Chris,

Looking at the HBase Java API, it seems the client identity is established when 
the HTable object is created, based on the Configuration object passed in:

Configuration conf  = HBaseConfiguration.create();   // identity comes from this conf / the current UGI
HTable        table = new HTable(conf, "myTable");   // connection is opened here
Put           put   = new Put(Bytes.toBytes("testKey"));

put.add(Bytes.toBytes("colFam1"), Bytes.toBytes("col1"), 
        Bytes.toBytes("value"));
table.put(put);                                      // reuses the connection opened above

Not sure if a different identity can be specified during subsequent operations 
like put(). I would suggest contacting the HBase mailing list 
'[email protected]' to find details.

Madhan
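
As an added illustration (not code from this thread or from Ranger/HBase), the following wraps the whole client lifecycle in doAs(), so the connection, and with it the RPC identity, is created as the proxy user rather than the service user. It assumes the HBase 1.x ConnectionFactory/Table API (HDP 2.3 ships HBase 1.1), that the service user is permitted to impersonate via the hadoop.proxyuser.<serviceuser>.groups/.hosts settings Bosco mentions, and that the names ProxyUserPut and putAsProxyUser are hypothetical.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;

public class ProxyUserPut {

    // Hypothetical helper, added for illustration: connection, table and put
    // all run inside doAs(), so the RPC connection is opened as the proxy
    // user instead of being reused from the service user's earlier connection.
    public static void putAsProxyUser(final String doAsUser,
                                      final TableName tableName,
                                      final Put put) throws Exception {
        // Real (Kerberos) identity of the service, e.g. the Spring Boot app.
        UserGroupInformation realUser = UserGroupInformation.getLoginUser();
        // Proxy identity; HBase's core-site.xml must allow realUser to
        // impersonate via hadoop.proxyuser.<realuser>.groups / .hosts.
        final UserGroupInformation ugi =
            UserGroupInformation.createProxyUser(doAsUser, realUser);

        ugi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws IOException {
                Configuration conf = HBaseConfiguration.create();
                // The connection is created here, under the proxy identity.
                try (Connection conn = ConnectionFactory.createConnection(conf);
                     Table table = conn.getTable(tableName)) {
                    table.put(put);
                }
                return null;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Put put = new Put(Bytes.toBytes("testKey"));
        put.addColumn(Bytes.toBytes("colFam1"), Bytes.toBytes("col1"),
                      Bytes.toBytes("value"));
        putAsProxyUser(args[0], TableName.valueOf("myTable"), put);
    }
}
```

The check that the impersonation took effect is the Ranger audit record: its reqUser field should carry the doAs user, and the policy id should be one that grants that user write access; if the proxyuser settings are missing, Hadoop's proxy-user check rejects the impersonation when the connection is set up.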

From:  Chris Gent <[email protected]>
Reply-To:  "[email protected]" <[email protected]>
Date:  Friday, December 18, 2015 at 6:47 AM
To:  "[email protected]" <[email protected]>
Subject:  Re: doAs() with Ranger HBase plugin


Thanks for the advice. The audit log record looks like this (somewhat redacted):

{"repoType":2,"repo":"dev_hbase","reqUser":"<service_user>","evtTime":"2015-12-17 12:12:59.040","access":"put","resource":"<namespace>:<table>/d/o","resType":"column","action":"write","result":"1","policy":3,"enforcer":"ranger-acl","cliIP":"<0.0.0.0>","agentHost":"<fqdn>","logType":"RangerAudit","id":"<biglongid>","seq_num":95,"event_count":1,"event_dur_ms":1}

Not sure that helps much though. I'll try enabling debug on the hbase plugin 
and see if that shows more closely what's going on.

--
Chris



On 17 December 2015 at 20:51, Madhan Neethiraj <[email protected]> wrote:
Chris,

>> When we run the application any user supplied in the doAsUser will 
>> successfully write to HBase even if no policy is defined in Ranger for that 
>> user. When I look in the audit logs it is the application service user that 
>> is being recorded as making the writes.

Details in the audit log should help in understanding the behavior. Can you please send 
the contents of the audit record for the accesses made from the Java API? I am 
looking for details like: resource accessed, access type, username, and the ID of the 
policy that allowed the access.

Thanks,
Madhan

From: Don Bosco Durai <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, December 17, 2015 at 11:22 AM
To: "[email protected]" <[email protected]>
Subject: Re: doAs() with Ranger HBase plugin

Chris

The Ranger plugin uses the same user/group made available by the component. So in 
your case, HBase is getting the service user, which I assume is your 
"springboot" app user.

You might want to do a couple of things:
1. Check the HBase logs to see if there are any errors (like impersonation not 
   allowed for your service user).
2. Make sure your service user is allowed to act as a proxy user.
   core-site.xml for HBase:
    <property>
      <name>hadoop.proxyuser.oozie.groups</name>
      <value>*</value>
    </property>
    <property>
      <name>hadoop.proxyuser.oozie.hosts</name>
      <value>*</value>
    </property>


Bosco


From: Chris Gent <[email protected]>
Reply-To: <[email protected]>
Date: Thursday, December 17, 2015 at 5:46 AM
To: <[email protected]>
Subject: doAs() with Ranger HBase plugin


Hi, 

For a client we're building a system that calls the HBase Java API from within 
our own springboot app. The goal is to be able to audit and authorize data 
access to the various user requests being made against HBase (possibly down to 
column family level) using Ranger.

The solution is based on how this same process appears to work in e.g. Oozie.

A snippet of the application code looks like this where doAsUser is the end 
user's username:


// ugi must be final: it is captured by the anonymous inner class below
final UserGroupInformation ugi = UserGroupInformation.createProxyUser(doAsUser, 
        UserGroupInformation.getLoginUser());

try {
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            LOGGER.info("HBase put as user " + ugi.getShortUserName());
            table.put(put);   // table was created earlier, outside doAs()
            return null;
        }
    });

...



When we run the application any user supplied in the doAsUser will successfully 
write to HBase even if no policy is defined in Ranger for that user. When I 
look in the audit logs it is the application service user that is being 
recorded as making the writes.

I should note that the cluster is kerberized and we are on HDP2.3.

Does anyone know how to get this working for HBase?

If I look at the sample authorizer on 
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207 then 
I think our approach would work against the sample authorizer described. Is the 
HBase plugin behaving differently?

Thanks in advance for any assistance with this problem.


-- 
Christopher Gent



NOTICE AND DISCLAIMER

This email (including attachments) is confidential. If you are not the intended 
recipient, notify the sender immediately, delete this email from your system 
and do not disclose or use for any purpose.

Business Address: Eagle House, 163 City Road, London, EC1V 1NR. United Kingdom
Registered Office: Finsgate, 5-7 Cranwood Street, London, EC1V 9EE. United 
Kingdom
Big Data Partnership Limited is a company registered in England & Wales with 
Company No 7904824



-- 
Christopher Gent
Managing Consultant
Big Data Partnership
M: 07795 210205
E: [email protected]
