Can't create HBASE table

Master Collaborator

Since I have installed Ranger I can't create a table in HBASE using the following command; see the error below also.

Even though the HBASE Ranger plugin is not enabled. I have the Kerberos ticket.

16/12/16 10:29:56 INFO mapreduce.HBaseImportJob: Creating missing HBase table AUDIT_TOUR
16/12/16 10:29:56 ERROR tool.ImportTool: Encountered IOException running import job: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=sami@abc.com, scope=default, params=[namespace=default,table=default:AUDIT_TOUR,family=TOUR],action=CREATE)
        at org.apache.hadoop.hbase.security.access.AccessController.requireNamespacePermission(AccessController.java:624)
        at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:993)
        at org.apache.hadoop.hbase.master.MasterCoprocessorHost$11.call(MasterCoprocessorHost.java:222)

command issued

sqoop import --connect "jdbc:oracle:thin:@(description=(address=(protocol=tcp)(host=patronQA)(port=1526))(connect_data=(service_name=patron)))" --username PATRON --password XXXX --table PATRON.AUDIT_TOUR_SMALL --hbase-table AUDIT_TOUR --column-family TOUR --hbase-row-key "TOUR_ID" --hbase-create-table --columns "PLAZA_ID,REV_DAY_ID,LANE_ID,HOST_EMP_ID" -m 1
1 ACCEPTED SOLUTION

Super Collaborator

Since you have enabled kerberos, you need to grant permissions in HBase. Use hbase shell with grant command for that.


11 REPLIES

Super Guru

@Sami Ahmad

User "sami@abc.com" does not have permissions to create a table in HBase. You need to set these permissions for this user in Ranger.

Master Collaborator

But the Ranger plugin for HBASE is not enabled, so why do Ranger permissions need to be set then?

And the HBASE security tab in Ranger is disabled for this reason. It's not letting me set any privileges.

Master Collaborator

I tried to add privileges from HBASE; it's not letting me.

hbase(main):003:0> [hdfs@hadoop1 ~]$ kinit hive
Password for hive@abc.com:
[hdfs@hadoop1 ~]$
[hdfs@hadoop1 ~]$
[hdfs@hadoop1 ~]$ hbase shell
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.1.2.2.5.0.0-1245, r53538b8ab6749cbb6fdc0fe448b89aa82495fb3f, Fri Aug 26 01:32:27 UTC 2016
hbase(main):001:0> whoami
hive@abc.com (auth:KERBEROS)
    groups: hadoop
hbase(main):002:0> grant 'sami', 'RWXCA'
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=hive@abc.com, scope=GLOBAL, action=ADMIN)
        at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:438)
        at org.apache.hadoop.hbase.security.access.AccessController.grant(AccessController.java:2216)
        at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.grant(AccessControlProtos.java:9933)
        at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10097)
        at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:7716)
        at org.apache.hadoop.hbase.regionserver.RSRpcServices.execServiceOnRegion(RSRpcServices.java:1895)
        at org.apache.hadoop.hbase.regionserver.RSRpcServices.execService(RSRpcServices.java:1877)
        at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:32299)
        at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2127)
        at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:107)
        at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:133)
        at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:108)
        at java.lang.Thread.run(Thread.java:745)
Here is some help for this command:
Grant users specific rights.
Syntax : grant <user> <permissions> [<@namespace> [<table> [<column family> [<column qualifier>]]]
permissions is either zero or more letters from the set "RWXCA".
READ('R'), WRITE('W'), EXEC('X'), CREATE('C'), ADMIN('A')
Note: Groups and users are granted access in the same way, but groups are prefixed with an '@'
      character. In the same way, tables and namespaces are specified, but namespaces are
      prefixed with an '@' character.
For example:



Super Collaborator

Since you have enabled kerberos, you need to grant permissions in HBase. Use hbase shell with grant command for that.

Master Collaborator

Can you please give me an example of how?

Also, what's the role of the HBASE Ranger plugin if, without it being enabled, we still need to grant privileges?

Super Collaborator

You need to use the same command

grant 'sami', 'RWXCA'

but you need to run hbase shell with an hbase Kerberos ticket. Ranger is a centralized platform to manage security on your cluster in one place.

If you are not using Ranger HBase policies to grant permission, then you will have to use hbase shell to grant the permission. For example,

  • R - represents read privilege.
  • W - represents write privilege.
  • X - represents execute privilege.
  • C - represents create privilege.
  • A - represents admin privilege.
 hbase(main):018:0> grant 'sami','RWXCA','default'
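
The denial in the original question names the scope and action that were refused, so a grant can be matched to exactly that check. The following is an added example, not part of any post and not HBase or Cloudera code: the hypothetical helpers `field` and `min_grant` read the two AccessDeniedException messages quoted in this thread and print a grant in the syntax from the shell help text above. Dropping the realm from the user name is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): derive the narrowest HBase grant that
# satisfies an AccessDeniedException line, for an HBase admin to review.

# The two denial lines quoted in this thread, shortened to the message part.
DENIED_CREATE='Insufficient permissions (user=sami@abc.com, scope=default, params=[namespace=default,table=default:AUDIT_TOUR,family=TOUR],action=CREATE)'
DENIED_ADMIN='Insufficient permissions (user=hive@abc.com, scope=GLOBAL, action=ADMIN)'

# Print the value of one key=value field from the parenthesised part.
field() {  # usage: field <key> <line>
  printf '%s\n' "$2" | sed -n "s/.*[[(, ]$1=\([^],)]*\).*/\1/p"
}

# Print the hbase shell grant matching the refused scope and action.
min_grant() {  # usage: min_grant <line>
  user=$(field user "$1")
  user=${user%%@*}   # assumption: HBase short name is the part before @REALM
  scope=$(field scope "$1")
  ns=$(field namespace "$1")
  case $(field action "$1") in
    READ) perm=R ;; WRITE) perm=W ;; EXEC) perm=X ;;
    CREATE) perm=C ;; ADMIN) perm=A ;;
    *) echo "no recognised action in line" >&2; return 1 ;;
  esac
  if [ -z "$user" ]; then
    echo "no user in line" >&2; return 1
  elif [ "$scope" = GLOBAL ]; then
    echo "global scope: confirm this user should hold it cluster-wide" >&2
    printf "grant '%s', '%s'\n" "$user" "$perm"
  elif [ -n "$ns" ] && [ "$scope" = "$ns" ]; then
    # Namespace check failed: grant on the namespace only ('@' prefix).
    printf "grant '%s', '%s', '@%s'\n" "$user" "$perm" "$ns"
  else
    echo "scope '$scope' not handled here; review by hand" >&2; return 1
  fi
}

min_grant "$DENIED_CREATE"   # grant 'sami', 'C', '@default'
min_grant "$DENIED_ADMIN"
```

The printed command is meant to be run in hbase shell under a principal that already holds ADMIN, as the later posts do with the hbase keytab.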

Master Collaborator

this did the trick ..

[root@hadoop1 ~]# klist -kte /etc/security/keytabs/hbase.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hbase.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 11/30/16 14:40:25 hbase-fdot_hadoop@TOLLS.DOT.STATE.FL.US (arcfour-hmac)
   1 11/30/16 14:40:25 hbase-fdot_hadoop@TOLLS.DOT.STATE.FL.US (des3-cbc-sha1)
   1 11/30/16 14:40:25 hbase-fdot_hadoop@TOLLS.DOT.STATE.FL.US (aes256-cts-hmac-sha1-96)
   1 11/30/16 14:40:25 hbase-fdot_hadoop@TOLLS.DOT.STATE.FL.US (des-cbc-md5)
   1 11/30/16 14:40:25 hbase-fdot_hadoop@TOLLS.DOT.STATE.FL.US (aes128-cts-hmac-sha1-96)
kinit -kt /etc/security/keytabs/hbase.headless.keytab hbase-fdot_hadoop

hbase(main):002:0> grant 'sami', 'RWXCA'
0 row(s) in 0.4040 seconds
hbase(main):003:0> exit
[root@hadoop1 ~]#

New Contributor
[root@m1 ~]# klist -kte /etc/security/keytabs/hbase.headless.keytab         
Keytab name: FILE:/etc/security/keytabs/hbase.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/16/2016 13:50:23 hbase-tdh@TENDATA.CN (des-cbc-md5) 
   1 11/16/2016 13:50:23 hbase-tdh@TENDATA.CN (des3-cbc-sha1) 
   1 11/16/2016 13:50:23 hbase-tdh@TENDATA.CN (arcfour-hmac) 
   1 11/16/2016 13:50:23 hbase-tdh@TENDATA.CN (aes256-cts-hmac-sha1-96) 
   1 11/16/2016 13:50:23 hbase-tdh@TENDATA.CN (aes128-cts-hmac-sha1-96) 
[root@m1 ~]# 
[root@m1 ~]# kinit -kt /etc/security/keytabs/hbase.headless.keytab hbase-tdh
kinit: Password incorrect while getting initial credentials

I did as you did, but there were mistakes.

What am I supposed to do?

New Contributor

I looked at the other blog and compared it and found the difference.

After the new operation, it can be operated

HBase SQL statement fails with Insufficient permissions for user

[root@m1 ~]# klist -ket /etc/security/keytabs/hbase.service.keytab 
Keytab name: FILE:/etc/security/keytabs/hbase.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (des-cbc-md5) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (des3-cbc-sha1) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (arcfour-hmac) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (aes256-cts-hmac-sha1-96) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (aes128-cts-hmac-sha1-96) 
[root@m1 ~]# kinit -kt /etc/security/keytabs/hbase.service.keytab hbase/m1.node.hadoop@TENDATA.CN
[root@m1 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hbase/m1.node.hadoop@TENDATA.CN
Valid starting       Expires              Service principal
09/20/2017 16:23:53  09/21/2017 16:23:53  krbtgt/TENDATA.CN@TENDATA.CN
[root@m1 ~]# 
[root@m1 ~]# hbase shell
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.1.2.2.5.3.0-37, rcb8c969d1089f1a34e9df11b6eeb96e69bcf878d, Tue Nov 29 18:48:22 UTC 2016
hbase(main):001:0> 
hbase(main):002:0* 
hbase(main):003:0* create 't1', 'f1'
0 row(s) in 2.5960 seconds
=> Hbase::Table - t1
hbase(main):004:0> list
TABLE                                                                                                    
t1                                                                                                            
1 row(s) in 0.0200 seconds
=> ["t1"]
hbase(main):005:0> 

The key is to get the KGT without domain and result in failure

kinit -kt /etc/security/keytabs/hbase.service.keytab hbase/m1.node.hadoop@TENDATA.CN
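
The working command above passes kinit the principal exactly as the keytab lists it, realm included. The following is an added example, not part of any post: the hypothetical helpers `keytab_principals` and `kinit_command` read `klist -kt` or `klist -kte` output and build that command from the listing instead of a typed name. The sample listing, principal and keytab path are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): take the kinit principal from the
# keytab listing itself rather than typing a short name.

# Constructed sample in the layout of the klist -kte listings in this thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/example.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/01/2020 00:00:00 svc/host1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 01/01/2020 00:00:00 svc/host1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'

# Print each distinct principal found in klist output read from stdin.
# Entry rows start with a numeric KVNO; date and time occupy fields 2 and 3.
keytab_principals() {
  awk '$1 ~ /^[0-9]+$/ && $4 ~ /@/ { if (!seen[$4]++) print $4 }'
}

# Print the kinit command for a keytab holding exactly one principal.
# Returns non-zero when the listing has none or several, so nothing is guessed.
kinit_command() {  # usage: kinit_command <keytab path> < klist output
  principals=$(keytab_principals)
  count=$(printf '%s\n' "$principals" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected 1 principal, found $count" >&2
    return 1
  fi
  printf 'kinit -kt %s %s\n' "$1" "$principals"
}

# On a cluster node the input would come from: klist -kt <keytab path>
printf '%s\n' "$SAMPLE_KLIST" | kinit_command /etc/security/keytabs/example.keytab
```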
