User impersonation fails in secured HBase

Re: User impersonation fails in secured HBase

Explorer

Hi @andrew_ryan1, we got impersonation working using Thrift for users (based on either their user ID or groups) when we added the property below to the HBase site XML:

<property>
  <name>hbase.security.exec.permission.checks</name>
  <value>true</value>
</property>

This should work for the REST route as well, as it is not specific to REST or Thrift. Needless to say, the real user or their groups need to be given the appropriate privileges (ACLs / visibility tag authorizations).

Additionally, these properties added to core-site.xml would enable group lookup for a real user, so groups needed for authorizing a real user can be enumerated (we are yet to test this):

<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://server</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <value>Administrator@example-ad.local</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.bind.password</name>
  <value>****</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value>dc=example-ad,dc=local</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value>(objectClass=group)</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>member</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
  <value>cn</value>
</property>
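
Added example, not part of the post above and not Hadoop or HBase code: a Python check over the core-site.xml LDAP group-mapping block that flags the settings in that snippet a reviewer would raise before production (plain ldap:// URL, inline bind password, Administrator bind account). The sample XML is constructed from the post's properties with a placeholder password; hadoop.security.group.mapping.ldap.ssl and hadoop.security.group.mapping.ldap.bind.password.file are standard Hadoop properties not shown in the post, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the core-site.xml properties from the post (placeholder password).
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value></property>
  <property><name>hadoop.security.group.mapping.ldap.url</name>
    <value>ldap://server</value></property>
  <property><name>hadoop.security.group.mapping.ldap.bind.user</name>
    <value>Administrator@example-ad.local</value></property>
  <property><name>hadoop.security.group.mapping.ldap.bind.password</name>
    <value>placeholder</value></property>
  <property><name>hadoop.security.group.mapping.ldap.search.filter.user</name>
    <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value></property>
</configuration>"""

P = "hadoop.security.group.mapping.ldap."

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style *-site.xml document."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit_ldap_group_mapping(props):
    """Return (property, finding) tuples for the LDAP group-mapping settings."""
    findings = []
    if not props.get("hadoop.security.group.mapping", "").endswith("LdapGroupsMapping"):
        return findings  # LDAP group mapping not in use; nothing to check
    url = props.get(P + "url", "")
    ssl = props.get(P + "ssl", "false").lower() == "true"
    if not url.lower().startswith("ldaps://") and not ssl:
        findings.append((P + "url", "bind credentials and group data cross the network unencrypted"))
    if props.get(P + "bind.password"):
        findings.append((P + "bind.password", "password stored inline; prefer bind.password.file or a credential provider"))
    if props.get(P + "bind.user", "").split("@")[0].lower() == "administrator":
        findings.append((P + "bind.user", "privileged account used for lookups; a read-only service account suffices"))
    if "{0}" not in props.get(P + "search.filter.user", "{0}"):
        findings.append((P + "search.filter.user", "filter lacks the {0} user-name placeholder"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_ldap_group_mapping(load_props(SAMPLE_CORE_SITE)):
        print(f"{name}: {finding}")
```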

Re: User impersonation fails in secured HBase

Contributor

Hi @hbased,

It is a bug. There is a Jira for the issue and apparently it was resolved in version 3.0.0. This is the Apache HBase site - not necessarily your distro version. Cloudera say the issue is resolved in 3.1.4. We have raised a support ticket with Cloudera and they are patching our current distro version of HBase and providing us with a new binary.

Here's the Jira ref.

https://issues.apache.org/jira/browse/HBASE-21960

All the best