Hi,

What Robert suggested sounds to me like exactly what you would need. It would help if you could provide your auth_to_local setting and the output of hbase> whoami

Another way to test your auth_to_locals setting would be to execute:
% hadoop org.apache.hadoop.security.HadoopKerberosName [email protected]

Please be aware that the rules are applied in order, so it is important to have the rule from Robert before the default rule.

A simpler rule could also be:
RULE:[1:$1@$0]([email protected])s/.*/trafodion/

The above rule will only work for this principal/user. Put it as the first line of your auth to local and use HadoopKerberosName to test if it is working.

Regards,
Henning


On 21/03/16 at 21:40, Roberta Marton wrote:

Thanks for your suggestion. My property settings did have the second rule defined but not the first.

However, it did not seem to help.

I tried setting the rule several other ways but nothing seems to work. I still get the same behavior.

Roberta

*From:* Robert Levas [mailto:[email protected]]
*Sent:* Monday, March 21, 2016 11:21 AM
*To:* [email protected]
*Subject:* Re: Trying to create hbase tables after enabling Kerberos with Ambari

Hi Roberta…

It seems like you need an auth-to-local rule set up to translate [email protected] to trafodion.

You can do this by editing the hadoop.security.auth_to_local property under HDFS->Configs->Advanced->Advanced core-site.

Adding the following rule should do the trick:

    RULE:[1:$1@$0](.*[email protected])s/-robertaCluster@.*//

You will need to add this rule to the ruleset before/above less general rules like

    RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//

After adding this rule, save the config and restart the recommended services.

I hope this helps,

Rob

*From: *Roberta Marton <[email protected]>
*Reply-To: *"[email protected]" <[email protected]>
*Date: *Monday, March 21, 2016 at 2:08 PM
*To: *"[email protected]" <[email protected]>
*Subject: *Trying to create hbase tables after enabling Kerberos with Ambari

I am trying to install Kerberos on top of my Hortonworks installation. I have tried this with both versions 2.2 and 2.3 and get similar results.

After I enable Kerberos, I create a Linux user called trafodion and grant this user all HBase permissions.

I connect as trafodion but get permission errors when I try to create a table.

Details:

[trafodion@myhost ~]$ whoami

trafodion

[trafodion@myhost ~]$ klist

Ticket cache: FILE:/tmp/krb5cc_503

Default principal: [email protected]

Valid starting     Expires            Service principal

03/21/16 16:39:33 03/22/16 16:39:33 krbtgt/[email protected]

        renew until 03/21/16 16:39:33

hbase shell

hbase(main):002:0> whoami

[email protected] (auth:KERBEROS)OIw

2016-03-21 17:06:22,925 WARN [main] security.UserGroupInformation: No groups available for user trafodion-robertaCluster

hbase(main):003:0> user_permission

User Table,Family,Qualifier:Permission

trafodion hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]

ambari-qa hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]

2 row(s) in 1.7630 seconds

hbase(main):004:0> create 't1', 'f1', 'f2'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'trafodion-robertaCluster' (global, action=CREATE)

I am able to perform ‘user_permission’ but not ‘create’

Any suggestion on how to proceed?

    Roberta
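
Added example, not part of the original thread and not Hadoop's own code: a simplified Python model of first-match auth_to_local evaluation, showing why the specific rule has to sit above the general one and how the single-principal rule differs. The realm EXAMPLE.COM, the cluster suffix exampleCluster and all function and constant names are constructed for illustration.

```python
import re

# Handles only the RULE:[n:format](match)s/from/to/ form used in this thread.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/([^/]*)/([^/]*)/(g?)$")

def parse_rule(text):
    """Split one rule line into its component count, format, match and sed parts."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    n, fmt, match, frm, to, g = m.groups()
    return int(n), fmt, re.compile(match), re.compile(frm), to, bool(g)

def apply_rules(principal, rules):
    """Return the short name produced by the FIRST matching rule, else None."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    for text in rules:
        n, fmt, match, frm, to, glob = parse_rule(text)
        if len(components) != n:
            continue  # rule is written for a different number of components
        # $0 is the realm, $1..$n are the principal's components.
        parts = [realm] + components
        base = re.sub(r"\$(\d)", lambda ref: parts[int(ref.group(1))], fmt)
        # Assumption of this model: the match regex must cover the whole string.
        if not match.fullmatch(base):
            continue
        # Later rules are never consulted once one rule has matched.
        return frm.sub(to, base, count=0 if glob else 1)
    return None

# Constructed rules mirroring the three shapes discussed in the thread.
SPECIFIC = "RULE:[1:$1@$0](.*-exampleCluster@EXAMPLE.COM)s/-exampleCluster@.*//"
GENERAL = "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//"
SINGLE = "RULE:[1:$1@$0](trafodion-exampleCluster@EXAMPLE.COM)s/.*/trafodion/"
PRINCIPAL = "trafodion-exampleCluster@EXAMPLE.COM"  # constructed principal

if __name__ == "__main__":
    for label, ruleset in [("specific first", [SPECIFIC, GENERAL]),
                           ("general first", [GENERAL, SPECIFIC]),
                           ("single-principal first", [SINGLE, GENERAL])]:
        print(f"{label:24} -> {apply_rules(PRINCIPAL, ruleset)}")
```

With the general rule first, the principal maps to the suffixed short name, which is the name the AccessDeniedException reports; the real check on a cluster remains the HadoopKerberosName command mentioned in the reply.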

