ambari-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roberta Marton <>
Subject RE: Trying to create hbase tables after enabling Kerberos with Ambari
Date Tue, 22 Mar 2016 01:36:42 GMT
Thanks, I was able to create a table using a different - I ended up redoing
the installation and adding the specific rule suggested by Henning.

I know it is just for a specific user so I will play with it some more to
see if I can relax the rule some.


*From:* Henning Kropp []
*Sent:* Monday, March 21, 2016 2:50 PM
*Subject:* Re: Trying to create hbase tables after enabling Kerberos with


what Robert suggested sounds to me exactly what you would need. It would
help if you could provide your auth_to_local setting and the output of
hbase> whoami

Another way to test your auth_to_locals setting would be to execute:
    % hadoop

Please be aware that the rules are applied in order, so it is important to
have the rule from Robert before the default rule.

A more simple rule could also be:

The above rule will only work for this principal/user. Put it as the first
line of your auth to local and use HadoopKerberosName to test if it is


Am 21/03/16 um 21:40 schrieb Roberta Marton:

Thanks for your suggestion.  My property settings did have the second rule
defined but not the first.

However, it did not seem to help.

I tried setting the rule several other ways but nothing seems to work.  I
still get the same behavior.


*From:* Robert Levas []
*Sent:* Monday, March 21, 2016 11:21 AM
*Subject:* Re: Trying to create hbase tables after enabling Kerberos with

Hi Roberta…

It seems like you need an auth-to-local run set up to translate
trafodion-robertaCluster@TRAFKDC.COM to trafodion.

To can do this by editing the property under
HDFS->Configs->Advanced->Advanced core-site.

Adding the following rule should do the trick:


You will need to add this rule to the ruleset before/above less general
rules like


After adding this rule, save the config and restart the recommended

I hope this helps,


*From: *Roberta Marton <>
*Reply-To: *"" <>
*Date: *Monday, March 21, 2016 at 2:08 PM
*To: *"" <>
*Subject: *Trying to create hbase tables after enabling Kerberos with Ambari

I am trying to install Kerberos on top of my Hortonworks installation.  I
have tried this with both versions 2.2 and 2.3 and get similar results.

After I enable Kerberos, I create a Linux user called trafodion and grant
this user all HBase permissions.

I connect as trafodion but get permission errors when I try to create a


[trafodion@myhost ~]$ whoami


[trafodion@myhost ~]$ klist

Ticket cache: FILE:/tmp/krb5cc_503 <FILE:///\\tmp\krb5cc_503>

Default principal: trafodion-robertaCluster@TRAFKDC.COM

Valid starting     Expires            Service principal

03/21/16 16:39:33  03/22/16 16:39:33  krbtgt/TRAFKDC.COM@TRAFKDC.COM

        renew until 03/21/16 16:39:33

hbase shell

hbase(main):002:0> whoami


2016-03-21 17:06:22,925 WARN  [main] security.UserGroupInformation: No
groups available for user trafodion-robertaCluster

hbase(main):003:0> user_permission

User                            Table,Family,Qualifier:Permission

trafodion                      hbase:acl,,: [Permission:

ambari-qa                      hbase:acl,,: [Permission:

2 row(s) in 1.7630 seconds

hbase(main):004:0> create 't1', 'f1', 'f2'

ERROR: Insufficient
permissions for user 'trafodion-robertaCluster' (global, action=CREATE)

I am able to perform ‘user_permission’ but not ‘create’

Any suggestion on how to proceed?


View raw message