hbase-user mailing list archives

From Alex Nastetsky <anastet...@spryinc.com>
Subject Re: hbase.superuser group members do not have Admin rights
Date Mon, 24 Feb 2014 21:37:22 GMT
Additionally, it seems like the hbase.superuser ACL can only take a single
username, even if you don't include any groups. All usernames beyond the
first will be ignored.


On Mon, Feb 24, 2014 at 4:12 PM, Alex Nastetsky <anastetsky@spryinc.com> wrote:

> My understanding of the hbase.superuser ACL is that members of a user
> group specified here (prefixed with @) will have full rights on HBase.
> However, it seems that the ADMIN right is missing.
>
> Below, I have an example of using HBase as user "anastetsky" who belongs
> to a group specified in hbase.superuser. No explicit permissions have been
> granted to any user. I attempt to grant myself permissions (an ADMIN
> action), which fails. I then create a table "foo" to show that I still have
> "create" rights, because I belong to a superuser group. Members of the
> group can also "write" and "read", but not "admin".
>
> ---
>
> hbase(main):001:0> user_permission
> User
> Table,Family,Qualifier:Permission
> SLF4J: Class path contains multiple SLF4J bindings.
> SLF4J: Found binding in [jar:file:/usr/lib/hadoop/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: Found binding in [jar:file:/usr/lib/zookeeper/lib/slf4j-log4j12-1.6.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
> 0 row(s) in 4.3950 seconds
>
> hbase(main):002:0> grant 'anastetsky','RWC'
>
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=anastetsky@SPRY.COM, scope=GLOBAL, family=, action=ADMIN)
>         at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:356)
>         at org.apache.hadoop.hbase.security.access.AccessController.grant(AccessController.java:1272)
>         at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.grant(AccessControlProtos.java:9933)
>         at org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10097)
>         at org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:5102)
>         at org.apache.hadoop.hbase.regionserver.HRegionServer.execService(HRegionServer.java:3198)
>         at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:26933)
>         at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2175)
>         at org.apache.hadoop.hbase.ipc.RpcServer$Handler.run(RpcServer.java:1879)
>
> Here is some help for this command:
> Grant users specific rights.
> Syntax : grant <user> <permissions> [<table> [<column family> [<column qualifier>]]
>
> permissions is either zero or more letters from the set "RWXCA".
> READ('R'), WRITE('W'), EXEC('X'), CREATE('C'), ADMIN('A')
>
> For example:
>
>     hbase> grant 'bobsmith', 'RWXCA'
>     hbase> grant 'bobsmith', 'RW', 't1', 'f1', 'col1'
>
>
> hbase(main):003:0> create 'foo','bar'
> 0 row(s) in 1.0650 seconds
>
>
> Thanks in advance,
> Alex.
>
>
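
The check below is an added example, not part of the original post or of HBase: it reads the `hbase.superuser` entries from a config and flags `AccessDeniedException` lines, in the format quoted above, for principals the config lists as superusers directly or through an `@group`. The config, the group membership, the log lines and the short-name rule (text before the realm) are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config: one user and one group (groups carry the '@' prefix).
HBASE_SITE = """<configuration><property>
  <name>hbase.superuser</name><value>hbase,@hbaseadmins</value>
</property></configuration>"""

# Constructed group membership; on a real cluster this comes from the
# server-side Hadoop group mapping, not from a dict.
GROUPS = {"hbaseadmins": {"anastetsky"}}

# Constructed log lines in the format of the error quoted in the thread.
LOG = [
    "AccessDeniedException: Insufficient permissions (user=anastetsky@SPRY.COM, scope=GLOBAL, family=, action=ADMIN)",
    "AccessDeniedException: Insufficient permissions (user=guest@SPRY.COM, scope=GLOBAL, family=, action=CREATE)",
]

DENIED = re.compile(
    r"Insufficient permissions \(user=([^,]+), scope=([^,]*), family=([^,]*), action=(\w+)\)")

def superuser_entries(site_xml):
    """Return (users, groups) listed in hbase.superuser, whitespace-trimmed."""
    users, groups = set(), set()
    for prop in ET.fromstring(site_xml).iter("property"):
        if prop.findtext("name", "").strip() == "hbase.superuser":
            for entry in prop.findtext("value", "").split(","):
                entry = entry.strip()
                if entry.startswith("@"):
                    groups.add(entry[1:])
                elif entry:
                    users.add(entry)
    return users, groups

def unexpected_denials(site_xml, group_members, lines):
    """Denials for principals that the config says should be superusers."""
    users, groups = superuser_entries(site_xml)
    hits = []
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue
        principal, scope, _family, action = m.groups()
        short = principal.split("@", 1)[0]  # assumption: short name = part before the realm
        via = [g for g in sorted(groups) if short in group_members.get(g, ())]
        if short in users or via:
            hits.append((short, scope, action, via))
    return hits
```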
