Hi,
what Robert suggested sounds to me like exactly what you would need. It would
help if you could provide your auth_to_local setting and the output of
hbase> whoami
Another way to test your auth_to_locals setting would be to execute:
% hadoop org.apache.hadoop.security.HadoopKerberosName
trafodion-robertaclus...@trafkdc.com
Please be aware that the rules are applied in order, so it is important
to have the rule from Robert before the default rule.
A simpler rule could also be:
RULE:[1:$1@$0](trafodion-robertaclus...@trafkdc.com)s/.*/trafodion/
The above rule will only work for this principal/user. Put it as the
first line of your auth to local and use HadoopKerberosName to test if
it is working.
Regards,
Henning
On 21/03/16 at 21:40, Roberta Marton wrote:
Thanks for your suggestion. My property settings did have the second
rule defined but not the first.
However, it did not seem to help.
I tried setting the rule several other ways but nothing seems to
work. I still get the same behavior.
Roberta
*From:* Robert Levas [mailto:rle...@hortonworks.com]
*Sent:* Monday, March 21, 2016 11:21 AM
*To:* user@ambari.apache.org
*Subject:* Re: Trying to create hbase tables after enabling Kerberos
with Ambari
Hi Roberta…
It seems like you need an auth-to-local rule set up to translate
trafodion-robertaclus...@trafkdc.com to trafodion.
You can do this by editing the hadoop.security.auth_to_local property
under HDFS->Configs->Advanced->Advanced core-site.
Adding the following rule should do the trick:
RULE:[1:$1@$0](.*-robertaclus...@trafkdc.com)s/-robertaCluster@.*//
You will need to add this rule to the ruleset before/above less
general rules like
RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//
After adding this rule, save the config and restart the recommended
services.
I hope this helps,
Rob
*From: *Roberta Marton <roberta.mar...@esgyn.com>
*Reply-To: *"user@ambari.apache.org" <user@ambari.apache.org>
*Date: *Monday, March 21, 2016 at 2:08 PM
*To: *"user@ambari.apache.org" <user@ambari.apache.org>
*Subject: *Trying to create hbase tables after enabling Kerberos with
Ambari
I am trying to install Kerberos on top of my Hortonworks
installation. I have tried this with both versions 2.2 and 2.3 and
get similar results.
After I enable Kerberos, I create a Linux user called trafodion and
grant this user all HBase permissions.
I connect as trafodion but get permission errors when I try to create
a table.
Details:
[trafodion@myhost ~]$ whoami
trafodion
[trafodion@myhost ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: trafodion-robertaclus...@trafkdc.com
Valid starting Expires Service principal
03/21/16 16:39:33 03/22/16 16:39:33 krbtgt/trafkdc....@trafkdc.com
renew until 03/21/16 16:39:33
hbase shell
hbase(main):002:0> whoami
trafodion-robertaclus...@trafkdc.com (auth:KERBEROS)OIw
2016-03-21 17:06:22,925 WARN [main] security.UserGroupInformation: No
groups available for user trafodion-robertaCluster
hbase(main):003:0> user_permission
User Table,Family,Qualifier:Permission
trafodion hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
ambari-qa hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
2 row(s) in 1.7630 seconds
hbase(main):004:0> create 't1', 'f1', 'f2'
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
Insufficient permissions for user 'trafodion-robertaCluster' (global,
action=CREATE)
I am able to perform ‘user_permission’ but not ‘create’
Any suggestion on how to proceed?
Roberta
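The rule-ordering point made in this thread, as an added example that is not part of the original messages: a simplified Python model of first-match auth_to_local evaluation (not Hadoop's own code; it uses Python regex syntax and omits DEFAULT, the `g` flag and `/L`). The principal `svc-exampleCluster@EXAMPLE.COM`, the realm and all function names are constructed for illustration.

```python
import re

# Simplified shape of one rule: RULE:[n:format](match)s/from/to/
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/)?$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    n, fmt, match, frm, to = m.groups()
    return int(n), fmt, match, frm, to

def apply_rule(rule, principal):
    """Return the short name this rule yields, or None if it does not apply."""
    n, fmt, match, frm, to = rule
    name, _, realm = principal.partition("@")
    parts = [realm] + name.split("/")        # $0 = realm, $1.. = components
    if len(parts) - 1 != n:                  # rule is for another component count
        return None
    base = re.sub(r"\$(\d)", lambda m: parts[int(m.group(1))], fmt)
    if match is not None and not re.fullmatch(match, base):
        return None
    return base if frm is None else re.sub(frm, to, base, count=1)

def translate(rules, principal):
    """First rule that applies wins; later rules are never consulted."""
    for index, text in enumerate(rules):
        short = apply_rule(parse_rule(text), principal)
        if short is not None:
            if re.search(r"[/@]", short):    # a short name must be a simple name
                raise ValueError(f"non-simple name {short!r} after rule {index}")
            return short, index
    raise LookupError("no rule matched " + principal)

# Constructed sample data (not taken from the cluster in the thread).
PRINCIPAL = "svc-exampleCluster@EXAMPLE.COM"
SPECIFIC = r"RULE:[1:$1@$0](.*-exampleCluster@EXAMPLE\.COM)s/-exampleCluster@.*//"
GENERAL = r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//"

if __name__ == "__main__":
    for label, rules in (("specific first", [SPECIFIC, GENERAL]),
                         ("general first", [GENERAL, SPECIFIC])):
        short, index = translate(rules, PRINCIPAL)
        print(f"{label}: {PRINCIPAL} -> {short} (rule {index})")
```

With the general rule first, the principal maps to `svc-exampleCluster`, a short name that holds no grants, which is the same shape as the AccessDeniedException in the original question.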