Support Questions

Find answers, ask questions, and share your expertise

Where do I control hbase namespace from ranger?

avatar
Master Guru

This option is available in ranger but I don't see it. I have ranger version .50. Screen shot:

2356-2016-02-23-14-40-02.jpg

As you can see from above nothing for namespace. Am I missing something?

1 ACCEPTED SOLUTION

avatar
Master Guru

@Neeraj Sabharwal @Artem Ervits

namespace:* works! but with a twist.

I created a namespace called 'testns'.

On ranger I am able to do testns:* and it gives me security access over all tables within this namespace. It worked with all namespace i created.

HOWEVER!!! - this does not work with default. So I need to create a new thread on HCC asking community why default namespace (default:*) is not controlable via ranger.

View solution in original post

11 REPLIES 11

avatar
Master Mentor

Please see this https://issues.apache.org/jira/plugins/servlet/mobile#issue/RANGER-202

In the table section, specify the namespace with table together

avatar
Master Guru

@Artem Ervits awesome feedback as always. I need to know if ranger can do access control at namespace level without specifying table name.

avatar
Master Mentor

@Sunile Manjee I doubt it, by design you need to specify namespace:table

avatar
Master Mentor
@Sunile Manjee

See this https://issues.apache.org/jira/browse/RANGER-202 and it has more information on the issues related to this particular issue

Take a look on the subtasks.

It looks like that Ramesh replied back https://community.hortonworks.com/questions/17764/ranger-hbase-namespace.html

Format:

To allow access to table(s) in a specific namespace, specify the table name with prefix as "<namespace>:<table>" - like "myNameSpace:table1", "myNamespace:*"

avatar
Master Mentor

@Sunile Manjee

Demo

my_ns1:my_table - demouser can access it

hbase(main):005:0> scan "my_ns1:my_table"

ROW COLUMN+CELL

0 row(s) in 0.0340 seconds

hbase(main):006:0>

2371-screen-shot-2016-02-24-at-71946-am.png

I removed demouser in policy

hbase(main):006:0> scan "my_ns1:my_table"

ROW COLUMN+CELL

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘demouser',action: scannerOpen, tableName:my_ns1:my_table, family:fam.

Here is some help for this command:

2372-screen-shot-2016-02-24-at-72100-am.png

avatar
Master Guru

@Neeraj Sabharwal awesome feedback as always. I need to know if ranger can do access control at namespace level without specifying table name.

avatar
Master Guru

I'm going to take a try on my sandbox... will post what I find.

avatar
Master Mentor

@Sunile Manjee Did you see the link that I shared and extra information added in my reply?

I mentioned "See this https://issues.apache.org/jira/browse/RANGER-202 and it has more information on the issues related to this particular issue

Take a look on the subtasks."

One of the subtasks is https://issues.apache.org/jira/browse/RANGER-228

avatar
Master Guru

@Neeraj Sabharwal @Artem Ervits

namespace:* works! but with a twist.

I created a namespace called 'testns'.

On ranger I am able to do testns:* and it gives me security access over all tables within this namespace. It worked with all namespace i created.

HOWEVER!!! - this does not work with default. So I need to create a new thread on HCC asking community why default namespace (default:*) is not controlable via ranger.