Gary and Andrew, Many thanks for your help. Now we can move a step forward. :-)
Demai On Fri, Jun 20, 2014 at 10:26 AM, Gary Helmling <ghelml...@gmail.com> wrote: > Hi Demai, > > Yes, even when using hbase.security.authentication=simple in 0.94, you need > to use SecureRpcEngine. The default WritableRpcEngine does not pass the > username to the server at all, which can obviously cause problems for > authorization. > > --gh > > > On Fri, Jun 20, 2014 at 10:21 AM, Demai Ni <nid...@gmail.com> wrote: > > > hi, Andrew, > > > > I didn't setup the keytabs as the current setup is using a firewall > instead > > of kerberos. so only use the authorization feature of hbase, and not > > authentication at this moment. A long story about why. :-( > > > > Anyway, I got a tip here > > > > > http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/4.3.0/CDH4-Security-Guide/cdh4sg_topic_8_2.html > > and add this property on hbase-site.xml (I think that is different > between > > 94 and 98) > > > > <property> > > <name>hbase.rpc.engine</name> > > <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value> > > </property> > > > > And now hbase can start and I am able to grant auth like: > > ---------- > > hbase(main):004:0> grant 'dn','R','t1_dn' > > 0 row(s) in 0.0700 seconds > > > > hbase(main):005:0> user_permission 't1_dn' > > User > > Table,Family,Qualifier:Permission > > demai t1_dn,,: [Permission: > > actions=READ,WRITE] > > dn t1_dn,,: [Permission: > > actions=READ] > > > > --------- > > > > Demai > > > > > > On Fri, Jun 20, 2014 at 10:11 AM, Andrew Purtell <apurt...@apache.org> > > wrote: > > > > > Have you set up keytabs for the server processes? > > > > > > > > > On Thu, Jun 19, 2014 at 9:40 PM, Demai Ni <nid...@gmail.com> wrote: > > > > > > > hi, folks, > > > > > > > > I am able to recreate the same error on another single node cluster. > > > > > > > > RS log pasted here: http://pastebin.com/iP9Mrz2T > > > > and > > > > hbase-site.xml is here: http://pastebin.com/ppnqfwGR > > > > > > > > the only thing changes is by adding the following property per > > > > http://hbase.apache.org/book/hbase.accesscontrol.configuration.html > > > > <property> > > > > <name>hbase.coprocessor.master.classes</name> > > > > > > > > > > <value>org.apache.hadoop.hbase.security.access.AccessController</value> > > > > </property> > > > > <property> > > > > <name>hbase.coprocessor.region.classes</name> > > > > <value>org.apache.hadoop.hbase.security.token.TokenProvider, > > > > > > > org.apache.hadoop.hbase.security.access.AccessController</value> > > > > </property> > > > > > > > > the same setting works on another hbase 98.2 cluster. So I am > wondering > > > > what's missing here. > > > > > > > > BTW, I didn't follow the instruction here: > > > > http://hbase.apache.org/book/zk.sasl.auth.html for zookeeper as no > > > > Authentication is needed on this cluster. > > > > > > > > Any suggestion or pointers? > > > > > > > > Demai > > > > > > > > > > > > On Thu, Jun 19, 2014 at 2:59 PM, Enoch Hsu <e...@us.ibm.com> wrote: > > > > > > > > > > > > > > > > > > > Hi All, > > > > > > > > > > I am running HBase 0.94.3 and trying to get ACL working on a single > > > node > > > > > cluster. I followed the steps in > > > > > > http://hbase.apache.org/book/hbase.accesscontrol.configuration.html > > > step > > > > > 8.4.3 and added those 2 properties to my hbase-site.xml > > > > > After stopping and starting hbase, my regionserver is dying with > > > > following > > > > > error/stack trace > > > > > > > > > > 2014-06-19 14:51:00,430 WARN > > > > > org.apache.hadoop.hbase.regionserver.handler.OpenRegionHandler: > > > Exception > > > > > running postOpenDeployTasks; region=1028785192 > > > > > > org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: > > > > Failed > > > > > 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: > > > > > Insufficient permissions (table=-ROOT-, family: info, action=WRITE) > > > > > at > > > > > > > > > > > > > > > org.apache.hadoop.hbase.security.access.AccessController.requirePermission > > > > > (AccessController.java:471) > > > > > at > > > > org.apache.hadoop.hbase.security.access.AccessController.prePut > > > > > (AccessController.java:878) > > > > > at > > > > > org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.prePut > > > > > (RegionCoprocessorHost.java:800) > > > > > at > > > org.apache.hadoop.hbase.regionserver.HRegion.doPreMutationHook > > > > > (HRegion.java:2046) > > > > > at org.apache.hadoop.hbase.regionserver.HRegion.batchMutate > > > > > (HRegion.java:2022) > > > > > at org.apache.hadoop.hbase.regionserver.HRegionServer.multi > > > > > (HRegionServer.java:3573) > > > > > at sun.reflect.GeneratedMethodAccessor18.invoke(Unknown > > Source) > > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke > > > > > (DelegatingMethodAccessorImpl.java:37) > > > > > at java.lang.reflect.Method.invoke(Method.java:611) > > > > > at > org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call > > > > > (WritableRpcEngine.java:364) > > > > > at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run > > > > > (HBaseServer.java:1426) > > > > > : 1 time, servers with issues: bdvm081.svl.ibm.com:60020, > > > > > at org.apache.hadoop.hbase.client.HConnectionManager > > > > > $HConnectionImplementation.processBatchCallback > > > > > (HConnectionManager.java:1624) > > > > > at org.apache.hadoop.hbase.client.HConnectionManager > > > > > > $HConnectionImplementation.processBatch(HConnectionManager.java:1400) > > > > > at org.apache.hadoop.hbase.client.HTable.flushCommits > > > > > (HTable.java:915) > > > > > at > > org.apache.hadoop.hbase.client.HTable.doPut(HTable.java:771) > > > > > at > org.apache.hadoop.hbase.client.HTable.put(HTable.java:746) > > > > > at org.apache.hadoop.hbase.catalog.MetaEditor.put > > > > > (MetaEditor.java:99) > > > > > at > > org.apache.hadoop.hbase.catalog.MetaEditor.putToCatalogTable > > > > > (MetaEditor.java:89) > > > > > at > org.apache.hadoop.hbase.catalog.MetaEditor.updateLocation > > > > > (MetaEditor.java:260) > > > > > at > > > org.apache.hadoop.hbase.catalog.MetaEditor.updateMetaLocation > > > > > (MetaEditor.java:222) > > > > > at > > > > > > > org.apache.hadoop.hbase.regionserver.HRegionServer.postOpenDeployTasks > > > > > (HRegionServer.java:1757) > > > > > at > > > org.apache.hadoop.hbase.regionserver.handler.OpenRegionHandler > > > > > $PostOpenDeployTasksThread.run(OpenRegionHandler.java:242) > > > > > > > > > > Any ideas on what is causing this and how to fix? > > > > > > > > > > I also tried adding hbase.superuser but that also did not work. > > > > > > > > > > Thanks, > > > > > Enoch Hsu > > > > > > > > > > > > > > > > -- > > > Best regards, > > > > > > - Andy > > > > > > Problems worthy of attack prove their worth by hitting back. - Piet > Hein > > > (via Tom White) > > > > > >
