hbase-user mailing list archives

From Ted Yu <yuzhih...@gmail.com>
Subject Re: Create permission in global scope disappeared after HMaster restart
Date Thu, 03 Jul 2014 01:54:25 GMT
Have you read http://hbase.apache.org/book.html#d3314e6312 ?

For secure hbase deployments I worked with, kerberos has been the norm.

Secure hbase experts may have some insight.

Cheers


On Wed, Jul 2, 2014 at 6:47 PM, Weichen YE <yeweichen2010@gmail.com> wrote:

> Hi, Ted,
>
>       Thank you for your reply. I'm using hbase-0.94.2-cdh4.2.0.
>       I have two HMasters for HA. Once the active HMaster restarts or
> fails over, my user will lose its permission to create a new table. It seems
> that, by the shell command "grant 'username','RWCXA' ", users get only some
> kind of "temporary permission" for "C" and "A" in global scope.
>       I know if the user is set as "hbase.superuser" in hbase-site.xml, it
> will get a permanent permission in global scope. But what I want is just to
> give a user the permission to create a new table, so I just use "grant
> 'user', 'RWC'" to do this. It is really strange that the user loses its create
> permission after the active HMaster restarts.
>
> btw, this is a part of my hbase-site.xml:
>
> <property>
>     <name>hbase.security.authentication</name>
>     <value>simple</value>
> </property>
> <property>
>     <name>hbase.security.authorization</name>
>     <value>true</value>
> </property>
> <property>
>     <name>hbase.coprocessor.master.classes</name>
>     <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>     <name>hbase.coprocessor.region.classes</name>
>     <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>     <name>hbase.rpc.engine</name>
>     <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
> </property>
>
> 2014-07-03 0:07 GMT+08:00 Ted Yu <yuzhihong@gmail.com>:
>
> > What specific hbase release are you using ?
> > Was there only one HMaster before the restart ?
> >
> > Cheers
> >
> >
> > On Tue, Jul 1, 2014 at 10:57 PM, Weichen YE <yeweichen2010@gmail.com> wrote:
> >
> > > Hi, all,
> > >
> > > I have been using HBase 0.94. Now I use the following hbase shell
> > > command to give the user "Tom" the create and admin permission in
> > > global scope:
> > >
> > >                         hbase(main):001:0> grant 'Tom','RWCXA'
> > >
> > > After that, the user 'Tom' has the permission to create a new table, and
> > > we create a new table 'Tom-Table'. Now in the "_acl_" table we can see the
> > > following two rows:
> > >
> > > ROW          COLUMN+CELL
> > >  Tom-Table   column=l:Tom, timestamp=1404279643504, value=RWXCA
> > >  _acl_       column=l:Tom, timestamp=1404279584901, value=RWCXA
> > >
> > > Now the problem is, after I restart the HMaster, the user 'Tom' loses
> > > the ability to create a new table. The error log shows: "ERROR:
> > > org.apache.hadoop.hbase.security.AccessDeniedException:
> > > org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
> > > permissions for user 'Tom' (global, action=CREATE)"
> > >
> > > So, it seems that user "Tom" cannot keep the create permission in
> > > global scope after the HMaster is restarted. Does anyone know how to fix
> > > this? Or is there another way to give a user permanent create permission
> > > in global scope?
> > >
> >
>
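
An added example, not part of the original thread and not HBase code: a Python check that parses the security properties quoted above from hbase-site.xml and reports which ones leave the ACLs weak, in particular `simple` authentication, where the user name checked against the `_acl_` grants is supplied by the client. It does not diagnose the lost-permission behaviour reported in the thread; the function names and finding strings are assumptions of this example.

```python
import xml.etree.ElementTree as ET

AC = "org.apache.hadoop.hbase.security.access.AccessController"

# Property values as posted in the thread (rebuilt here as a complete file).
POSTED = {
    "hbase.security.authentication": "simple",
    "hbase.security.authorization": "true",
    "hbase.coprocessor.master.classes": AC,
    "hbase.coprocessor.region.classes":
        "org.apache.hadoop.hbase.security.token.TokenProvider," + AC,
    "hbase.rpc.engine": "org.apache.hadoop.hbase.ipc.SecureRpcEngine",
}


def to_site_xml(props):
    """Render a dict as hbase-site.xml text (helper for the sample only)."""
    body = "".join(
        f"<property><name>{k}</name><value>{v}</value></property>"
        for k, v in props.items())
    return f"<configuration>{body}</configuration>"


def audit_site_xml(xml_text):
    """Return a list of (property, finding) for the security settings."""
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        name = (p.findtext("name") or "").strip()
        if name:
            props[name] = (p.findtext("value") or "").strip()
    findings = []
    # Unset authentication behaves as "simple": the client states its own user name.
    auth = props.get("hbase.security.authentication", "simple").lower()
    if auth != "kerberos":
        findings.append(("hbase.security.authentication",
                         f"'{auth}': ACLs are checked against an unverified user name"))
    if props.get("hbase.security.authorization", "false").lower() != "true":
        findings.append(("hbase.security.authorization", "authorization is off"))
    # AccessController must be loaded on both the master and the regions.
    for key in ("hbase.coprocessor.master.classes",
                "hbase.coprocessor.region.classes"):
        classes = [c.strip() for c in props.get(key, "").split(",")]
        if AC not in classes:
            findings.append((key, "AccessController not loaded"))
    return findings


if __name__ == "__main__":
    for prop, finding in audit_site_xml(to_site_xml(POSTED)):
        print(f"{prop}: {finding}")
```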
