Support Questions

Find answers, ask questions, and share your expertise

Unable to disable/drop an HBase table after enabling Kerberos

avatar
Explorer

I recently enabled Kerberos on a test cluster, and it looks like HBase thinks I am a different user than I was before Kerberos was enabled. 

Before enabling Kerberos, I created a lot of tables in HBase using a user called "ace".

After enabling Kerberos, I am not able to disable/drop those tables. 

HBase complains user "ace/jumphost@LOCALDOMAIN" has insufficient permissions:

 

disable 'dailybenchmarkResults'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=ace/jumphost@LOCALDOMAIN, scope=dailybenchmarkResults, family=, action=CREATE)
 

What is interesting is when I try to recreate the table, I do not get a "table already exists" or similar error as expected.  I get:

 

create  'dailybenchmarkResults',{NAME =>   'benchmarkResults', COMPRESSION =>   'SNAPPY'}

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'ace' (global, action=CREATE)

 

In this case, it seems HBase thinks I am the user 'ace'.

 

 

This is my first dive into Kerberos, so I'm probably missing something simple. 

I have been unable to find any web pages that sound similar to the issue I am experiencing. 

I have Kerberos configured correctly to access the HDFS file system with the hdfs command set. 

I have read files from and written files to HDFS.

 

I am using Cloudera Manager 5.3.0 on CentOS 6.5 with a total of 6 nodes - 3 DN, 2 NN, and my "jumphost" which is the HBase master and where the Clouders services reside, as well as where I issued my "disable" commands from.

 

My Kerberos version is from CentOS "krb5-server-1.10.3-10".  I believe this is MIT Kerberos.

 

Please do not tell me to "Upgrade my version of Cloudera Manager" without first pointing me to a bug report/change log that shows what I am experiencing was a bug and has been fixed.

 

In summary:

I have an existing cluster under which I created several tables.

After enabling Kerberos, I am unable to disable/drop the table, even though my login user name has not changed.

 

Thanks.

 

- Shawn S

 

1 ACCEPTED SOLUTION

avatar
Mentor
There's two factors to consider here: Authentication and Authorisation. You've enabled both for HBase. You can disable the latter if you do not need it.

If you do need authorisation, then you need to configure it as out of the box there's no rules except 'administrative' rights for the 'hbase' login user. To read more on configuring your authorisation rules via the grant/revoke commands, read http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cdh_sg_hbase_authorizat...

View solution in original post

3 REPLIES 3

avatar
Mentor
There's two factors to consider here: Authentication and Authorisation. You've enabled both for HBase. You can disable the latter if you do not need it.

If you do need authorisation, then you need to configure it as out of the box there's no rules except 'administrative' rights for the 'hbase' login user. To read more on configuring your authorisation rules via the grant/revoke commands, read http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cdh_sg_hbase_authorizat...

avatar
Explorer
Thank you for the quick response. I disabled authorization as per the link you sent me to. After the config update I was able to disable/drop/recreate the table as I had before Kerberos.

- Shawn S

avatar
Mentor
Glad to hear - thanks for closing the loop!