hbase-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kevin Odell (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-7860) HBase authorization is reliant on Kerberos
Date Fri, 15 Feb 2013 20:39:13 GMT
Kevin Odell created HBASE-7860:
----------------------------------

             Summary: HBase authorization is reliant on Kerberos
                 Key: HBASE-7860
                 URL: https://issues.apache.org/jira/browse/HBASE-7860
             Project: HBase
          Issue Type: Bug
          Components: security
    Affects Versions: 0.94.4
            Reporter: Kevin Odell


We are currently unable to use ACLs without having Kerberos setup.  That is a pain for testing
and environments that have other authentication methods that are not Kerberos-centric.

safety valve:
<property>
     <name>hbase.security.authorization</name>
     <value>true</value>
</property>
<property>
     <name>hbase.coprocessor.master.classes</name>
     <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
     <name>hbase.coprocessor.region.classes</name>
     <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
</property>

[root@cdh4-oozie-1 ~]# hbase shell
hbase(main):001:0> create 't1', 'cf1'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException:
Insufficient permissions for user 'null' (global, action=CREATE)
	at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
	at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
	at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
	at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
	at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)

[root@cdh4-oozie-1 ~]# su hbase
bash-4.1$ hbase shell

hbase(main):001:0> create 't1', 'cf1'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException:
Insufficient permissions for user 'null' (global, action=CREATE)
	at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
	at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
	at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
	at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
	at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)

It looks like we are relying on Kerberos to tell us who the user is, but since we are not
using authentication, we are just passing NULL.  We should be able to just rely on the local
fs account.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message