Support Questions

sunile_manjee · ‎02-23-2016

This option is available in ranger but I don't see it. I have ranger version .50. Screen shot:

As you can see from above nothing for namespace. Am I missing something?

sunile_manjee · ‎02-24-2016

namespace:* works! but with a twist.

I created a namespace called 'testns'.

On ranger I am able to do testns:* and it gives me security access over all tables within this namespace. It worked with all namespace i created.

HOWEVER!!! - this does not work with default. So I need to create a new thread on HCC asking community why default namespace (default:*) is not controlable via ranger.

View solution in original post

aervits · ‎02-23-2016

Please see this https://issues.apache.org/jira/plugins/servlet/mobile#issue/RANGER-202

In the table section, specify the namespace with table together

sunile_manjee · ‎02-24-2016

@Artem Ervits awesome feedback as always. I need to know if ranger can do access control at namespace level without specifying table name.

aervits · ‎02-24-2016

@Sunile Manjee I doubt it, by design you need to specify namespace:table

nsabharwal · ‎02-23-2016

@Sunile Manjee

See this https://issues.apache.org/jira/browse/RANGER-202 and it has more information on the issues related to this particular issue

Take a look on the subtasks.

It looks like that Ramesh replied back https://community.hortonworks.com/questions/17764/ranger-hbase-namespace.html

Format:

To allow access to table(s) in a specific namespace, specify the table name with prefix as "<namespace>:<table>" - like "myNameSpace:table1", "myNamespace:*"

nsabharwal · ‎02-24-2016

@Sunile Manjee

Demo

my_ns1:my_table - demouser can access it

hbase(main):005:0> scan "my_ns1:my_table"

ROW COLUMN+CELL

0 row(s) in 0.0340 seconds

hbase(main):006:0>

I removed demouser in policy

hbase(main):006:0> scan "my_ns1:my_table"

ROW COLUMN+CELL

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘demouser',action: scannerOpen, tableName:my_ns1:my_table, family:fam.

Here is some help for this command:

sunile_manjee · ‎02-24-2016

@Neeraj Sabharwal awesome feedback as always. I need to know if ranger can do access control at namespace level without specifying table name.

sunile_manjee · ‎02-24-2016

I'm going to take a try on my sandbox... will post what I find.

nsabharwal · ‎02-24-2016

@Sunile Manjee Did you see the link that I shared and extra information added in my reply?

I mentioned "See this https://issues.apache.org/jira/browse/RANGER-202 and it has more information on the issues related to this particular issue

Take a look on the subtasks."

One of the subtasks is https://issues.apache.org/jira/browse/RANGER-228

sunile_manjee · ‎02-24-2016

@Neeraj Sabharwal @Artem Ervits

namespace:* works! but with a twist.

I created a namespace called 'testns'.

On ranger I am able to do testns:* and it gives me security access over all tables within this namespace. It worked with all namespace i created.

HOWEVER!!! - this does not work with default. So I need to create a new thread on HCC asking community why default namespace (default:*) is not controlable via ranger.

Cloudera Community

Support Questions

Where do I control hbase namespace from ranger?