ambari-user mailing list archives

From Roberta Marton <roberta.mar...@esgyn.com>
Subject RE: Trying to create hbase tables after enabling Kerberos with Ambari
Date Tue, 22 Mar 2016 01:36:42 GMT
Thanks, I was able to create a table using a different - I ended up redoing
the installation and adding the specific rule suggested by Henning.

I know it is just for a specific user so I will play with it some more to
see if I can relax the rule some.



     Roberta



*From:* Henning Kropp [mailto:hkropp@microlution.de]
*Sent:* Monday, March 21, 2016 2:50 PM
*To:* user@ambari.apache.org
*Subject:* Re: Trying to create hbase tables after enabling Kerberos with
Ambari



Hi,

what Robert suggested sounds to me exactly what you would need. It would
help if you could provide your auth_to_local setting and the output of
hbase> whoami

Another way to test your auth_to_locals setting would be to execute:
    % hadoop org.apache.hadoop.security.HadoopKerberosName trafodion-robertaCluster@TRAFKDC.COM

Please be aware that the rules are applied in order, so it is important to
have the rule from Robert before the default rule.

A simpler rule could also be:
    RULE:[1:$1@$0](trafodion-robertaCluster@TRAFKDC.COM)s/.*/trafodion/

The above rule will only work for this principal/user. Put it as the first
line of your auth to local and use HadoopKerberosName to test if it is
working.

Regards,
Henning

On 21/03/16 at 21:40, Roberta Marton wrote:

Thanks for your suggestion.  My property settings did have the second rule
defined but not the first.

However, it did not seem to help.

I tried setting the rule several other ways but nothing seems to work.  I
still get the same behavior.



   Roberta



*From:* Robert Levas [mailto:rlevas@hortonworks.com]
*Sent:* Monday, March 21, 2016 11:21 AM
*To:* user@ambari.apache.org
*Subject:* Re: Trying to create hbase tables after enabling Kerberos with
Ambari



Hi Roberta…



It seems like you need an auth-to-local rule set up to translate
trafodion-robertaCluster@TRAFKDC.COM to trafodion.



You can do this by editing the hadoop.security.auth_to_local property under
HDFS->Configs->Advanced->Advanced core-site.



Adding the following rule should do the trick:



RULE:[1:$1@$0](.*-robertaCluster@TRAFKDC.COM)s/-robertaCluster@.*//



You will need to add this rule to the ruleset before/above less general
rules like



RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//



After adding this rule, save the config and restart the recommended
services.



I hope this helps,



Rob







*From: *Roberta Marton <roberta.marton@esgyn.com>
*Reply-To: *"user@ambari.apache.org" <user@ambari.apache.org>
*Date: *Monday, March 21, 2016 at 2:08 PM
*To: *"user@ambari.apache.org" <user@ambari.apache.org>
*Subject: *Trying to create hbase tables after enabling Kerberos with Ambari



I am trying to install Kerberos on top of my Hortonworks installation.  I
have tried this with both versions 2.2 and 2.3 and get similar results.

After I enable Kerberos, I create a Linux user called trafodion and grant
this user all HBase permissions.

I connect as trafodion but get permission errors when I try to create a
table.



Details:



[trafodion@myhost ~]$ whoami
trafodion

[trafodion@myhost ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: trafodion-robertaCluster@TRAFKDC.COM

Valid starting     Expires            Service principal
03/21/16 16:39:33  03/22/16 16:39:33  krbtgt/TRAFKDC.COM@TRAFKDC.COM
        renew until 03/21/16 16:39:33

hbase shell

hbase(main):002:0> whoami
trafodion-robertaCluster@TRAFKDC.COM(auth:KERBEROS)OIw
2016-03-21 17:06:22,925 WARN  [main] security.UserGroupInformation: No groups available for user trafodion-robertaCluster

hbase(main):003:0> user_permission
User                            Table,Family,Qualifier:Permission
trafodion                      hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
ambari-qa                      hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
2 row(s) in 1.7630 seconds

hbase(main):004:0> create 't1', 'f1', 'f2'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'trafodion-robertaCluster' (global, action=CREATE)



I am able to perform ‘user_permission’ but not ‘create’.



Any suggestion on how to proceed?



    Roberta
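
The rule ordering discussed in this thread, as an added example that is not part of the original messages and is not Hadoop's own code: a simplified Python model of auth_to_local evaluation showing why the general realm rule, when listed first, yields the short name 'trafodion-robertaCluster' that HBase then rejects. It assumes only rules of the form RULE:[n:format](match)s/pattern/replacement/ (no DEFAULT rule, no flags); the single-principal rule is written with the principal exactly as klist prints it, and the hbase-robertaCluster and nn/host1 principals are constructed for comparison.

```python
import re

# Simplified model (an assumption of this example) of how a rule of the form
# RULE:[n:format](match)s/pattern/replacement/ is applied to a principal.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/$")

def apply_rule(rule, principal):
    """Return the short name this rule produces, or None if it does not apply."""
    m = RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, match, pattern, replacement = m.groups()
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if len(components) != int(n):           # [n:...] must equal the component count
        return None
    parts = [realm] + components            # $0 is the realm, $1..$n the components
    base = re.sub(r"\$(\d)", lambda g: parts[int(g.group(1))], fmt)
    if re.fullmatch(match, base) is None:   # (match) must cover the whole string
        return None
    # Only the first occurrence of the pattern is replaced (no g flag modelled).
    return re.sub(pattern, lambda _m: replacement, base, count=1)

def short_name(rules, principal):
    """Rules are tried top to bottom; the first rule that applies wins."""
    for rule in rules:
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None

PRINCIPAL = "trafodion-robertaCluster@TRAFKDC.COM"   # from the klist output
OTHER = "hbase-robertaCluster@TRAFKDC.COM"           # constructed for comparison
GENERAL = "RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//"
CLUSTER = "RULE:[1:$1@$0](.*-robertaCluster@TRAFKDC.COM)s/-robertaCluster@.*//"
SINGLE = "RULE:[1:$1@$0](trafodion-robertaCluster@TRAFKDC.COM)s/.*/trafodion/"

if __name__ == "__main__":
    for label, rules in [("general first", [GENERAL, CLUSTER]),
                         ("cluster rule first", [CLUSTER, GENERAL]),
                         ("single-principal rule first", [SINGLE, GENERAL])]:
        for p in (PRINCIPAL, OTHER):
            print(f"{label:28} {p:40} -> {short_name(rules, p)}")
```

The single-principal rule leaves every other principal to the later rules, while the cluster-suffix rule rewrites every one-component principal ending in -robertaCluster, so the choice between them decides which principals inherit a local user's HBase grants.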
