Hi!
Same issue even after adding hbase.superuser property.
Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException:
Insufficient permissions for user ‘root',action: put, tableName:hbase:meta,
family:info, column: regioninfo
at
org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
at
org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.prePut(RangerAuthorizationCoprocessor.java:989)
at
org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$30.call(RegionCoprocessorHost.java:902)
at
org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
On Mon, Oct 12, 2015 at 2:49 AM, Don Bosco Durai <[email protected]> wrote:
> Can you make sure the policy has recursive ON? And also check the audit
> logs to see whether it is the same denied result.
>
> Thanks
>
> Bosco
>
>
> From: Aneela Saleem
> Reply-To: <[email protected]>
> Date: Sunday, October 11, 2015 at 1:22 PM
>
> To: <[email protected]>
> Subject: Re: Issue while enabling hbase plugin
>
> Hi!
> Issue is not solved by adding permissions to the user hbase.
>
> On Mon, Oct 12, 2015 at 1:04 AM, Don Bosco Durai <[email protected]> wrote:
>
>> For now, the sync tool just synchronizes with one of the source. You
>> should be able to add the unix users manually.
>>
>> Log in to Ranger Admin and then Settings -> Users/Groups -> Add New User.
>>
>> You can add the user you want to. You can give any random password. It is
>> not used. Select “Role” as User.
>>
>> After this you should be able to use these users for giving permissions.
>>
>> Bosco
>>
>>
>> From: Aneela Saleem
>> Reply-To: <[email protected]>
>> Date: Sunday, October 11, 2015 at 12:51 PM
>>
>> To: <[email protected]>
>> Subject: Re: Issue while enabling hbase plugin
>>
>> Hi Bosco!
>>
>> One more thing i am syncing users with ldap, not unix users. How can i
>> apply permissions for unix users? can we sync users from ldap and unix both
>> at a time?
>>
>> On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <[email protected]>
>> wrote:
>>
>>> Hi Bosco!
>>> therse are plugins audits. it seems that hbase master and region server
>>> are being sync correctly.
>>>
>>> Export Date ( Pakistan Standard Time )Service NamePlugin IdPlugin IPHttp
>>> Response CodeStatus10/12/2015 12:19:17 AMhadoopdev
>>> [email protected] synced to
>>> plugin10/11/2015 11:36:15 PMhbasedev
>>> hbaseRegional@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies
>>> synced to plugin10/11/2015 11:36:07 PMhbasedev
>>> hbaseMaster@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies
>>> synced to plugin10/11/2015 11:35:12 PMhbasedev
>>> hbaseMaster@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies
>>> synced to plugin10/11/2015 11:34:12 PMhbasedev
>>> hbaseRegional@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies
>>> synced to plugin
>>>
>>> On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <[email protected]>
>>> wrote:
>>>
>>>> Ok, this is good. It is getting denied at the HDFS level.
>>>>
>>>> From the HDFS service in Ranger Admin, create a new policy for /hbase
>>>> (recursive) and give all permission to user “hbase”.
>>>>
>>>> Let me know how it goes.
>>>>
>>>> BTW, I don’t see any Hbase audit logs. Is Hbase configured properly?
>>>> You can check the Audit->Plugins to see whether both Hbase Master and
>>>> RegionServers are connecting and also in the Audit->Access, filter by
>>>> service type “Hbase”.
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>>
>>>> From: Aneela Saleem
>>>> Reply-To: <[email protected]>
>>>> Date: Sunday, October 11, 2015 at 12:32 PM
>>>>
>>>> To: <[email protected]>
>>>> Subject: Re: Issue while enabling hbase plugin
>>>>
>>>> Hi Bosco!
>>>>
>>>> Audits show that it denying hbase user for writing into hadoop. audits
>>>> are as follow
>>>>
>>>> ServicePolicy IDEvent TimeUserName / TypeResource NameAccess
>>>> TypeResultAccess
>>>> EnforcerClient IPEvent Count--10/11/2015 11:11:26 PMhbase
>>>> hadoopdev
>>>> hdfs
>>>> /READ_EXECUTEAllowedhadoop-acl127.0.0.11--10/11/2015 11:05:11 PMhbase
>>>> hadoopdev
>>>> hdfs
>>>> /hbase/.tmpWRITEDeniedhadoop-acl127.0.0.11--10/11/2015 11:05:11 PMhbase
>>>> hadoopdev
>>>> hdfs
>>>> /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001READAllowed
>>>> hadoop-acl127.0.0.11--10/11/2015 11:05:11 PMhbase
>>>> hadoopdev
>>>> hdfs
>>>> /hbase/data/hbase/meta/.tabledescREAD_EXECUTEAllowedhadoop-acl127.0.0.1
>>>> 1--10/11/2015 11:05:11 PMhbase
>>>> hadoopdev
>>>> hdfs
>>>> /hbase/data/hbase/meta/.tabledescREAD_EXECUTEAllowedhadoop-acl127.0.0.1
>>>> 1--10/11/2015 11:05:10 PMhbase
>>>> hadoopdev
>>>> hdfs
>>>> /hbase/hbase.idREADAllowedhadoop-acl127.0.0.11--10/11/2015 11:05:10 PM
>>>> hbase
>>>> hadoopdev
>>>> hdfs
>>>> /hbase/hbase.versionREADAllowedhadoop-acl127.0.0.11--10/11/2015
>>>> 11:00:53 PMhbase
>>>> hadoopdev
>>>> hdfs
>>>> /READ_EXECUTEAllowedhadoop-acl127.0.0.11--10/11/2015 11:00:40 PMhbase
>>>> hadoopdev
>>>> hdfs
>>>> /test1WRITEDeniedhadoop-acl127.0.0.11--10/11/2015 09:41:25 PMhbase
>>>> hadoopdev
>>>> hdfs
>>>> /hbase/.tmpWRITEDeniedhadoop-acl127.0.0.11
>>>>
>>>>
>>>>
>>>> On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <[email protected]>
>>>> wrote:
>>>>
>>>>> Yes, you can run as root if you want to. In production it is a good
>>>>> practice to have separate users, so you can manage the access to the shell
>>>>> accordingly. Also, generally it is not recommended to run user
>>>>> applications
>>>>> at user “root”. A rogue application can cause unimaginable damage in your
>>>>> network.
