initial hbase grants on a new secure hadoop cluster (without ranger)
So you get your ops team to stand up a "secure" (that is, Kerberos-enabled) Hadoop cluster, and then you try to create a table in the HBase shell. Lo and behold, you get slammed with an AccessDeniedException like the one shown below. Kerberos only gives you authentication; the denial is coming from HBase's own authorization layer (the AccessController coprocessor, which is turned on along with Kerberos on this cluster), and under it a freshly kerberized cluster starts every non-superuser with no permissions at all.
[student2@ip-172-30-0-42 ~]$ kinit
Password for student2@LAB.HORTONWORKS.NET:
[student2@ip-172-30-0-42 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_432201241
Default principal: student2@LAB.HORTONWORKS.NET

Valid starting       Expires              Service principal
03/04/2017 23:28:58  03/05/2017 09:28:58  krbtgt/LAB.HORTONWORKS.NET@LAB.HORTONWORKS.NET
	renew until 03/11/2017 23:28:53
[student2@ip-172-30-0-42 ~]$ hbase shell
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.1.2.2.5.3.0-37, rcb8c969d1089f1a34e9df11b6eeb96e69bcf878d, Tue Nov 29 18:48:22 UTC 2016

hbase(main):001:0> whoami
student2@LAB.HORTONWORKS.NET (auth:KERBEROS)
    groups: domain_users

hbase(main):003:0> create 's2test1', 'cf1'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=student2@LAB.HORTONWORKS.NET, scope=default, params=[namespace=default,table=default:s2test1,family=cf1],action=CREATE)

hbase(main):004:0>
Of course you do: you asked for a SECURE cluster, didn't you? So, how do you get past this? If you have Apache Ranger installed it gets a whole lot easier, because you manage the HBase policies from the Ranger UI instead of the shell, but I don't have it on this cluster. No big deal; it's still pretty easy with the shell's own grant command.
First, you need to become the hbase user and get a valid Kerberos ticket for it from the headless keytab, as shown below. This works because the principal that HBase itself runs as is an HBase superuser (the process user is added to the superuser list automatically, alongside anything in hbase.superuser), so it can grant in any namespace. That also means the headless keytab is effectively root for HBase, so keep it readable by the hbase user only. One other thing to notice in the klist output: the keytab carries des-cbc-md5 and des3-cbc-sha1 keys as well as the AES ones. Single DES has been deprecated for Kerberos since RFC 6649, so it's worth removing from the KDC's permitted enctypes rather than leaving it in every service keytab.
[root@ip-172-30-0-42 ~]# su - hbase
Last login: Sun Mar 5 00:08:19 UTC 2017 on pts/3
[hbase@ip-172-30-0-42 ~]$ klist -ket /etc/security/keytabs/hbase.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hbase.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 12/16/2016 19:00:02 hbase-telus_training@LAB.HORTONWORKS.NET (aes128-cts-hmac-sha1-96)
   0 12/16/2016 19:00:02 hbase-telus_training@LAB.HORTONWORKS.NET (des3-cbc-sha1)
   0 12/16/2016 19:00:02 hbase-telus_training@LAB.HORTONWORKS.NET (arcfour-hmac)
   0 12/16/2016 19:00:02 hbase-telus_training@LAB.HORTONWORKS.NET (aes256-cts-hmac-sha1-96)
   0 12/16/2016 19:00:02 hbase-telus_training@LAB.HORTONWORKS.NET (des-cbc-md5)
[hbase@ip-172-30-0-42 ~]$ kinit -kt /etc/security/keytabs/hbase.headless.keytab hbase-telus_training
[hbase@ip-172-30-0-42 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1017
Default principal: hbase-telus_training@LAB.HORTONWORKS.NET

Valid starting       Expires              Service principal
03/05/2017 00:10:17  03/05/2017 10:10:17  krbtgt/LAB.HORTONWORKS.NET@LAB.HORTONWORKS.NET
	renew until 03/12/2017 00:10:17
[hbase@ip-172-30-0-42 ~]$ hbase shell
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.1.2.2.5.3.0-37, rcb8c969d1089f1a34e9df11b6eeb96e69bcf878d, Tue Nov 29 18:48:22 UTC 2016

hbase(main):001:0> whoami
hbase-telus_training@LAB.HORTONWORKS.NET (auth:KERBEROS)
    groups: hadoop

hbase(main):002:0>
Now you grant as much permission as you are comfortable with. For my use case I want a unique namespace for each student account, with each account given enough rights inside its own namespace to create and manage tables in its own bubble, and nothing outside it. The permission string 'RWXC' is Read, Write, eXecute (run coprocessor endpoints) and Create (create, alter and drop tables). I am deliberately leaving out 'A' (Admin), so a student cannot grant or revoke permissions or run admin actions like compactions, splits and snapshots. Because the grant is made at namespace scope (the '@s2' form rather than a table name), it covers every table created in that namespace later on, so there is nothing to re-grant per table. Here's an example of doing that for just one account, student2.
hbase(main):007:0> create_namespace 's2'
0 row(s) in 0.0240 seconds

hbase(main):008:0> grant 'student2', 'RWXC', '@s2'
0 row(s) in 0.1380 seconds

hbase(main):007:0>
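As an added example that is not part of the original post: a small bash helper that generalizes the one-account grant above to every student account, emitting the create_namespace / grant / user_permission lines to pipe into the HBase shell. It assumes usernames of the form studentN mapped to namespace sN (the same convention the post uses for student2 and s2), that it is run as the HBase superuser with a valid ticket as shown earlier, and that the list of students is passed as arguments; the user_permission line is there so you can see each grant took effect before handing the account over.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Generates (and, if the hbase
# CLI is present, runs) the HBase shell commands that give each student a
# private namespace with RWXC on it. Assumptions: usernames look like
# "studentN" and map to namespace "sN"; the caller already holds the HBase
# superuser ticket (kinit with the headless keytab, as in the post).
set -eu

# Map a username to its namespace: student2 -> s2.
# Any other username is used verbatim as the namespace name.
ns_for_user() {
  user="$1"
  case "$user" in
    student[0-9]*) printf 's%s\n' "${user#student}" ;;
    *)             printf '%s\n' "$user" ;;
  esac
}

# Emit the HBase shell script for the given users. Permissions are R, W, X, C
# only (no 'A'/Admin), so a student cannot grant, revoke or run admin actions.
# The grant is namespace-scoped ('@ns'), so it covers all future tables there.
# user_permission '@ns' prints the resulting ACL entries for a visual check.
gen_hbase_grants() {
  for user in "$@"; do
    ns="$(ns_for_user "$user")"
    printf "create_namespace '%s'\n" "$ns"
    printf "grant '%s', 'RWXC', '@%s'\n" "$user" "$ns"
    printf "user_permission '@%s'\n" "$ns"
  done
}

# Example run for three constructed student accounts. When the hbase CLI is
# installed the script is piped into a non-interactive shell; otherwise it is
# just printed so you can review it first.
script="$(gen_hbase_grants student1 student2 student3)"
if command -v hbase >/dev/null 2>&1; then
  printf '%s\n' "$script" | hbase shell -n
else
  printf '%s\n' "$script"
fi
```

Two things to watch when running it for real: create_namespace is not idempotent, so rerunning it against a namespace that already exists fails with NamespaceExistException (check list_namespace first, or drop that line for existing namespaces), and hbase shell -n stops with a non-zero exit at the first failing command, which is what you want when a grant silently not happening would mean a student with no access. After the script runs, it is also worth logging in as a different student and confirming that a create in '@s2' is denied, so the bubbles really are separate.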
Now we just need to log back in as student2 and verify that a simple table create, put, and scan all work. (Note that the kdestroy below runs as root, which never had a ticket, so it does nothing; the hbase superuser ticket in /tmp/krb5cc_1017 is still live until it expires. Run kdestroy as the hbase user before exiting that shell if you don't want a superuser ticket sitting around on the box.)
hbase(main):009:0> exit
[hbase@ip-172-30-0-42 ~]$ exit
logout
[root@ip-172-30-0-42 ~]# kdestroy
kdestroy: No credentials cache found while destroying cache
[root@ip-172-30-0-42 ~]# su - student2
Last login: Sat Mar 4 23:28:43 UTC 2017 on pts/3
[student2@ip-172-30-0-42 ~]$ kinit
Password for student2@LAB.HORTONWORKS.NET:
[student2@ip-172-30-0-42 ~]$ hbase shell
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.1.2.2.5.3.0-37, rcb8c969d1089f1a34e9df11b6eeb96e69bcf878d, Tue Nov 29 18:48:22 UTC 2016

hbase(main):001:0> create 's2:test_table', 'fam'
0 row(s) in 1.4790 seconds

=> Hbase::Table - s2:test_table
hbase(main):002:0> put 's2:test_table', '1', 'fam:name', 'Lester'
0 row(s) in 0.1640 seconds

hbase(main):003:0> scan 's2:test_table'
ROW                  COLUMN+CELL
 1                   column=fam:name, timestamp=1488673828673, value=Lester
1 row(s) in 0.0230 seconds

hbase(main):004:0>
Voilà!