Hi Bosco! One more thing: I am syncing users with ldap, not unix users. How can I apply permissions for unix users? Can we sync users from ldap and unix both at a time?

On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <[email protected]> wrote:

> Hi Bosco!
>
> These are plugin audits. It seems that hbase master and region server
> are being synced correctly.
>
> Export Date ( Pakistan Standard Time ) | Service Name | Plugin Id | Plugin IP | Http Response Code | Status
> 10/12/2015 12:19:17 AM | hadoopdev | [email protected] synced to plugin
> 10/11/2015 11:36:15 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
> 10/11/2015 11:36:07 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
> 10/11/2015 11:35:12 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
> 10/11/2015 11:34:12 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>
> On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <[email protected]> wrote:
>
>> Ok, this is good. It is getting denied at the HDFS level.
>>
>> From the HDFS service in Ranger Admin, create a new policy for /hbase
>> (recursive) and give all permission to user “hbase”.
>>
>> Let me know how it goes.
>>
>> BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You
>> can check the Audit->Plugins to see whether both Hbase Master and
>> RegionServers are connecting and also in the Audit->Access, filter by
>> service type “Hbase”.
>>
>> Thanks
>>
>> Bosco
>>
>> From: Aneela Saleem
>> Reply-To: <[email protected]>
>> Date: Sunday, October 11, 2015 at 12:32 PM
>> To: <[email protected]>
>> Subject: Re: Issue while enabling hbase plugin
>>
>> Hi Bosco!
>>
>> Audits show that it is denying hbase user for writing into hadoop.
>> Audits are as follows:
>>
>> Policy ID | Event Time | User | Service (Name / Type) | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
>> -- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:00:53 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 09:41:25 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>>
>> On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <[email protected]> wrote:
>>
>>> Yes, you can run as root if you want to. In production it is a good
>>> practice to have separate users, so you can manage the access to the shell
>>> accordingly. Also, generally it is not recommended to run user applications
>>> as user “root”. A rogue application can cause unimaginable damage in your
>>> network.
>>>
>>> For your current problem, can you check the Ranger audits in the Ranger
>>> Admin page and see what is the user that is getting denied?
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>> From: Aneela Saleem
>>> Reply-To: <[email protected]>
>>> Date: Sunday, October 11, 2015 at 11:36 AM
>>> To: <[email protected]>
>>> Subject: Re: Issue while enabling hbase plugin
>>>
>>> Hi Bosco!
>>>
>>> Same issue after following your instruction. Is it possible to run all
>>> services using root user without conflicts? That will be easy to manage and
>>> understand at initial stage.
>>>
>>> Thanks
>>>
>>> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <[email protected]> wrote:
>>>
>>>> If you are using “root”, then you should provide the user “root” the
>>>> full permission. You can do that by going to the Hbase repo and pick the
>>>> default policy with “*,*,*” and add user “root” to it.
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>> From: Aneela Saleem
>>>> Reply-To: <[email protected]>
>>>> Date: Sunday, October 11, 2015 at 11:18 AM
>>>> To: <[email protected]>
>>>> Subject: Re: Issue while enabling hbase plugin
>>>>
>>>> Hi Ramesh!
>>>>
>>>> I started hbase services using hbase user but facing the same issue.
>>>>
>>>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <[email protected]> wrote:
>>>>
>>>>> Zookeeper will be user “zookeeper” and hdfs service like namenode,
>>>>> secondary name will be hdfs, respective core components of hadoop will
>>>>> have its owner user who will be running the services. Refer the
>>>>> documentation in apache.
>>>>>
>>>>> From: Aneela Saleem <[email protected]>
>>>>> Reply-To: "[email protected]" <[email protected]>
>>>>> Date: Sunday, October 11, 2015 at 10:51 AM
>>>>> To: "[email protected]" <[email protected]>
>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>
>>>>> Thanks Ramesh.
>>>>>
>>>>> But what about other services like zookeeper, hadoop etc
>>>>>
>>>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <[email protected]> wrote:
>>>>>
>>>>>> Aneela,
>>>>>>
>>>>>> Are you starting the hbase master / region server as “root” user, it
>>>>>> should be “hbase” user who has the necessary permission to do so. So
>>>>>> after enabling ranger hbase plugin start the services as “hbase” user
>>>>>>
>>>>>> Regards,
>>>>>> Ramesh
>>>>>>
>>>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <[email protected]> wrote:
>>>>>>
>>>>>> Hi!
>>>>>>
>>>>>> I am trying to enable hbase plugin but getting following exception
>>>>>> when I start hbase
>>>>>>
>>>>>> *2015-10-11 19:34:12,707 WARN [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace*
>>>>>> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:*
>>>>>> * at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)*
>>>>>> * at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)*
>>>>>> * at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)*
>>>>>> * at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)*
>>>>>> * at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)*
>>>>>> * at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)*
>>>>>> * at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)*
>>>>>>
>>>>>> *Any suggestion for me?*
>>>>>>
>>>>>> *thanks*
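
The HDFS policy suggested in the thread (/hbase, recursive, all permissions for user "hbase"), checked against denied rows from the quoted access audit. This is an added example, not part of the original messages or of Ranger's code: the policy name is hypothetical, the field names follow Ranger's RangerPolicy JSON model, and `covers` is a simplified stand-in for Ranger's path matcher.

```python
# Rows transcribed from the HDFS access audit quoted in the thread.
# Columns: user, resource, access type, result, access enforcer.
AUDIT_ROWS = [
    ("hbase", "/", "READ_EXECUTE", "Allowed", "hadoop-acl"),
    ("hbase", "/hbase/.tmp", "WRITE", "Denied", "hadoop-acl"),
    ("hbase", "/hbase/hbase.id", "READ", "Allowed", "hadoop-acl"),
    ("hbase", "/test1", "WRITE", "Denied", "hadoop-acl"),
]


def build_hdfs_policy(service, path, user):
    """Policy body using the field names of Ranger's RangerPolicy JSON model."""
    return {
        "service": service,
        "name": "hbase-root-dir-all",  # hypothetical policy name
        "isEnabled": True,
        "resources": {"path": {"values": [path], "isRecursive": True}},
        "policyItems": [{
            "users": [user],
            "accesses": [{"type": t, "isAllowed": True}
                         for t in ("read", "write", "execute")],
        }],
    }


def covers(policy, user, resource, access_type):
    """Simplified matcher (assumption): exact path, or a descendant if recursive."""
    needed = {part.lower() for part in access_type.split("_")}
    res = policy["resources"]["path"]
    path_ok = any(
        resource == p
        or (res["isRecursive"] and resource.startswith(p.rstrip("/") + "/"))
        for p in res["values"]
    )
    for item in policy["policyItems"]:
        granted = {a["type"] for a in item["accesses"] if a["isAllowed"]}
        if path_ok and user in item["users"] and needed <= granted:
            return True
    return False


def remaining_denials(policy, rows):
    """Denied audit rows that the policy would still not allow."""
    return [r for r in rows
            if r[3] == "Denied" and not covers(policy, r[0], r[1], r[2])]


if __name__ == "__main__":
    policy = build_hdfs_policy("hadoopdev", "/hbase", "hbase")
    for row in remaining_denials(policy, AUDIT_ROWS):
        print("still denied:", row)
```

The write to /test1 stays denied because it lies outside /hbase, so the policy grants the hbase user nothing beyond its own directory tree.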
