hbase-issues mailing list archives

From "Gary Helmling (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-7860) HBase authorization is reliant on Kerberos
Date Fri, 15 Feb 2013 21:27:16 GMT

    [ https://issues.apache.org/jira/browse/HBASE-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13579515#comment-13579515 ]

Gary Helmling commented on HBASE-7860:
--------------------------------------

Do you have SecureRpcEngine configured in your hbase-site.xml?  You need this in your config:
{noformat}
  <property>
    <name>hbase.rpc.engine</name>
    <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
    <description>Implementation of org.apache.hadoop.hbase.ipc.RpcEngine to be
    used for client / server RPC call marshalling.
    </description>
  </property>
{noformat}

With this configured, you should be able to use AccessController, while only relying on simple
auth (not Kerberos).
                
> HBase authorization is reliant on Kerberos
> ------------------------------------------
>
>                 Key: HBASE-7860
>                 URL: https://issues.apache.org/jira/browse/HBASE-7860
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.4
>            Reporter: Kevin Odell
>
> We are currently unable to use ACLs without having Kerberos set up.  That is a pain for testing and environments that have other authentication methods that are not Kerberos-centric.
> safety valve:
> <property>
>      <name>hbase.security.authorization</name>
>      <value>true</value>
> </property>
> <property>
>      <name>hbase.coprocessor.master.classes</name>
>      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>      <name>hbase.coprocessor.region.classes</name>
>      <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> [root@cdh4-oozie-1 ~]# hbase shell
> hbase(main):001:0> create 't1', 'cf1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'null' (global, action=CREATE)
> 	at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
> 	at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
> 	at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
> 	at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 	at java.lang.reflect.Method.invoke(Method.java:597)
> 	at org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
> 	at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
> [root@cdh4-oozie-1 ~]# su hbase
> bash-4.1$ hbase shell
> hbase(main):001:0> create 't1', 'cf1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'null' (global, action=CREATE)
> 	at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
> 	at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
> 	at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
> 	at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 	at java.lang.reflect.Method.invoke(Method.java:597)
> 	at org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
> 	at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
> It looks like we are relying on Kerberos to tell us who the user is, but since we are not using authentication, we are just passing NULL.  We should be able to just rely on the local fs account.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
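
A configuration check for the situation in this thread, added here as an example (it is not part of the original message or of HBase): it parses an hbase-site.xml document and reports when AccessController is loaded as a coprocessor while `hbase.rpc.engine` is not set to SecureRpcEngine. The function names and the embedded sample documents are constructed for illustration; the property names and class names are the ones quoted above.

```python
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
SECURE_ENGINE = "org.apache.hadoop.hbase.ipc.SecureRpcEngine"
COPROCESSOR_KEYS = ("hbase.coprocessor.master.classes",
                    "hbase.coprocessor.region.classes")

def load_properties(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def acl_coprocessor_keys(props):
    """Coprocessor properties whose comma-separated list names AccessController."""
    return [key for key in COPROCESSOR_KEYS
            if ACCESS_CONTROLLER in
            [cls.strip() for cls in props.get(key, "").split(",")]]

def check_acl_config(xml_text):
    """Return a list of findings; an empty list means nothing to report."""
    props = load_properties(xml_text)
    loaded_in = acl_coprocessor_keys(props)
    if not loaded_in:
        return []  # AccessController is not loaded, nothing to check
    engine = props.get("hbase.rpc.engine")
    if engine == SECURE_ENGINE:
        return []
    # The thread shows requests arriving as user 'null' in this state.
    return ["AccessController loaded via %s but hbase.rpc.engine is %r "
            "(expected %s)" % (", ".join(loaded_in), engine, SECURE_ENGINE)]

# Constructed sample inputs: a subset of the reported settings, then the
# same document with the hbase.rpc.engine property from the comment added.
REPORTED = """<configuration>
  <property><name>hbase.security.authorization</name><value>true</value></property>
  <property><name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
</configuration>"""
FIXED = REPORTED.replace(
    "</configuration>",
    "<property><name>hbase.rpc.engine</name><value>%s</value></property>"
    "</configuration>" % SECURE_ENGINE)

if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("fixed", FIXED)):
        print(label, check_acl_config(text) or "ok")
```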
