initial hbase grants on a new secure hadoop cluster (without ranger)

So you get your ops guy to stand up a "secure" (aka Kerberos-enabled) Hadoop cluster and then you try to create a table in the shell.  Lo and behold, you get slammed with an AccessDeniedException like the one shown below.

[student2@ip-172-30-0-42 ~]$ kinit
Password for student2@LAB.HORTONWORKS.NET: 
[student2@ip-172-30-0-42 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_432201241
Default principal: student2@LAB.HORTONWORKS.NET

Valid starting       Expires              Service principal
03/04/2017 23:28:58  03/05/2017 09:28:58  krbtgt/LAB.HORTONWORKS.NET@LAB.HORTONWORKS.NET
    renew until 03/11/2017 23:28:53
[student2@ip-172-30-0-42 ~]$ hbase shell
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.1.2.2.5.3.0-37, rcb8c969d1089f1a34e9df11b6eeb96e69bcf878d, Tue Nov 29 18:48:22 UTC 2016

hbase(main):001:0> whoami
student2@LAB.HORTONWORKS.NET (auth:KERBEROS)
    groups: domain_users

hbase(main):003:0> create 's2test1', 'cf1'

ERROR:
 org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
permissions (user=student2@LAB.HORTONWORKS.NET, scope=default, 
params=[namespace=default,table=default:s2test1,family=cf1],action=CREATE)

hbase(main):004:0>

Of course you do – you wanted a SECURE cluster, didn't ya?!?!  LOL!  So, how do you get past this?  Well, if you have Apache Ranger installed it gets a heck of a lot easier, but I don't.  No biggy, it's still pretty easy.

First, you need to become the hbase user and get a valid Kerberos ticket from the hbase headless keytab by doing something like the following.

[root@ip-172-30-0-42 ~]# su - hbase
Last login: Sun Mar  5 00:08:19 UTC 2017 on pts/3
[hbase@ip-172-30-0-42 ~]$ klist -ket /etc/security/keytabs/hbase.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hbase.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 12/16/2016 19:00:02 hbase-telus_training@LAB.HORTONWORKS.NET (aes128-cts-hmac-sha1-96) 
   0 12/16/2016 19:00:02 hbase-telus_training@LAB.HORTONWORKS.NET (des3-cbc-sha1) 
   0 12/16/2016 19:00:02 hbase-telus_training@LAB.HORTONWORKS.NET (arcfour-hmac) 
   0 12/16/2016 19:00:02 hbase-telus_training@LAB.HORTONWORKS.NET (aes256-cts-hmac-sha1-96) 
   0 12/16/2016 19:00:02 hbase-telus_training@LAB.HORTONWORKS.NET (des-cbc-md5) 
[hbase@ip-172-30-0-42 ~]$ kinit -kt /etc/security/keytabs/hbase.headless.keytab hbase-telus_training
[hbase@ip-172-30-0-42 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1017
Default principal: hbase-telus_training@LAB.HORTONWORKS.NET

Valid starting       Expires              Service principal
03/05/2017 00:10:17  03/05/2017 10:10:17  krbtgt/LAB.HORTONWORKS.NET@LAB.HORTONWORKS.NET
    renew until 03/12/2017 00:10:17
[hbase@ip-172-30-0-42 ~]$ hbase shell
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.1.2.2.5.3.0-37, rcb8c969d1089f1a34e9df11b6eeb96e69bcf878d, Tue Nov 29 18:48:22 UTC 2016

hbase(main):001:0> whoami
hbase-telus_training@LAB.HORTONWORKS.NET (auth:KERBEROS)
    groups: hadoop

hbase(main):002:0> 

Now you just need to give out as many permissions as you feel comfortable with.  For my use case I want to create a unique namespace for each of my student accounts and then give each account admin-level rights to its own namespace so they can create and manage tables in their own bubble.  Here's an example of doing that for just one account, student2.

hbase(main):007:0> create_namespace 's2'
0 row(s) in 0.0240 seconds

hbase(main):008:0> grant 'student2', 'RWXC', '@s2'
0 row(s) in 0.1380 seconds

hbase(main):007:0> 
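Doing the same thing for a whole class at once, as an added example that is not part of the original post: the script below generates the namespace/grant commands for each student account (using the post's studentN -> sN naming convention) and, only when invoked with --apply, runs them through `hbase shell` after authenticating with the hbase headless keytab. The keytab path and principal are taken from the session above and are assumptions for your cluster; the `user_permission '@ns'` line is included so you can see exactly what each account ended up with.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): bulk version of the manual
# create_namespace + grant steps, one namespace per student account.
set -eu

# Assumed values, copied from the post's session; adjust for your cluster.
HBASE_KEYTAB=/etc/security/keytabs/hbase.headless.keytab
HBASE_PRINCIPAL=hbase-telus_training

# Derive the namespace name from the account name: studentN -> sN.
ns_for_user() {
  printf '%s\n' "$1" | sed -E 's/^student([0-9]+)$/s\1/'
}

# Print the HBase shell commands for a list of accounts. Each user gets RWXC
# on its own namespace only ('@ns' scope), never on 'default' or cluster-wide,
# and never the 'A' (admin) permission.
gen_grant_commands() {
  local user ns
  for user in "$@"; do
    ns=$(ns_for_user "$user")
    printf "create_namespace '%s'\n" "$ns"
    printf "grant '%s', 'RWXC', '@%s'\n" "$user" "$ns"
    printf "user_permission '@%s'\n" "$ns"   # show what was actually granted
  done
  printf 'exit\n'
}

# Apply: run this as the hbase OS user (su - hbase), authenticate with the
# headless keytab, pipe the generated commands into the shell, then drop the
# service ticket so it does not linger in the ticket cache.
apply_grants() {
  kinit -kt "$HBASE_KEYTAB" "$HBASE_PRINCIPAL"
  gen_grant_commands "$@" | hbase shell
  kdestroy
}

# Nothing touches the cluster unless explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  shift
  apply_grants "$@"
fi
```

Run `./grants.sh student2 student3` (no flag) to just preview the generated commands via `gen_grant_commands`, or `./grants.sh --apply student2 student3` as the hbase user to apply them.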

Now, we just need to log back in as student2 and verify that a simple table create, put, and scan can be done.

hbase(main):009:0> exit
[hbase@ip-172-30-0-42 ~]$ exit
logout
[root@ip-172-30-0-42 ~]# kdestroy
kdestroy: No credentials cache found while destroying cache
[root@ip-172-30-0-42 ~]# su - student2
Last login: Sat Mar  4 23:28:43 UTC 2017 on pts/3
[student2@ip-172-30-0-42 ~]$ kinit
Password for student2@LAB.HORTONWORKS.NET: 
[student2@ip-172-30-0-42 ~]$ hbase shell
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.1.2.2.5.3.0-37, rcb8c969d1089f1a34e9df11b6eeb96e69bcf878d, Tue Nov 29 18:48:22 UTC 2016

hbase(main):001:0> create 's2:test_table', 'fam'
0 row(s) in 1.4790 seconds

=> Hbase::Table - s2:test_table
hbase(main):002:0> put 's2:test_table', '1', 'fam:name', 'Lester'
0 row(s) in 0.1640 seconds

hbase(main):003:0> scan 's2:test_table'
ROW                      COLUMN+CELL                                                         
 1                       column=fam:name, timestamp=1488673828673, value=Lester              
1 row(s) in 0.0230 seconds

hbase(main):004:0>

Voila!!