[ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13281599#comment-13281599 ]

Laxman commented on HBASE-6068:
-------------------------------

Just tried out these APIs from the Java client in our secure cluster.

Scenario:
* Create a table 'test' and grant admin 'A' permission to 'testuser'
* Try the admin operations (isTableEnabled, isTableDisabled, enableTable, disableTable) from the Java client

There are actually two issues.

1) isTableEnabled & isTableDisabled - Failed on client with the following error (ZK No Auth) as mentioned in this issue.

{noformat}
12/05/22 17:44:49 WARN zookeeper.ZKUtil: hconnection-0x3377326f2010023 Unable to get data of znode /hbase/table/test
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /hbase/table/test
at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1131)
at org.apache.hadoop.hbase.zookeeper.RecoverableZooKeeper.getData(RecoverableZooKeeper.java:264)
at org.apache.hadoop.hbase.zookeeper.ZKUtil.getData(ZKUtil.java:467)
at org.apache.hadoop.hbase.zookeeper.ZKTable.getTableState(ZKTable.java:109)
at org.apache.hadoop.hbase.zookeeper.ZKTable.isEnabledTable(ZKTable.java:283)
at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.testTableOnlineState(HConnectionManager.java:776)
at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.isTableEnabled(HConnectionManager.java:729)
at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:873)
at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:864)
{noformat}


2) enableTable & disableTable - Failed on master with the following error (HBase - access denied).

{noformat}
Exception in thread "main" org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'testuser' (global, action=ADMIN)
        at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:368)
        at org.apache.hadoop.hbase.security.access.AccessController.preDisableTable(AccessController.java:578)
        at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preDisableTable(MasterCoprocessorHost.java:351)
        at org.apache.hadoop.hbase.master.HMaster.disableTable(HMaster.java:1220)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:372)
        at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1376)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:90)
        at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:79)
        at org.apache.hadoop.hbase.client.HBaseAdmin.disableTableAsync(HBaseAdmin.java:763)
        at org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(HBaseAdmin.java:786)
{noformat}
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.0
>            Reporter: Anoop Sam John
>
> In case of secure cluster, we allow the HBase clients to read the zk nodes by 
> providing the global read permissions to all for certain nodes. These nodes 
> are the master address znode, root server znode and the clusterId znode. In 
> ZKUtil.createACL(), we can see these node names are specially handled.
> But there are some other client side admin APIs which make a read call into 
> the zookeeper from the client. This includes the isTableEnabled() call (maybe 
> some others; I have seen this one). Here the client directly reads a node in the 
> zookeeper (node created for this table) and the data is matched to know 
> whether this is enabled or not.
> Now in secure cluster case any client can read zookeeper nodes which it needs 
> for its normal operation like the master address and root server address. 
> But what if the client calls this API [isTableEnabled()]?

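
A triage sketch for the two failures reported in this comment, added here as an example that is not part of the JIRA thread or of HBase: it parses a client log and reports which layer refused each call (the ZooKeeper znode ACL or the HBase AccessController) along with the HBaseAdmin entry point involved. The function name, the result field names and the condensed sample log are constructed for this example, and it assumes each log record sits on a single line.

```python
import re

# Constructed sample: the two traces from the comment above, condensed,
# with the mail-wrapped lines rejoined.
SAMPLE = """\
12/05/22 17:44:49 WARN zookeeper.ZKUtil: hconnection-0x3377326f2010023 Unable to get data of znode /hbase/table/test
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /hbase/table/test
at org.apache.hadoop.hbase.zookeeper.ZKTable.getTableState(ZKTable.java:109)
at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:873)
at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:864)
Exception in thread "main" org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'testuser' (global, action=ADMIN)
        at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:368)
        at org.apache.hadoop.hbase.security.access.AccessController.preDisableTable(AccessController.java:578)
        at org.apache.hadoop.hbase.client.HBaseAdmin.disableTableAsync(HBaseAdmin.java:763)
        at org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(HBaseAdmin.java:786)
"""

ZK_DENY = re.compile(r"KeeperException\$NoAuthException: KeeperErrorCode = NoAuth for (\S+)")
HBASE_DENY = re.compile(
    r"AccessDeniedException: Insufficient permissions for user '([^']+)' \((\w+), action=(\w+)\)")
FRAME = re.compile(r"^\s*at ([\w.$]+)\.(\w+)\(")

def classify_denials(text):
    """Return one dict per denial: which layer refused the call, and on what."""
    findings, current = [], None
    for line in text.splitlines():
        zk, hb, fr = ZK_DENY.search(line), HBASE_DENY.search(line), FRAME.match(line)
        if zk:      # refused by the znode ACL, before any HBase code ran server-side
            current = {"layer": "zookeeper-acl", "znode": zk.group(1), "api": None}
            findings.append(current)
        elif hb:    # refused by the AccessController coprocessor on the master
            current = {"layer": "hbase-accesscontroller", "user": hb.group(1),
                       "scope": hb.group(2), "action": hb.group(3),
                       "hook": None, "api": None}
            findings.append(current)
        elif fr and current is not None:
            cls, method = fr.groups()
            if cls.endswith("AccessController") and method.startswith("pre") and "hook" in current:
                current["hook"] = method   # coprocessor hook that rejected the request
            if cls.endswith("client.HBaseAdmin"):
                current["api"] = method    # last HBaseAdmin frame is the public entry point
    return findings
```

On the sample, the first finding points at the znode `/hbase/table/test` and the second at a `global` scope `ADMIN` check, which separates a ZooKeeper ACL problem from an HBase grant problem at a glance.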