hbase-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Nastetsky <anastet...@spryinc.com>
Subject hbase.superuser group members do not have Admin rights
Date Mon, 24 Feb 2014 21:12:48 GMT
My understanding of the hbase.superuser ACL is that members of a user group
specified here (prefixed with @) will have full rights on HBase. However,
it seems that the ADMIN right is missing.

Below, I have an example of using HBase as user "anastetsky" who belongs to
a group specified in hbase.superuser. No explicit permissions have been
granted to any user. I attempt to grant myself permissions (an ADMIN
action), which fails. I then create a table "foo" to show that I still have
"create" rights, because I belong to a superuser group. Members of the
group can also "write" and "read", but not "admin".

---

hbase(main):001:0> user_permission
User
Table,Family,Qualifier:Permission
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in
[jar:file:/usr/lib/hadoop/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in
[jar:file:/usr/lib/zookeeper/lib/slf4j-log4j12-1.6.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an
explanation.
0 row(s) in 4.3950 seconds

hbase(main):002:0> grant 'anastetsky','RWC'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions (user=anastetsky@SPRY.COM, scope=GLOBAL, family=, action=ADMIN)
        at
org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:356)
        at
org.apache.hadoop.hbase.security.access.AccessController.grant(AccessController.java:1272)
        at
org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.grant(AccessControlProtos.java:9933)
        at
org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10097)
        at
org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:5102)
        at
org.apache.hadoop.hbase.regionserver.HRegionServer.execService(HRegionServer.java:3198)
        at
org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:26933)
        at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2175)
        at
org.apache.hadoop.hbase.ipc.RpcServer$Handler.run(RpcServer.java:1879)

Here is some help for this command:
Grant users specific rights.
Syntax : grant <user> <permissions> [<table> [<column family> [<column
qualifier>]]

permissions is either zero or more letters from the set "RWXCA".
READ('R'), WRITE('W'), EXEC('X'), CREATE('C'), ADMIN('A')

For example:

    hbase> grant 'bobsmith', 'RWXCA'
    hbase> grant 'bobsmith', 'RW', 't1', 'f1', 'col1'


hbase(main):003:0> create 'foo','bar'
0 row(s) in 1.0650 seconds


Thanks in advance,
Alex.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message