Member since
08-08-2013
339
Posts
132
Kudos Received
27
Solutions
My Accepted Solutions
Title | Views | Posted |
---|---|---|
13263 | 01-18-2018 08:38 AM | |
1120 | 05-11-2017 06:50 PM | |
8021 | 04-28-2017 11:00 AM | |
2893 | 04-12-2017 01:36 AM | |
2381 | 02-14-2017 05:11 AM |
02-08-2016
05:38 PM
@Artem Ervits , sure, will do so as soon as I have prepared the stuff...
... View more
02-08-2016
04:59 PM
@Artem Ervits , thanks for this great link. If I connect as user 'hbase' I can execute a "scan 'hbaseidv' " successfully, but if I open a hbase shell as user pklfsvc I receive the error shown below. Do I have to grant rwx to that user on HBase level before putting Ranger policies on top ? hbase(main):002:0> scan 'hbaseidv'
ROW COLUMN+CELL
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'pklfsvc' for scanner open on table hbaseidv
... View more
02-08-2016
04:50 PM
@Neeraj Sabharwal , nope, Hue is not causing the troubles since via Beeline I receive the same permission denied error ...
... View more
02-08-2016
04:33 PM
Hi @Artem Ervits , please find below the output of your command. Seems like there are no settings for table 'hbaseidv' ... ROW COLUMN+CELL
ambarismoketest column=l:ambari-qa, timestamp=1453802112798, value=RWXCA
hbase:acl column=l:ambari-qa, timestamp=1453802098747, value=RWXCA
2 row(s) in 0.5710 seconds Do I have to set something directly in HBase ? My assumption was that Ranger-HBase-policy will abstract this, like for HDFS (HDFS-ACL set to 000 and grant access via Ranger ) ?!?!
... View more
02-08-2016
04:27 PM
1 Kudo
@Neeraj Sabharwal , connect yes, but also permission error: 0: jdbc:hive2://b0d02ef2:10> show tables;
+----------------------+--+
| tab_name |
+----------------------+--+
| hbaseidvtmp |
| hbaseidv |
2 rows selected (0.293 seconds)
0: jdbc:hive2://b0d02ef2:10> select * from hbaseidv;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [pklfsvc] does not have [SELECT] privilege on [<dbname>/hbaseidv/birthdate] (state=42000,code=40000)
0: jdbc:hive2://b0d02ef2:10>
... View more
02-08-2016
03:44 PM
Hello @Neeraj Sabharwal , yes, user 'pklfsvc' has rwx permissions in Hive- and HBase-Ranger policy
... View more
02-08-2016
03:38 PM
2 Kudos
Hi, I have a Hive table which sits on top of HBase and create two policies for the same user in Ranger. One for Hive and one for HBase, to allow access to the corresponding table. In Ranger I can see the agents has successfully registered and they received the latest changes. If I now do a select * from hivetableonhbase; vie Hue I receive the error: java.io.IOException: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'pklfsvc' for scanner open on table hbaseidv
at com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor.preScannerOpen(XaSecureAuthorizationCoprocessor.java:719)
at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preScannerOpen(RegionCoprocessorHost.java:1870)
at org.apache.hadoop.hbase.regionserver.HRegionServer.scan(HRegionServer.java:3167)
at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:29994)
at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2078)
at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:108)
at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:114)
at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:94) at java.lang.Thread.run(Thread.java:745) And in addition I do not see any attempt to access HBase in Ranger Audit log. Is there something special in Accessing HBase via Hive with respect to grant permissions to users ?!?!
... View more
Labels:
- Labels:
-
Apache HBase
-
Apache Hive
-
Apache Ranger
02-06-2016
11:28 AM
Hi @Neeraj Sabharwal , @Predrag Minovic thanks for your support. Yesterday evening I did a stop of ambari-server, ambari-agent and ranger (Ranger and Ambari are on the same node), and restarted them step-by-step as mentioned in my last answer to Neeraj's post. Then I needed to have a break 😉 Looking at the situation today, showed me Ranger is back in Ambari as "known" and also showed the yellow arrows to restart due to config change. This led me to the assumption that something got messed up at config.change of Ranger and now it has been detected after the re-start of the components (and maybe waiting some time re-registering properly in Ambari).
Restarting Ranger via Ambari was successfull and now everything is "green" again Regards, Gerd
... View more
02-05-2016
08:42 PM
1 Kudo
@Neeraj Sabharwal , did a "sudo /etc/init.d/ranger-admin start", and verified that ranger-admin is running. But in Ambari still the same yellow sign....and in ambari logs no error, either ambari-server or -agent. ambari-agent.log: ambari-server.log (not that much entries after starting ranger-admin):
... View more
02-05-2016
08:20 PM
1 Kudo
Hi @Neeraj Sabharwal , unfortunately not, still the same situation. Log excerpt from ambari-agent: It is going to be late, maybe I can't see the forest but the trees ?!?! 😉
... View more