>>>>>
>>>>> For your current problem, can you check the Ranger audits in the
>>>>> Ranger Admin page and see what is the user that is getting denied?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Bosco
>>>>>
>>>>>
>>>>> From: Aneela Saleem
>>>>> Reply-To: <[email protected]>
>>>>> Date: Sunday, October 11, 2015 at 11:36 AM
>>>>>
>>>>> To: <[email protected]>
>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>
>>>>> Hi Bosco!
>>>>>
>>>>> Same issue after following your instruction. Is it possible to run all
>>>>> services using root user without conflicts? that will be easy to manage
>>>>> and
>>>>> understand at initial stage.
>>>>>
>>>>> Thanks
>>>>>
>>>>> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> If you are using “root”, then you should provide the user “root” the
>>>>>> full permission. You can do that by going to the Hbase repo and pick the
>>>>>> default policy with “*,*,*” and add user “root” to it.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Bosco
>>>>>>
>>>>>>
>>>>>> From: Aneela Saleem
>>>>>> Reply-To: <[email protected]>
>>>>>> Date: Sunday, October 11, 2015 at 11:18 AM
>>>>>> To: <[email protected]>
>>>>>>
>>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>>
>>>>>> Hi Ramesh!
>>>>>>
>>>>>> I started hbase services using hbase user but facing the same issue.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Zookeeper will be user “zookeeper” and hdfs service like namenode,
>>>>>>> secondary name will be hdfs, respective core components of hadoop will
>>>>>>> have
>>>>>>> it owner user who will be running the services. Refer the documentation
>>>>>>> in
>>>>>>> apache.
>>>>>>>
>>>>>>> From: Aneela Saleem <[email protected]>
>>>>>>> Reply-To: "[email protected]" <
>>>>>>> [email protected]>
>>>>>>> Date: Sunday, October 11, 2015 at 10:51 AM
>>>>>>> To: "[email protected]" <
>>>>>>> [email protected]>
>>>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>>>
>>>>>>> Thanks Ramesh.
>>>>>>>
>>>>>>> But what about other services like zookeeper, hadoop etc
>>>>>>>
>>>>>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <[email protected]
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> Aneela,
>>>>>>>>
>>>>>>>> Are you starting the hbase master / region server as “root” user,
>>>>>>>> it should be “hbase” user who has the necessary permission to do so. So
>>>>>>>> after enabling ranger hbase plugin start the services as “hbase” user
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Ramesh
>>>>>>>>
>>>>>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi!
>>>>>>>>
>>>>>>>> I am trying to enable hbase plugin but getting following exception
>>>>>>>> when i start hbase
>>>>>>>>
>>>>>>>> *2015-10-11 19:34:12,707 WARN [ProcedureExecutorThread-0]
>>>>>>>> procedure.CreateTableProcedure: Failed rollback attempt
>>>>>>>> step=CREATE_TABLE_ADD_TO_META table=hbase:namespace*
>>>>>>>> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException:
>>>>>>>> Failed 1 action:
>>>>>>>> org.apache.hadoop.hbase.security.AccessDeniedException:
>>>>>>>> Insufficient permissions for user ‘root',action: delete,
>>>>>>>> tableName:hbase:meta, family:info, column:*
>>>>>>>> * at
>>>>>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)*
>>>>>>>> * at
>>>>>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)*
>>>>>>>> * at
>>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)*
>>>>>>>> * at
>>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)*
>>>>>>>> * at
>>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)*
>>>>>>>> * at
>>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)*
>>>>>>>> * at
>>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)*
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> *Any suggestion for me?*
>>>>>>>>
>>>>>>>> *thanks*
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> CONFIDENTIALITY NOTICE
>>>>>>>> NOTICE: This message is intended for the use of the individual or
>>>>>>>> entity to which it is addressed and may contain information that is
>>>>>>>> confidential, privileged and exempt from disclosure under applicable
>>>>>>>> law.
>>>>>>>> If the reader of this message is not the intended recipient, you are
>>>>>>>> hereby
>>>>>>>> notified that any printing, copying, dissemination, distribution,
>>>>>>>> disclosure or forwarding of this communication is strictly prohibited.
>>>>>>>> If
>>>>>>>> you have received this communication in error, please contact the
>>>>>>>> sender
>>>>>>>> immediately and delete it from your system. Thank You.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
