[ https://issues.apache.org/jira/browse/HBASE-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13579634#comment-13579634 ]
Gary Helmling commented on HBASE-7860:
--------------------------------------

Hi Kevin,

Make sure that configuration is present on both the client and server side (and restart the servers if they were previously running without it). The error you posted looks like a client/server mismatch.

Also, for reference, you can look at the {{org.apache.hadoop.hbase.security.access.TestAccessController}} source code. It sets up an in-JVM mini cluster for testing authorization with SecureRpcEngine, but with only simple auth (no kerberos).

> HBase authorization is reliant on Kerberos
> ------------------------------------------
>
>                 Key: HBASE-7860
>                 URL: https://issues.apache.org/jira/browse/HBASE-7860
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.4
>            Reporter: Kevin Odell
>
> We are currently unable to use ACLs without having Kerberos setup. That is a
> pain for testing and environments that have other authentication methods that
> are not Kerberos-centric.
>
> safety valve:
> <property>
>   <name>hbase.security.authorization</name>
>   <value>true</value>
> </property>
> <property>
>   <name>hbase.coprocessor.master.classes</name>
>   <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>   <name>hbase.coprocessor.region.classes</name>
>   <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
>
> [root@cdh4-oozie-1 ~]# hbase shell
> hbase(main):001:0> create 't1', 'cf1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'null' (global, action=CREATE)
>       at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
>       at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
>       at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
>       at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>       at java.lang.reflect.Method.invoke(Method.java:597)
>       at org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
>       at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
>
> [root@cdh4-oozie-1 ~]# su hbase
> bash-4.1$ hbase shell
> hbase(main):001:0> create 't1', 'cf1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'null' (global, action=CREATE)
>       at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
>       at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
>       at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
>       at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>       at java.lang.reflect.Method.invoke(Method.java:597)
>       at org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
>       at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
>
> It looks like we are relying on Kerberos to tell us who the user is, but
> since we are not using authentication, we are just passing NULL. We should
> be able to just rely on the local fs account.
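
Added example, not part of the JIRA thread or the HBase code base: a small checker that compares the security-related keys of a client-side and a server-side hbase-site.xml and lists every key that differs, which is the mismatch the comment above asks to rule out. The key hbase.rpc.engine does not appear in the issue; it is included on the assumption that it is the 0.94-era setting that selects SecureRpcEngine, and both XML samples are constructed.

```python
import xml.etree.ElementTree as ET

AC = "org.apache.hadoop.hbase.security.access.AccessController"
TP = "org.apache.hadoop.hbase.security.token.TokenProvider"
# Keys from the issue, plus hbase.rpc.engine (assumption: the 0.94-era key
# that selects SecureRpcEngine; it is not part of the issue text).
SECURITY_KEYS = (
    "hbase.security.authorization",
    "hbase.rpc.engine",
    "hbase.coprocessor.master.classes",
    "hbase.coprocessor.region.classes",
)

def load_props(xml_text):
    """Parse hbase-site.xml text (trusted local file) into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def class_list(value):
    """Split a comma-separated value, keeping order; None if the key is absent."""
    return None if value is None else [p.strip() for p in value.split(",") if p.strip()]

def compare(client_xml, server_xml, keys=SECURITY_KEYS):
    """Return (key, client_value, server_value) for every key that differs."""
    client, server = load_props(client_xml), load_props(server_xml)
    return [(k, client.get(k), server.get(k)) for k in keys
            if class_list(client.get(k)) != class_list(server.get(k))]

def site_xml(props):
    """Build hbase-site.xml text from a dict, for the constructed samples below."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed samples: the server carries the full set, the client lacks two keys.
SERVER_XML = site_xml({
    "hbase.security.authorization": "true",
    "hbase.rpc.engine": "org.apache.hadoop.hbase.ipc.SecureRpcEngine",
    "hbase.coprocessor.master.classes": AC,
    "hbase.coprocessor.region.classes": f"{TP},{AC}",
})
CLIENT_XML = site_xml({
    "hbase.security.authorization": "true",
    "hbase.coprocessor.region.classes": f"{TP}, {AC}",  # same list, extra space
})

if __name__ == "__main__":
    for key, client_value, server_value in compare(CLIENT_XML, SERVER_XML):
        print(f"{key}: client={client_value!r} server={server_value!r}")
```

An empty result means the listed keys agree on both sides; any row returned is a difference to review before restarting the servers.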