hbase-user mailing list archives

From Suresh Subbiah <suresh.subbia...@gmail.com>
Subject Re: Unexpected behaviour when VisibilityController coprocessor is used
Date Mon, 12 Oct 2015 20:14:53 GMT
Hi Ted,

I understand that using VisibilityController on an unsecure cluster is of
limited value. I am still in the early stages of my task. I am logged in as
HBase super user and was simply checking if rows could be accessed.

With my colleague's help we did get the cluster enabled for secure HBase
with Kerberos. I repeated the test to get the same result. Our cluster is
on 1.0. Do you think I may be doing something incorrectly? What information
can I send to help ensure that I have not made a mistake?

Thanks
Suresh

hbase shell
15/10/12 14:35:09 INFO Configuration.deprecation: hadoop.native.lib is
deprecated. Instead, use io.native.lib.available
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.0.0-cdh5.4.4, rUnknown, Mon Jul  6 16:59:55 PDT 2015

hbase(main):001:0> create 'visibilityTest', 'f1'
0 row(s) in 0.7780 seconds

=> Hbase::Table - visibilityTest
hbase(main):002:0> put 'visibilityTest', 'r1', 'f1:c1', 'value1'
0 row(s) in 0.1300 seconds

hbase(main):003:0> deleteall 'visibilityTest', 'r1'
0 row(s) in 0.0330 seconds

hbase(main):004:0> put 'visibilityTest', 'r1', 'f1:c1', 'value2'
0 row(s) in 0.0150 seconds

hbase(main):005:0> scan 'visibilityTest'
ROW                   COLUMN+CELL

0 row(s) in 0.0550 seconds

hbase(main):006:0> scan 'visibilityTest', {RAW=>TRUE}
ROW                   COLUMN+CELL

 r1                   column=f1:, timestamp=1444660561138, type=DeleteFamily
 r1                   column=f1:c1, timestamp=1444660576868, value=value2

1 row(s) in 0.0370 seconds

-----------------------------------------------------
<property>
  <name>hbase.coprocessor.master.classes</name>
  <value>org.apache.hadoop.hbase.security.visibility.VisibilityController,org.apache.hadoop.hbase.security.access.AccessController</value>
</property>

<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.visibility.VisibilityController,org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.hadoop.hbase.security.access.AccessController</value>
</property>

--------------------------------------------------------




On Sat, Oct 10, 2015 at 9:51 PM, Ted Yu <yuzhihong@gmail.com> wrote:

> To my understanding, VisibilityController is used in a secure cluster.
> Without security, how do you enforce that only select user(s) can access
> certain cells ?
>
> Please see the following sections in refguide:
>
> http://hbase.apache.org/book.html#hbase.secure.configuration
>
> http://hbase.apache.org/book.html#_server_side_configuration_for_simple_user_access_operation
>
> On Sat, Oct 10, 2015 at 7:40 PM, Suresh Subbiah <
> suresh.subbiah60@gmail.com>
> wrote:
>
> > Hi Ted,
> >
> > Thank you for your response.
> > I found a machine with HBase 1.0.0 and tried the script with all 6 coprocs
> > you listed (2 in master, and 4 in RS). I still do not see the row after the
> > second scan.
> >
> > However my cluster is not secure enabled I think. Is that necessary? I am
> > not sure how to do that, though I can ask other members of my team and try
> > it if that will help.
> >
> > It will be ideal if we could get this to work on a 1.0 based version.
> > Moving to 1.1 will take more time since we have some dependencies.
> >
> > Thank you
> > Suresh
> >
> > 15/10/10 19:20:44 INFO Configuration.deprecation: hadoop.native.lib is
> > deprecated. Instead, use io.native.lib.available
> > HBase Shell; enter 'help<RETURN>' for list of supported commands.
> > Type "exit<RETURN>" to leave the HBase Shell
> > Version 1.0.0-cdh5.4.4, rUnknown, Mon Jul  6 16:59:55 PDT 2015
> >
> > *hbase(main):001:0> create 'visibilityTest', 'f1' *
> > *0 row(s) in 0.5460 seconds*
> >
> > *=> Hbase::Table - visibilityTest*
> > *hbase(main):002:0> put 'visibilityTest', 'r1', 'f1:c1', 'value1' *
> > *0 row(s) in 0.0670 seconds*
> >
> > *hbase(main):003:0> deleteall 'visibilityTest', 'r1' *
> > *0 row(s) in 0.0090 seconds*
> >
> > *hbase(main):004:0> put 'visibilityTest', 'r1', 'f1:c1', 'value2'*
> > *0 row(s) in 0.0040 seconds*
> >
> > *hbase(main):005:0> scan 'visibilityTest'*
> > *ROW                   COLUMN+CELL*
> > *0 row(s) in 0.0160 seconds*
> >
> > *hbase(main):006:0> scan 'visibilityTest', {RAW=>TRUE}*
> > *ROW                   COLUMN+CELL*
> > * r1                   column=f1:, timestamp=1444530064056, type=DeleteFamily*
> > * r1                   column=f1:c1, timestamp=1444530064084, value=value2*
> > *1 row(s) in 0.0580 seconds*
> >
> > *hbase(main):007:0> exit*
> >
> >
> > On Sat, Oct 10, 2015 at 7:26 PM, Ted Yu <yuzhihong@gmail.com> wrote:
> >
> > > I tried the sequence of commands from your example on a secure 1.1.2
> > > cluster with the following config:
> > >
> > >     <property>
> > >       <name>hbase.coprocessor.master.classes</name>
> > >       <value>org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
> > >     </property>
> > >     <property>
> > >       <name>hbase.coprocessor.region.classes</name>
> > >       <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
> > >     </property>
> > >
> > > I got:
> > >
> > > hbase(main):005:0> scan 'visibilityTest'
> > > ROW                                           COLUMN+CELL
> > >  r1                                           column=f1:c1,
> > > timestamp=1444522994981, value=value2
> > > 1 row(s) in 0.1020 seconds
> > >
> > > Can you try again with 0.98.15 release whose vote passed Friday to see if
> > > what you observed can be reproduced ?
> > >
> > > Cheers
> > >
> > > On Sat, Oct 10, 2015 at 3:58 PM, Suresh Subbiah <
> > > suresh.subbiah60@gmail.com>
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > When I run the following script from hbase shell the last scan returns no
> > > > rows
> > > >
> > > > create 'visibilityTest', 'f1'
> > > > put 'visibilityTest', 'r1', 'f1:c1', 'value1'
> > > > deleteall 'visibilityTest', 'r1'
> > > > put 'visibilityTest', 'r1', 'f1:c1', 'value2'
> > > > scan 'visibilityTest'
> > > >
> > > > *hbase(main):013:0> scan 'visibilityTest'*
> > > > *ROW                   COLUMN+CELL*
> > > > *0 row(s) in 0.0100 seconds*
> > > >
> > > >
> > > > However if I run
> > > > scan 'visibilityTest' , {RAW=>TRUE}
> > > >
> > > > I see that the second row that I put is indeed there and has a timestamp
> > > > value higher than the previous delete
> > > >
> > > > *hbase(main):014:0> scan 'visibilityTest', {RAW=>TRUE}*
> > > > *ROW                   COLUMN+CELL*
> > > > * r1                   column=f1:, timestamp=1444516578296, type=DeleteFamily*
> > > > * r1                   column=f1:c1, timestamp=1444516647655, value=value2*
> > > > *1 row(s) in 0.0110 seconds*
> > > >
> > > >
> > > >
> > > > This is on hbase 0.98.6.  Problem is seen only when hbase-site.xml has
> > > > these lines. No other coprocessors were used during this test.
> > > >
> > > > <property>
> > > >   <name>hbase.coprocessor.region.classes</name>
> > > >   <value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
> > > > </property>
> > > > <property>
> > > >   <name>hbase.coprocessor.master.classes</name>
> > > >   <value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
> > > > </property>
> > > > <property>
> > > >   <name>hfile.format.version</name>
> > > >   <value>3</value>
> > > > </property>
> > > >
> > > > Any suggestions of what I may be doing incorrectly? Or is this a bug?
> > > >
> > > > Thank you
> > > > Suresh
> > > >
> > >
> >
>
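
Added example, not part of the original messages: a small Python check that parses the `scan ..., {RAW=>TRUE}` output quoted in this thread and lists the puts a plain scan would be expected to return, assuming the standard HBase rule that a DeleteFamily marker masks only cells in the same row and family at or below its timestamp. The function names are hypothetical; the sample lines are the ones from the message dated 12 Oct 2015.

```python
import re

# Raw-scan lines copied from the 2015-10-12 message above (wrapped lines rejoined).
RAW_SCAN = """\
 r1                   column=f1:, timestamp=1444660561138, type=DeleteFamily
 r1                   column=f1:c1, timestamp=1444660576868, value=value2
"""

# One cell per line: row, column=family:qualifier, timestamp, then type= or value=.
CELL_RE = re.compile(
    r"^\s*(?P<row>\S+)\s+column=(?P<family>[^:,]+):(?P<qualifier>[^,]*),\s*"
    r"timestamp=(?P<ts>\d+),\s*(?:type=(?P<type>\w+)|value=(?P<value>.*))$"
)

def parse_raw_scan(text):
    """Parse `scan ..., {RAW=>TRUE}` shell output into a list of cell dicts."""
    cells = []
    for line in text.splitlines():
        m = CELL_RE.match(line.rstrip())
        if m:  # header and "N row(s)" lines do not match and are skipped
            cell = m.groupdict()
            cell["ts"] = int(cell["ts"])
            cells.append(cell)
    return cells

def expected_visible(cells):
    """Return (row, column, value) for puts not masked by a DeleteFamily marker.

    Assumption: only DeleteFamily is modelled (the only marker type in the
    thread); other marker types and max-versions trimming are ignored.
    """
    newest_marker = {}
    for c in cells:
        if c["type"] == "DeleteFamily":
            key = (c["row"], c["family"])
            newest_marker[key] = max(newest_marker.get(key, -1), c["ts"])
    visible = []
    for c in cells:
        masked_up_to = newest_marker.get((c["row"], c["family"]), -1)
        if c["type"] is None and c["ts"] > masked_up_to:
            visible.append((c["row"], f'{c["family"]}:{c["qualifier"]}', c["value"]))
    return visible

if __name__ == "__main__":
    # The put is newer than the marker, so a plain scan should return it.
    print(expected_visible(parse_raw_scan(RAW_SCAN)))
```

A non-empty result here alongside an empty plain `scan` is the mismatch the thread reports.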
