From Don Bosco Durai <bo...@apache.org>
Subject Re: doAs() with Ranger HBase plugin
Date Thu, 17 Dec 2015 19:22:38 GMT
Chris

The Ranger plugin uses the same user/group made available by the component. So in your case, HBase
is getting the service user, which I assume is your “springboot” app user.

You might want to do a couple of things:
Check the HBase logs to see if there are any errors (like impersonation not allowed for your service
user).
Make sure your service user is allowed to act as a proxy user.
Core-site.xml for HBase:

    <property>
      <name>hadoop.proxyuser.oozie.groups</name>
      <value>*</value>
    </property>
    <property>
      <name>hadoop.proxyuser.oozie.hosts</name>
      <value>*</value>
    </property>


Bosco


From:  Chris Gent <chris.gent@bigdatapartnership.com>
Reply-To:  <user@ranger.incubator.apache.org>
Date:  Thursday, December 17, 2015 at 5:46 AM
To:  <user@ranger.incubator.apache.org>
Subject:  doAs() with Ranger HBase plugin


Hi,

For a client we're building a system that calls the HBase Java API from within our own springboot
app. The goal is to be able to audit and authorize data access to the various user requests
being made against HBase (possibly down to column family level) using Ranger.

The solution is based on how this same process appears to work in e.g. Oozie.

A snippet of the application code looks like this where doAsUser is the end user's username:


import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

// Proxy UGI: doAsUser is the end user's name, the login user is the app's own (Kerberos) service user
UserGroupInformation ugi = UserGroupInformation.createProxyUser(doAsUser, UserGroupInformation.getLoginUser());

try {
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            LOGGER.info("HBase put as user " + ugi.getShortUserName());
            table.put(put);
            return null;
        }
    });
} catch (IOException | InterruptedException e) {
    ...
}



When we run the application any user supplied in the doAsUser will successfully write to HBase
even if no policy is defined in Ranger for that user. When I look in the audit logs it is
the application service user that is being recorded as making the writes.

I should note that the cluster is kerberized and we are on HDP2.3.

Does anyone know how to get this working for HBase?

If I look at the sample authorizer on https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207
then I think our approach would work against the sample authorizer described. Is the HBase
plugin behaving differently?

Thanks in advance for any assistance with this problem.


-- 
Christopher Gent



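Bosco's second check above (is the service user allowed to act as a proxy user?) depends on the hadoop.proxyuser.* entries in core-site.xml, and Chris's symptom (the service user, not doAsUser, shows up in the audit log) is what you see when that check fails. The following Python is an added example, not code from either post: it mirrors the rules Hadoop applies for proxy users in simplified form (no DNS or CIDR handling, hostnames compared as strings), and the service user name springboot, the group analysts and the hostnames are assumed for illustration.

```python
"""Check whether a Hadoop proxy user may impersonate a given end user from a given host,
using the hadoop.proxyuser.<superuser>.{users,groups,hosts} settings from core-site.xml."""
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment (assumed names): "springboot" may act for members of
# group "analysts" only from app01.example.com; "oozie" is fully open, as in Bosco's snippet.
CORE_SITE_XML = """<configuration>
  <property><name>hadoop.proxyuser.springboot.groups</name><value>analysts</value></property>
  <property><name>hadoop.proxyuser.springboot.hosts</name><value>app01.example.com</value></property>
  <property><name>hadoop.proxyuser.oozie.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.oozie.hosts</name><value>*</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."


def load_proxyuser_config(xml_text):
    """Return {superuser: {"users": set, "groups": set, "hosts": set}} from core-site.xml text."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name", "").strip()
        value = prop.findtext("value", "").strip()
        if not name.startswith(PREFIX):
            continue
        superuser, _, key = name[len(PREFIX):].rpartition(".")
        if not superuser or key not in ("users", "groups", "hosts"):
            continue
        entry = rules.setdefault(superuser, {"users": set(), "groups": set(), "hosts": set()})
        entry[key].update(v.strip() for v in value.split(",") if v.strip())
    return rules


def _matches(allowed, candidates):
    """'*' allows everything; otherwise at least one candidate must be listed."""
    return "*" in allowed or bool(allowed & set(candidates))


def can_impersonate(rules, superuser, target_user, target_groups, remote_host):
    """True only if BOTH the user/group test and the host test pass, as Hadoop requires.
    A superuser with no hadoop.proxyuser.* entries at all is never allowed to impersonate."""
    entry = rules.get(superuser)
    if entry is None:
        return False
    user_ok = _matches(entry["users"], [target_user]) or _matches(entry["groups"], target_groups)
    host_ok = _matches(entry["hosts"], [remote_host])
    return user_ok and host_ok
```

Run can_impersonate() with the service user, the doAsUser value, that user's groups and the host the app runs on; a False result is the configuration side of the "is not allowed to impersonate" error Bosco suggests looking for in the HBase logs.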

