Hi Bosco! Audits show that it is denying the hbase user from writing into hadoop. The audits are as follows:

Policy ID | Event Time | User | Service Name / Type | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
-- | 10/11/2015 11:11:26 PM | hbase | hadoopdev hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:53 PM | hbase | hadoopdev hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:40 PM | hbase | hadoopdev hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 09:41:25 PM | hbase | hadoopdev hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1

On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <[email protected]> wrote:

> Yes, you can run as root if you want to. In production it is a good
> practice to have separate users, so you can manage the access to the shell
> accordingly. Also, generally it is not recommended to run user applications
> as user “root”. A rogue application can cause unimaginable damage in your
> network.
>
> For your current problem, can you check the Ranger audits in the Ranger
> Admin page and see what is the user that is getting denied?
>
> Thanks
>
> Bosco
>
> From: Aneela Saleem
> Reply-To: <[email protected]>
> Date: Sunday, October 11, 2015 at 11:36 AM
> To: <[email protected]>
> Subject: Re: Issue while enabling hbase plugin
>
> Hi Bosco!
>
> Same issue after following your instruction. Is it possible to run all
> services using root user without conflicts? That will be easy to manage and
> understand at the initial stage.
>
> Thanks
>
> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <[email protected]>
> wrote:
>
>> If you are using “root”, then you should provide the user “root” the full
>> permission. You can do that by going to the Hbase repo and pick the default
>> policy with “*,*,*” and add user “root” to it.
>>
>> Thanks
>>
>> Bosco
>>
>> From: Aneela Saleem
>> Reply-To: <[email protected]>
>> Date: Sunday, October 11, 2015 at 11:18 AM
>> To: <[email protected]>
>> Subject: Re: Issue while enabling hbase plugin
>>
>> Hi Ramesh!
>>
>> I started hbase services using hbase user but am facing the same issue.
>>
>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <[email protected]>
>> wrote:
>>
>>> Zookeeper will be user “zookeeper” and hdfs service like namenode,
>>> secondary name will be hdfs, respective core components of hadoop will have
>>> its owner user who will be running the services. Refer to the documentation
>>> in Apache.
>>>
>>> From: Aneela Saleem <[email protected]>
>>> Reply-To: "[email protected]" <[email protected]>
>>> Date: Sunday, October 11, 2015 at 10:51 AM
>>> To: "[email protected]" <[email protected]>
>>> Subject: Re: Issue while enabling hbase plugin
>>>
>>> Thanks Ramesh.
>>>
>>> But what about other services like zookeeper, hadoop, etc.?
>>>
>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <[email protected]>
>>> wrote:
>>>
>>>> Aneela,
>>>>
>>>> Are you starting the hbase master / region server as “root” user? It
>>>> should be “hbase” user who has the necessary permission to do so. So after
>>>> enabling ranger hbase plugin start the services as “hbase” user.
>>>>
>>>> Regards,
>>>> Ramesh
>>>>
>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <[email protected]>
>>>> wrote:
>>>>
>>>> Hi!
>>>>
>>>> I am trying to enable hbase plugin but getting the following exception when
>>>> I start hbase
>>>>
>>>> *2015-10-11 19:34:12,707 WARN [ProcedureExecutorThread-0]
>>>> procedure.CreateTableProcedure: Failed rollback attempt
>>>> step=CREATE_TABLE_ADD_TO_META table=hbase:namespace*
>>>> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException:
>>>> Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException:
>>>> Insufficient permissions for user ‘root',action: delete,
>>>> tableName:hbase:meta, family:info, column:*
>>>> * at
>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)*
>>>> * at
>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)*
>>>> * at
>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)*
>>>> * at
>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)*
>>>> * at
>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)*
>>>> * at
>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)*
>>>> * at
>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)*
>>>>
>>>> *Any suggestion for me?*
>>>>
>>>> *thanks*
>>>>
>>>> CONFIDENTIALITY NOTICE
>>>> NOTICE: This message is intended for the use of the individual or
>>>> entity to which it is addressed and may contain information that is
>>>> confidential, privileged and exempt from disclosure under applicable law.
>>>> If the reader of this message is not the intended recipient, you are hereby
>>>> notified that any printing, copying, dissemination, distribution,
>>>> disclosure or forwarding of this communication is strictly prohibited. If
>>>> you have received this communication in error, please contact the sender
>>>> immediately and delete it from your system. Thank You.
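
Bosco's suggestion to check which user is being denied, applied to the audit rows posted in this message (an added example, not part of the original thread). The pipe-separated row layout and the function names are assumptions made for the example, and the meaning attached to the Access Enforcer values is background that the thread itself does not state.

```python
from collections import Counter

# Rows transcribed from the audit listing in this message. The policy ID,
# service, client IP and event count columns are dropped because they are
# identical on every row.
AUDIT_ROWS = """\
10/11/2015 11:11:26 PM|hbase|/|READ_EXECUTE|Allowed|hadoop-acl
10/11/2015 11:05:11 PM|hbase|/hbase/.tmp|WRITE|Denied|hadoop-acl
10/11/2015 11:05:11 PM|hbase|/hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001|READ|Allowed|hadoop-acl
10/11/2015 11:05:11 PM|hbase|/hbase/data/hbase/meta/.tabledesc|READ_EXECUTE|Allowed|hadoop-acl
10/11/2015 11:05:11 PM|hbase|/hbase/data/hbase/meta/.tabledesc|READ_EXECUTE|Allowed|hadoop-acl
10/11/2015 11:05:10 PM|hbase|/hbase/hbase.id|READ|Allowed|hadoop-acl
10/11/2015 11:05:10 PM|hbase|/hbase/hbase.version|READ|Allowed|hadoop-acl
10/11/2015 11:00:53 PM|hbase|/|READ_EXECUTE|Allowed|hadoop-acl
10/11/2015 11:00:40 PM|hbase|/test1|WRITE|Denied|hadoop-acl
10/11/2015 09:41:25 PM|hbase|/hbase/.tmp|WRITE|Denied|hadoop-acl
"""

FIELDS = ("time", "user", "resource", "access", "result", "enforcer")

# Background on the Access Enforcer column (not stated in the thread):
# "ranger-acl" means a Ranger policy made the decision; "hadoop-acl" means the
# request fell through to HDFS's own permission check.
DECIDED_BY = {"ranger-acl": "Ranger policy",
              "hadoop-acl": "HDFS native permissions"}


def parse_rows(text):
    """Turn pipe-separated audit lines into dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed audit row: {line!r}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def denied_summary(rows):
    """Count denials per (user, access type, resource, deciding layer)."""
    summary = Counter()
    for r in rows:
        if r["result"] == "Denied":
            layer = DECIDED_BY.get(r["enforcer"], "unknown: " + r["enforcer"])
            summary[(r["user"], r["access"], r["resource"], layer)] += 1
    return summary


if __name__ == "__main__":
    for (user, access, resource, layer), n in sorted(
            denied_summary(parse_rows(AUDIT_ROWS)).items()):
        print(f"{n}x {user} denied {access} on {resource} (decided by {layer})")
```
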
