[ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13281599#comment-13281599 ]
Laxman commented on HBASE-6068:
-------------------------------

Just tried out these APIs from Java client in our secure cluster.

Scenario:
* Create a table 'test' and grant admin 'A' permission to 'testuser'
* Try the admin operations (isTableEnabled, isTableDisabled, enableTable, disableTable) from java client

There are actually two issues.

1) isTableEnabled & isTableDisabled - Failed on client with the following error (ZK No Auth) as mentioned in this issue.
{noformat}
12/05/22 17:44:49 WARN zookeeper.ZKUtil: hconnection-0x3377326f2010023 Unable to get data of znode /hbase/table/test
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /hbase/table/test
	at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
	at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
	at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1131)
	at org.apache.hadoop.hbase.zookeeper.RecoverableZooKeeper.getData(RecoverableZooKeeper.java:264)
	at org.apache.hadoop.hbase.zookeeper.ZKUtil.getData(ZKUtil.java:467)
	at org.apache.hadoop.hbase.zookeeper.ZKTable.getTableState(ZKTable.java:109)
	at org.apache.hadoop.hbase.zookeeper.ZKTable.isEnabledTable(ZKTable.java:283)
	at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.testTableOnlineState(HConnectionManager.java:776)
	at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.isTableEnabled(HConnectionManager.java:729)
	at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:873)
	at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:864)
{noformat}

2) enableTable & disableTable - Failed on master with following error (HBase - access denied).
{noformat}
Exception in thread "main" org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'testuser' (global, action=ADMIN)
	at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:368)
	at org.apache.hadoop.hbase.security.access.AccessController.preDisableTable(AccessController.java:578)
	at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preDisableTable(MasterCoprocessorHost.java:351)
	at org.apache.hadoop.hbase.master.HMaster.disableTable(HMaster.java:1220)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:372)
	at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1376)

	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
	at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:90)
	at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:79)
	at org.apache.hadoop.hbase.client.HBaseAdmin.disableTableAsync(HBaseAdmin.java:763)
	at org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(HBaseAdmin.java:786)
{noformat}

> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.0
>            Reporter: Anoop Sam John
>
> In case of secure cluster, we allow the HBase clients to read the zk nodes by
> providing the global read permissions to all for certain nodes. These nodes
> are the master address znode, root server znode and the clusterId znode. In
> ZKUtil.createACL(), we can see these node names are specially handled.
> But there are some other client side admin APIs which make a read call into
> the zookeeper from the client. This includes the isTableEnabled() call (May be
> some other. I have seen this). Here the client directly reads a node in the
> zookeeper (node created for this table) and the data is matched to know
> whether this is enabled or not.
> Now in secure cluster case any client can read zookeeper nodes which it needs
> for its normal operation like the master address and root server address.
> But what if the client calls this API? [isTableEnabled()].
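
The two failures reported in this thread are denied at different layers: a ZooKeeper znode ACL on the client side, and the HBase AccessController hook on the master. The following triage script is an added example, not part of the JIRA thread or of HBase; it separates the two cases from a stack trace, using trimmed excerpts of the traces quoted above as input, and the `classify` function and its field names are hypothetical.

```python
import re

# Excerpts of the two traces quoted in the comment above (frames trimmed).
ZK_TRACE = """\
12/05/22 17:44:49 WARN zookeeper.ZKUtil: hconnection-0x3377326f2010023 Unable to get data of znode /hbase/table/test
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /hbase/table/test
    at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1131)
    at org.apache.hadoop.hbase.zookeeper.ZKTable.getTableState(ZKTable.java:109)
    at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:873)
"""
RPC_TRACE = """\
Exception in thread "main" org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'testuser' (global, action=ADMIN)
    at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:368)
    at org.apache.hadoop.hbase.security.access.AccessController.preDisableTable(AccessController.java:578)
    at org.apache.hadoop.hbase.master.HMaster.disableTable(HMaster.java:1220)
    at org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(HBaseAdmin.java:786)
"""

NOAUTH = re.compile(r"KeeperException\$NoAuthException: KeeperErrorCode = NoAuth for (?P<znode>\S+)")
DENIED = re.compile(r"AccessDeniedException: Insufficient permissions for user "
                    r"'(?P<user>[^']+)' \((?P<scope>[^,]+), action=(?P<action>\w+)\)")
FRAME = re.compile(r"\bat\s+([\w.$]+)\(")  # fully qualified method of each stack frame

def classify(trace):
    """Report which layer refused the call and what to inspect next."""
    frames = FRAME.findall(trace)
    # Outermost HBaseAdmin frame = the client API the caller actually invoked.
    api = next((f.rsplit(".", 1)[1] for f in reversed(frames)
                if f.startswith("org.apache.hadoop.hbase.client.HBaseAdmin.")), None)
    m = NOAUTH.search(trace)
    if m:  # refused by ZooKeeper before any HBase RPC was made
        return {"layer": "zookeeper-acl", "api": api, "znode": m["znode"],
                "check": "ACL on this znode for the client's ZooKeeper identity"}
    m = DENIED.search(trace)
    if m:  # refused on the master by an AccessController pre-hook
        hook = next((f.rsplit(".", 1)[1] for f in frames
                     if ".AccessController.pre" in f), None)
        return {"layer": "hbase-accesscontroller", "api": api, "hook": hook,
                "user": m["user"], "scope": m["scope"], "action": m["action"],
                "check": "grants for this user at the stated scope"}
    return {"layer": "unknown", "api": api}

if __name__ == "__main__":
    for t in (ZK_TRACE, RPC_TRACE):
        print(classify(t))
```
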