Support Questions

aliyesami · ‎12-16-2016

since I have installed Ranger I cant create a table in HBASE using the following command, see the error below also.

even though HBASE ranger plugin is not enabled . I have the Kerberos ticket

16/12/16 10:29:56 INFO mapreduce.HBaseImportJob: Creating missing HBase table AUDIT_TOUR
16/12/16 10:29:56 ERROR tool.ImportTool: Encountered IOException running import job: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=sami@abc.com, scope=default, params=[namespace=default,table=default:AUDIT_TOUR,family=TOUR],action=CREATE)
        at org.apache.hadoop.hbase.security.access.AccessController.requireNamespacePermission(AccessController.java:624)
        at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:993)
        at org.apache.hadoop.hbase.master.MasterCoprocessorHost$11.call(MasterCoprocessorHost.java:222)

command issued

sqoop import --connect "jdbc:oracle:thin:@(description=(address=(protocol=tcp)(host=patronQA)(port=1526))(connect_data=(service_name=patron)))" --username PATRON --password XXXX --table PATRON.AUDIT_TOUR_SMALL --hbase-table AUDIT_TOUR --column-family TOUR --hbase-row-key "TOUR_ID" --hbase-create-table --columns "PLAZA_ID,REV_DAY_ID,LANE_ID,HOST_EMP_ID" -m 1

ssoldatov · ‎12-16-2016

Since you have enabled kerberos, you need to grant permissions in HBase. Use hbase shell with grant command for that.

View solution in original post

kiven517 · ‎09-21-2017

I looked at the other blog and compared it and found the difference.

After the new operation, it can be operated

HBase SQL statement fails with Insufficient permissions for user

[root@m1 ~]# klist -ket /etc/security/keytabs/hbase.service.keytab 
Keytab name: FILE:/etc/security/keytabs/hbase.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (des-cbc-md5) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (des3-cbc-sha1) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (arcfour-hmac) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (aes256-cts-hmac-sha1-96) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (aes128-cts-hmac-sha1-96) 
[root@m1 ~]# kinit -kt /etc/security/keytabs/hbase.service.keytab hbase/m1.node.hadoop@TENDATA.CN
[root@m1 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hbase/m1.node.hadoop@TENDATA.CN
Valid starting       Expires              Service principal
09/20/2017 16:23:53  09/21/2017 16:23:53  krbtgt/TENDATA.CN@TENDATA.CN
[root@m1 ~]# 
[root@m1 ~]# hbase shell
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.1.2.2.5.3.0-37, rcb8c969d1089f1a34e9df11b6eeb96e69bcf878d, Tue Nov 29 18:48:22 UTC 2016
hbase(main):001:0> 
hbase(main):002:0* 
hbase(main):003:0* create 't1', 'f1'
0 row(s) in 2.5960 seconds
=> Hbase::Table - t1
hbase(main):004:0> list
TABLE                                                                                                    
t1                                                                                                            
1 row(s) in 0.0200 seconds
=> ["t1"]
hbase(main):005:0>

The key is to get the KGT without domain and result in failure

kinit -kt /etc/security/keytabs/hbase.service.keytab hbase/m1.node.hadoop@TENDATA.CN

kiven517 · ‎09-21-2017

I looked at the other blog and compared it and found the difference.

After the new operation, it can be operated

HBase SQL statement fails with Insufficient permissions for user

[root@m1 ~]# klist -ket /etc/security/keytabs/hbase.service.keytab 
Keytab name: FILE:/etc/security/keytabs/hbase.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (des-cbc-md5) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (des3-cbc-sha1) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (arcfour-hmac) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (aes256-cts-hmac-sha1-96) 
   1 11/16/2016 13:50:24 hbase/m1.node.hadoop@TENDATA.CN (aes128-cts-hmac-sha1-96) 
[root@m1 ~]# kinit -kt /etc/security/keytabs/hbase.service.keytab hbase/m1.node.hadoop@TENDATA.CN
[root@m1 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hbase/m1.node.hadoop@TENDATA.CN




Valid starting       Expires              Service principal
09/20/2017 16:23:53  09/21/2017 16:23:53  krbtgt/TENDATA.CN@TENDATA.CN
[root@m1 ~]# 




[root@m1 ~]# hbase shell
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.1.2.2.5.3.0-37, rcb8c969d1089f1a34e9df11b6eeb96e69bcf878d, Tue Nov 29 18:48:22 UTC 2016




hbase(main):001:0> 
hbase(main):002:0* 
hbase(main):003:0* create 't1', 'f1'
0 row(s) in 2.5960 seconds




=> Hbase::Table - t1
hbase(main):004:0> list
TABLE                                                                                                    
t1                                                                                                            
1 row(s) in 0.0200 seconds




=> ["t1"]
hbase(main):005:0>

The key is to get the KGT without domain and result in failure

kinit -kt /etc/security/keytabs/hbase.service.keytab hbase/m1.node.hadoop@TENDATA.CN

Cloudera Community

Support Questions

cant create HBASE table