ambari-user mailing list archives

From Henning Kropp <hkr...@microlution.de>
Subject Re: Trying to create hbase tables after enabling Kerberos with Ambari
Date Mon, 21 Mar 2016 21:49:43 GMT
Hi,

what Robert suggested sounds to me exactly what you would need. It would 
help if you could provide your auth_to_local setting and the output of 
hbase> whoami

Another way to test your auth_to_locals setting would be to execute:
     % hadoop org.apache.hadoop.security.HadoopKerberosName trafodion-robertaCluster@TRAFKDC.COM

Please be aware that the rules are applied in order, so it is important 
to have the rule from Robert before the default rule.

A simpler rule could also be:
RULE:[1:$1@$0](trafodion-robertaCluster@TRAFKDC.COM)s/.*/trafodion/

The above rule will only work for this principal/user. Put it as the 
first line of your auth to local and use HadoopKerberosName to test if 
it is working.

Regards,
Henning


Am 21/03/16 um 21:40 schrieb Roberta Marton:
>
> Thanks for your suggestion.  My property settings did have the second 
> rule defined but not the first.
>
> However, it did not seem to help.
>
> I tried setting the rule several other ways but nothing seems to 
> work.  I still get the same behavior.
>
> Roberta
>
> *From:* Robert Levas [mailto:rlevas@hortonworks.com]
> *Sent:* Monday, March 21, 2016 11:21 AM
> *To:* user@ambari.apache.org
> *Subject:* Re: Trying to create hbase tables after enabling Kerberos 
> with Ambari
>
> Hi Roberta…
>
> It seems like you need an auth-to-local rule set up to translate 
> trafodion-robertaCluster@TRAFKDC.COM to trafodion.
>
> You can do this by editing the hadoop.security.auth_to_local property 
> under HDFS->Configs->Advanced->Advanced core-site.
>
> Adding the following rule should do the trick:
>
>     RULE:[1:$1@$0](.*-robertaCluster@TRAFKDC.COM)s/-robertaCluster@.*//
>
> You will need to add this rule to the ruleset before/above less 
> general rules like
>
>     RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//
>
> After adding this rule, save the config and restart the recommended 
> services.
>
> I hope this helps,
>
> Rob
>
> *From: *Roberta Marton <roberta.marton@esgyn.com>
> *Reply-To: *"user@ambari.apache.org" <user@ambari.apache.org>
> *Date: *Monday, March 21, 2016 at 2:08 PM
> *To: *"user@ambari.apache.org" <user@ambari.apache.org>
> *Subject: *Trying to create hbase tables after enabling Kerberos with 
> Ambari
>
> I am trying to install Kerberos on top of my Hortonworks 
> installation.  I have tried this with both versions 2.2 and 2.3 and 
> get similar results.
>
> After I enable Kerberos, I create a Linux user called trafodion and 
> grant this user all HBase permissions.
>
> I connect as trafodion but get permission errors when I try to create 
> a table.
>
> Details:
>
> [trafodion@myhost ~]$ whoami
>
> trafodion
>
> [trafodion@myhost ~]$ klist
>
> Ticket cache: FILE:/tmp/krb5cc_503
>
> Default principal: trafodion-robertaCluster@TRAFKDC.COM
>
> Valid starting     Expires            Service principal
>
> 03/21/16 16:39:33  03/22/16 16:39:33 krbtgt/TRAFKDC.COM@TRAFKDC.COM
>
>         renew until 03/21/16 16:39:33
>
> hbase shell
>
> hbase(main):002:0> whoami
>
> trafodion-robertaCluster@TRAFKDC.COM (auth:KERBEROS)OIw
>
> 2016-03-21 17:06:22,925 WARN  [main] security.UserGroupInformation: No 
> groups available for user trafodion-robertaCluster
>
> hbase(main):003:0> user_permission
>
> User Table,Family,Qualifier:Permission
>
> trafodion hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
>
> ambari-qa hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
>
> 2 row(s) in 1.7630 seconds
>
> hbase(main):004:0> create 't1', 'f1', 'f2'
>
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: 
> Insufficient permissions for user 'trafodion-robertaCluster' (global, 
> action=CREATE)
>
> I am able to perform ‘user_permission’ but not ‘create’
>
> Any suggestion on how to proceed?
>
>     Roberta
>
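
The rule ordering discussed in this thread, as an added example that is not part of the original messages and is not Hadoop's own code: a simplified Python model of first-match `RULE:[n:format](match)s/pattern/replacement/` evaluation, run against the principal from the `klist` output. The function and constant names are hypothetical, `hbase@TRAFKDC.COM` is a constructed principal, and the authoritative check on a cluster remains `HadoopKerberosName`.

```python
import re

# Simplified model (assumption): only RULE:[n:fmt](match)s/pat/repl/[g] is
# handled; DEFAULT and Hadoop's post-checks on the result are not modelled.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g)?)?")

# Rules quoted in the thread (single-principal rule spelled as in klist).
SPECIFIC_RULE = "RULE:[1:$1@$0](.*-robertaCluster@TRAFKDC.COM)s/-robertaCluster@.*//"
GENERAL_RULE = "RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//"
SINGLE_USER_RULE = "RULE:[1:$1@$0](trafodion-robertaCluster@TRAFKDC.COM)s/.*/trafodion/"

def translate(principal, rules):
    """Return the short name produced by the first rule that matches."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    for rule in rules:
        parsed = RULE_RE.fullmatch(rule.strip())
        if parsed is None:
            raise ValueError(f"unsupported rule: {rule}")
        count, fmt, match, pat, repl, glob = parsed.groups()
        if int(count) != len(components):
            continue  # rule is for principals with a different component count
        params = [realm] + components  # $0 is the realm, $1.. the components
        base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
        if match and not re.fullmatch(match, base):
            continue  # the filter regex must match the whole formatted string
        if pat is None:
            return base
        # Without the trailing g flag only the first occurrence is replaced.
        return re.sub(pat, repl, base, count=0 if glob else 1)
    raise LookupError(f"no rule matched {principal}")

if __name__ == "__main__":
    principal = "trafodion-robertaCluster@TRAFKDC.COM"
    orderings = {
        "general rule first": [GENERAL_RULE, SPECIFIC_RULE],
        "specific rule first": [SPECIFIC_RULE, GENERAL_RULE],
        "single-user rule first": [SINGLE_USER_RULE, GENERAL_RULE],
    }
    for label, rules in orderings.items():
        print(f"{label}: {principal} -> {translate(principal, rules)}")
```

With the general rule first, the short name is `trafodion-robertaCluster`, the name in the `AccessDeniedException`, rather than `trafodion`, the name that holds the HBase grant.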
