Created 01-31-2017 08:37 PM
screen-shot-2017-01-31-at-123441-pm.png
screen-shot-2017-01-31-at-123417-pm.png
Hi All - I have a kerberized HDP 2.4 cluster, and I'm facing an issue wherein the user created - hbase_user1 - is not able to 'see' the table, though access is provided to the user.
Here is what is done ->
1) User - logging in as user 'hbase_user1' to cluster
2) generated a valid kerberos ticket
[hbase_user1@sandbox ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1029
Default principal: hbase_user1@EXAMPLE.COM

Valid starting     Expires            Service principal
01/31/17 19:11:24  02/01/17 19:11:24  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/31/17 19:11:24
3) launch 'hbase shell' and fire command -> list
4) contents of log file shows that authorization for hbase_user1 is successful ->
----------------------------------------------------------------------------------------------------------------
tail -f /var/log/hbase/SecurityAuth.audit
2017-01-31 20:04:50,330 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface
2017-01-31 20:09:50,329 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:09:50,330 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 35593 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904"
2017-01-31 20:09:50,330 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface
2017-01-31 20:14:39,192 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase_user1@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:14:39,195 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 39743 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904"
2017-01-31 20:14:39,195 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase_user1@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.MasterProtos$MasterService$BlockingInterface
2017-01-31 20:14:50,329 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:14:50,330 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 35679 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904"
2017-01-31 20:14:50,330 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface
2017-01-31 20:16:24,955 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Auth successful for hbase_user1@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:16:24,956 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from 10.0.2.15 port: 39773 with version info: version: "1.1.2.2.4.0.0-169" url: "git://c66-slave-38a0b1a6-7/grid/0/jenkins/workspace/HDP-build-centos6/bigtop/build/hbase/rpm/BUILD/hbase-1.1.2.2.4.0.0" revision: "61dfb2b344f424a11f93b3f086eab815c1eb0b6a" user: "jenkins" date: "Wed Feb 10 07:08:51 UTC 2016" src_checksum: "afb8421bf497c0e82b9489877d53b904"
2017-01-31 20:16:24,957 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for hbase_user1@EXAMPLE.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.MasterProtos$MasterService$BlockingInterface
-----------------------------------------------------------------------------------------------
However, the user is not able to see any of the tables. Attaching the screenshot of Ranger policies - Global access to HBase tables is blocked, while access is provided to table iemployee to user - hbase_user1.
Also, pls note : service user - hbase is able to access all hbase tables
What needs to be done to fix this access issue for user -> hbase_user1 ?
Any pointers on this would be appreciated.
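The two message types in the audit log above come from the RPC layer: `Auth successful` records authentication of the connection, and `ServiceAuthorizationManager` is Hadoop's service-level (protocol) authorization, which names an RPC interface rather than a table. The following parser is an added example, not part of the original post; it groups entries per principal by layer, using lines rebuilt from the quoted log with the version-info entry shortened.

```python
import re
from collections import defaultdict

RPC = "SecurityLogger.org.apache.hadoop.hbase.Server"
SVC = "SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager"
GEN = "org.apache.hadoop.hbase.protobuf.generated."

# Entries rebuilt from the log quoted in the post; the version-info line is shortened.
SAMPLE = f"""\
2017-01-31 20:14:39,192 INFO {RPC}: Auth successful for hbase_user1@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:14:39,195 INFO {RPC}: Connection from 10.0.2.15 port: 39743 with version info: version: "1.1.2.2.4.0.0-169"
2017-01-31 20:14:39,195 INFO {SVC}: Authorization successful for hbase_user1@EXAMPLE.COM (auth:KERBEROS) for protocol=interface {GEN}MasterProtos$MasterService$BlockingInterface
2017-01-31 20:14:50,329 INFO {RPC}: Auth successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:SIMPLE)
2017-01-31 20:14:50,330 INFO {SVC}: Authorization successful for hbase/sandbox.hortonworks.com@EXAMPLE.COM (auth:KERBEROS) for protocol=interface {GEN}ClientProtos$ClientService$BlockingInterface
"""

LINE = re.compile(r"^(\S+ \S+) \w+ SecurityLogger\.[\w.$]+: (.*)$")
AUTHN = re.compile(r"^Auth (\w+) for (\S+) \(auth:\w+\)")
AUTHZ = re.compile(r"^Authorization (\w+) for (\S+) \(auth:\w+\) "
                   r"for protocol=interface (\S+)")

def classify(text):
    """Group audit entries per principal by the layer that produced them."""
    per_user = defaultdict(lambda: {"authn": [], "service_authz": []})
    skipped = 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        msg = m.group(2) if m else ""
        if (a := AUTHN.match(msg)):
            # Connection-level authentication result for this principal.
            per_user[a.group(2)]["authn"].append((m.group(1), a.group(1)))
        elif (z := AUTHZ.match(msg)):
            # Protocol ACL check; keep the short service name, e.g. "MasterService".
            parts = z.group(3).split("$")
            service = parts[1] if len(parts) > 1 else parts[0]
            per_user[z.group(2)]["service_authz"].append(
                (m.group(1), z.group(1), service))
        else:
            skipped += 1  # connection/version lines and anything unparsed
    return dict(per_user), skipped

if __name__ == "__main__":
    users, skipped = classify(SAMPLE)
    for principal, layers in users.items():
        print(principal, layers)
    print("skipped:", skipped)
```

Every parsed record carries a principal and an RPC service name only, so this log cannot confirm or rule out a table-level permission.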
Created 02-01-2017 12:12 AM
Login with HBase user and grant access to hbase_user1 on the table
grant 'user', 'RWXCA', 'TABLE', 'CF', 'CQ'
https://hbase.apache.org/book.html#hbase.accesscontrol.configuration
You can review the following tutorial as well http://hortonworks.com/hadoop-tutorial/manage-security-policy-hive-hbase-knox-ranger/
Created 02-01-2017 01:50 AM
thanks, granting access to the user - hbase_user1 actually worked.
However, i'd already given access to the table using Apache Ranger. Shouldn't that have worked ?
What needs to be done to check/ensure the Ranger integration with Hbase to control access ?
A few more details -
Actually, when i check the Ranger audit logs - the user 'hbase_user1' appears only till December 2nd, 2017 - screenshot
screen-shot-2017-01-31-at-60941-pm.png
This setup was created in Nov, and was working when i checked last year,
Attaching screenshots of the ranger policies. - global access to hbase is removed, and access to table - 'iemployee' is provided to user - hbase_user1.
Created 02-01-2017 01:57 AM
@Karan Alang you need to disable global allow policy and grant permissions per table, please review the section on hbase in our tutorial, it explains it well http://hortonworks.com/hadoop-tutorial/manage-security-policy-hive-hbase-knox-ranger/#hbase-grant-re...
if any of the answers helped, please close the thread by accepting best answer.
Created 02-01-2017 07:21 AM
@Artem Ervits - wrt. your previous comment, i've done exactly that (pls see my comments above & also the screenshots attached in my previous comment)
i.e. 1) Disabled Global access to Hbase table
2) Given access to user - hbase_user1 to scan table 'iemployee'
This is done using Apache Ranger, for some reason the Ranger permissions are not being enforced.
Any ideas ?
When i provided the permissions on command-line, i was able to enforce permissions !
Created 02-01-2017 02:13 PM
@Karan Alang you still need to provide explicit policy even though ranger for hbase is enabled, once you run explicit grant/revoke, it will be propagated to Ranger. Please see our doc http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch03s02s04s02.html also make sure your hbase service is configured correctly http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch03s02s04s02.html
also double check ranger hbase plugin settings http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/hbase_plugin_kerberos.ht...
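One check that follows from the advice above to verify the HBase service and Ranger plugin settings is to see which authorization coprocessor `hbase-site.xml` lists for the master and the region servers. This is an added example, not from the thread or the linked docs; it assumes the Ranger plugin class is `org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor` and the native one is `org.apache.hadoop.hbase.security.access.AccessController`, and the sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Class names: Ranger's HBase plugin coprocessor and HBase's native ACL coprocessor.
RANGER = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
NATIVE = "org.apache.hadoop.hbase.security.access.AccessController"
COPROC_KEYS = ("hbase.coprocessor.master.classes",
               "hbase.coprocessor.region.classes")

def load_props(xml_text):
    """Parse Hadoop-style <configuration><property> XML into {name: value}."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def check_authorizer(props):
    """Report, per coprocessor key, which authorization coprocessors are listed."""
    enabled = props.get("hbase.security.authorization", "false").lower() == "true"
    findings = {"authorization_enabled": enabled}
    for key in COPROC_KEYS:
        classes = {c.strip() for c in props.get(key, "").split(",") if c.strip()}
        findings[key] = sorted(
            label for label, cls in (("ranger", RANGER), ("native", NATIVE))
            if cls in classes)
    return findings

def ranger_loaded(findings):
    """True only if authorization is on and both roles list the Ranger coprocessor."""
    return findings["authorization_enabled"] and all(
        "ranger" in findings[key] for key in COPROC_KEYS)

def make_site(props):
    """Build a minimal hbase-site.xml document from a dict (sample data helper)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed samples, not the poster's configuration.
NATIVE_SITE = make_site({
    "hbase.security.authorization": "true",
    "hbase.coprocessor.master.classes": NATIVE,
    "hbase.coprocessor.region.classes":
        "org.apache.hadoop.hbase.security.token.TokenProvider," + NATIVE,
})
RANGER_SITE = NATIVE_SITE.replace(NATIVE, RANGER)

if __name__ == "__main__":
    for name, site in (("native", NATIVE_SITE), ("ranger", RANGER_SITE)):
        result = check_authorizer(load_props(site))
        print(name, result, "ranger_loaded =", ranger_loaded(result))
```

With only the native coprocessor listed, permissions come from HBase shell `grant` commands; Ranger policies are evaluated only when the Ranger coprocessor is the one loaded.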