[
https://issues.apache.org/jira/browse/HBASE-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13580064#comment-13580064
]
Lars Hofhansl commented on HBASE-7860:
--------------------------------------
It would be nice to document that, since it is completely not obvious :)
> HBase authorization is reliant on Kerberos
> ------------------------------------------
>
> Key: HBASE-7860
> URL: https://issues.apache.org/jira/browse/HBASE-7860
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.4
> Reporter: Kevin Odell
>
> We are currently unable to use ACLs without having Kerberos setup. That is a
> pain for testing and environments that have other authentication methods that
> are not Kerberos-centric.
> safety valve:
> <property>
> <name>hbase.security.authorization</name>
> <value>true</value>
> </property>
> <property>
> <name>hbase.coprocessor.master.classes</name>
> <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
> <name>hbase.coprocessor.region.classes</name>
>
> <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> [root@cdh4-oozie-1 ~]# hbase shell
> hbase(main):001:0> create 't1', 'cf1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
> permissions for user 'null' (global, action=CREATE)
> at
> org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
> at
> org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
> at
> org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
> at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at
> org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
> at
> org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
> [root@cdh4-oozie-1 ~]# su hbase
> bash-4.1$ hbase shell
> hbase(main):001:0> create 't1', 'cf1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
> permissions for user 'null' (global, action=CREATE)
> at
> org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
> at
> org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
> at
> org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
> at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at
> org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
> at
> org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
> It looks like we are relying on Kerberos to tell us who the user is, but
> since we are not using authentication, we are just passing NULL. We should
> be able to just rely on the local fs account.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
