at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:114)
	at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:94)
	at java.lang.Thread.run(Thread.java:745)

In addition, I do not see any attempt to access HBase in the Ranger audit log.

Is there something special about accessing HBase via Hive with respect to granting permissions to users?!

1 ACCEPTED SOLUTION

Guru

Hi @Artem Ervits, @Neeraj Sabharwal,

In the end, using Ranger policies for Hive-on-top-of-HBase works as it is supposed to, by defining a Hive policy and an HBase policy for the involved tables.

The issue I had was the following, although I really don't understand why it is like it is:

Switching back to Ranger HTTP from HTTPS left the policy_mgr_url starting with HTTPS://<ranger-admin>:<port> on the HBase REGIONSERVERS, so the REGIONSERVERS were complaining that they could not grab the latest Ranger policies due to an SSL error. This was the reason why my HBase policies were never applied: they never got fetched by the REGIONSERVERS.

Now the point that is confusing me:

Why the REGIONSERVERS? On the HBase Master nodes there was no error; they had received the latest HBase policies, and therefore in the Ranger audit the agents' heartbeat had been updated (and therefore I thought everything was fine).

Isn't the behaviour of the Ranger plugin similar to HDFS, where the plugin just hooks into the "master" process, the NameNode? What is the role of Ranger in the RegionServer here?

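The misconfiguration described in the accepted solution, as an added example that is not part of the original post: a check that compares the policy manager URL in each HBase host's plugin configuration with the Ranger admin endpoint, so a stale HTTPS URL on the RegionServers is caught even when the Master looks healthy. The property names, hostnames and ports are assumptions (the post only names policy_mgr_url), and the sample configs are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Property names that hold the Ranger admin URL in the HBase plugin config.
# Assumption: the post itself only calls the setting "policy_mgr_url".
URL_PROPS = ("ranger.plugin.hbase.policy.rest.url", "xasecure.hbase.policymgr.url")

def policy_url(site_xml):
    """Return the policy manager URL from a Hadoop-style *-site.xml string."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if prop.findtext("name", "").strip() in URL_PROPS:
            return prop.findtext("value", "").strip()
    return None

def endpoint(url):
    """Normalise a URL to (scheme, host, port), filling in default ports."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme)

def find_stale_hosts(configs, admin_url):
    """Map each host whose plugin URL differs from admin_url to the reason."""
    want = endpoint(admin_url)
    stale = {}
    for host, xml_text in configs.items():
        url = policy_url(xml_text)
        if url is None:
            stale[host] = "no policy manager URL configured"
        elif endpoint(url) != want:
            stale[host] = f"plugin uses {url}, Ranger admin is at {admin_url}"
    return stale

def site(url):  # builds a constructed sample config for the demo below
    return (f"<configuration><property><name>{URL_PROPS[0]}</name>"
            f"<value>{url}</value></property></configuration>")

# Constructed sample: Ranger admin moved back to HTTP, but only the Master's
# plugin config followed; the RegionServers still carry the HTTPS URL.
ADMIN = "http://ranger-admin.example.com:6080"
CONFIGS = {
    "hbase-master-1": site("http://ranger-admin.example.com:6080"),
    "regionserver-1": site("HTTPS://ranger-admin.example.com:6182"),
    "regionserver-2": site("HTTPS://ranger-admin.example.com:6182"),
}

if __name__ == "__main__":
    for host, reason in sorted(find_stale_hosts(CONFIGS, ADMIN).items()):
        print(f"{host}: {reason}")
```

Run it against the plugin configuration of every host that loads the Ranger coprocessor, not only the Master, since a healthy Master heartbeat says nothing about what the RegionServers fetched.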

14 REPLIES

Master Mentor
@Gerd Koenig

This is a great question and personally, I have never worked on this use case.

Did you grant access to the Hive and HBase tables to user pklfsvc in the Hive and HBase policies?

Guru

Hello @Neeraj Sabharwal, yes, user 'pklfsvc' has rwx permissions in the Hive and HBase Ranger policies.

Master Mentor

@Gerd Koenig Are you able to access using beeline?

Guru

@Neeraj Sabharwal, connect yes, but also a permission error:

0: jdbc:hive2://b0d02ef2:10> show tables;
+----------------------+--+
|       tab_name       |
+----------------------+--+
| hbaseidvtmp          |
| hbaseidv             |
+----------------------+--+
2 rows selected (0.293 seconds)
0: jdbc:hive2://b0d02ef2:10> select * from hbaseidv;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [pklfsvc] does not have [SELECT] privilege on [<dbname>/hbaseidv/birthdate] (state=42000,code=40000)
0: jdbc:hive2://b0d02ef2:10>

Master Mentor

@Gerd Koenig Perfect!!!! 🙂

So... Hue is causing the trouble?

Guru

@Neeraj Sabharwal, nope, Hue is not causing the trouble, since via Beeline I receive the same permission denied error ...

Master Mentor

@Gerd Koenig Is birthdate the only column in the picture?

Master Mentor

@Gerd Koenig

Awesome question. According to this JIRA, can you double-check the znode information for the table? This might be a bug with Ranger.

scan 'hbase:acl'

Guru

Hi @Artem Ervits, please find below the output of your command. It seems like there are no settings for table 'hbaseidv' ...

ROW                                    COLUMN+CELL
 ambarismoketest                       column=l:ambari-qa, timestamp=1453802112798, value=RWXCA
 hbase:acl                             column=l:ambari-qa, timestamp=1453802098747, value=RWXCA
2 row(s) in 0.5710 seconds

Do I have to set something directly in HBase?

My assumption was that the Ranger HBase policy would abstract this, like for HDFS (HDFS ACL set to 000 and access granted via Ranger)?!