Posted to user@hbase.apache.org by Alex Nastetsky <an...@spryinc.com> on 2014/02/24 22:12:48 UTC

hbase.superuser group members do not have Admin rights

My understanding of the hbase.superuser ACL is that members of a user group
specified here (prefixed with @) will have full rights on HBase. However,
it seems that the ADMIN right is missing.

Below, I have an example of using HBase as user "anastetsky" who belongs to
a group specified in hbase.superuser. No explicit permissions have been
granted to any user. I attempt to grant myself permissions (an ADMIN
action), which fails. I then create a table "foo" to show that I still have
"create" rights, because I belong to a superuser group. Members of the
group can also "write" and "read", but not "admin".

---

hbase(main):001:0> user_permission
User
Table,Family,Qualifier:Permission
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in
[jar:file:/usr/lib/hadoop/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in
[jar:file:/usr/lib/zookeeper/lib/slf4j-log4j12-1.6.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an
explanation.
0 row(s) in 4.3950 seconds

hbase(main):002:0> grant 'anastetsky','RWC'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions (user=anastetsky@SPRY.COM, scope=GLOBAL, family=, action=ADMIN)
        at
org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:356)
        at
org.apache.hadoop.hbase.security.access.AccessController.grant(AccessController.java:1272)
        at
org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.grant(AccessControlProtos.java:9933)
        at
org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10097)
        at
org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:5102)
        at
org.apache.hadoop.hbase.regionserver.HRegionServer.execService(HRegionServer.java:3198)
        at
org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:26933)
        at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2175)
        at
org.apache.hadoop.hbase.ipc.RpcServer$Handler.run(RpcServer.java:1879)

Here is some help for this command:
Grant users specific rights.
Syntax : grant <user> <permissions> [<table> [<column family> [<column
qualifier>]]

permissions is either zero or more letters from the set "RWXCA".
READ('R'), WRITE('W'), EXEC('X'), CREATE('C'), ADMIN('A')

For example:

    hbase> grant 'bobsmith', 'RWXCA'
    hbase> grant 'bobsmith', 'RW', 't1', 'f1', 'col1'


hbase(main):003:0> create 'foo','bar'
0 row(s) in 1.0650 seconds


Thanks in advance,
Alex.
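
The mismatch described in this message (a principal covered by hbase.superuser still being refused a GLOBAL ADMIN action) can be checked for in captured shell or log output. The following is an added example, not part of the original post and not HBase code; the group name hbaseadmins, the group-membership map and the realm-stripping short-name rule are assumptions, and the sample text is constructed from the error quoted above.

```python
import re
from collections import namedtuple

# Matches the AccessController denial text shown in the post.
DENIAL_RE = re.compile(
    r"AccessDeniedException:\s+Insufficient\s+permissions\s+"
    r"\(user=(?P<user>[^,]*),\s*scope=(?P<scope>[^,]*),\s*"
    r"family=(?P<family>[^,]*),\s*action=(?P<action>[^)]*)\)"
)
Denial = namedtuple("Denial", "user scope family action")

# Constructed sample: the error from the post plus one stack frame.
SAMPLE = """ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions (user=anastetsky@SPRY.COM, scope=GLOBAL, family=, action=ADMIN)
        at org.apache.hadoop.hbase.security.access.AccessController.grant(AccessController.java:1272)
"""

def parse_denials(text):
    # The shell wraps long lines, so collapse whitespace before matching.
    flat = " ".join(text.split())
    return [Denial(*(m.group(k).strip() for k in Denial._fields))
            for m in DENIAL_RE.finditer(flat)]

def parse_superuser(value):
    """Split an hbase.superuser value into (users, groups); '@' marks a group."""
    users, groups = set(), set()
    for entry in (e.strip() for e in value.split(",")):
        if entry.startswith("@"):
            groups.add(entry[1:])
        elif entry:
            users.add(entry)
    return users, groups

def short_name(principal):
    # Assumption: the short name is the principal without host and realm parts.
    return re.split(r"[/@]", principal, maxsplit=1)[0]

def unexpected_denials(text, superuser_value, group_members):
    """Denials raised against principals the configuration names as superusers."""
    users, groups = parse_superuser(superuser_value)
    hits = []
    for d in parse_denials(text):
        name = short_name(d.user)
        via = [g for g in sorted(groups) if name in group_members.get(g, ())]
        if name in users or via:
            hits.append((d, via))  # via lists the superuser groups that matched
    return hits

if __name__ == "__main__":
    # "hbaseadmins" is a hypothetical group name; the post does not give one.
    for d, via in unexpected_denials(SAMPLE, "@hbaseadmins", {"hbaseadmins": {"anastetsky"}}):
        print(d.user, d.scope, d.action, "superuser via", via or "user entry")
```
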

Re: hbase.superuser group members do not have Admin rights

Posted by Alex Nastetsky <an...@spryinc.com>.
Additionally, it seems like the hbase.superuser ACL can only take a single
username, even if you don't include any groups. All usernames beyond the
first will be ignored.


On Mon, Feb 24, 2014 at 4:12 PM, Alex Nastetsky <an...@spryinc.com> wrote:

> My understanding of the hbase.superuser ACL is that members of a user
> group specified here (prefixed with @) will have full rights on HBase.
> However, it seems that the ADMIN right is missing.
>
> Below, I have an example of using HBase as user "anastetsky" who belongs
> to a group specified in hbase.superuser. No explicit permissions have been
> granted to any user. I attempt to grant myself permissions (an ADMIN
> action), which fails. I then create a table "foo" to show that I still have
> "create" rights, because I belong to a superuser group. Members of the
> group can also "write" and "read", but not "admin".
>
> ---
>
> hbase(main):001:0> user_permission
> User
> Table,Family,Qualifier:Permission
> SLF4J: Class path contains multiple SLF4J bindings.
> SLF4J: Found binding in
> [jar:file:/usr/lib/hadoop/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: Found binding in
> [jar:file:/usr/lib/zookeeper/lib/slf4j-log4j12-1.6.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an
> explanation.
> 0 row(s) in 4.3950 seconds
>
> hbase(main):002:0> grant 'anastetsky','RWC'
>
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
> Insufficient permissions (user=anastetsky@SPRY.COM, scope=GLOBAL,
> family=, action=ADMIN)
>         at
> org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:356)
>         at
> org.apache.hadoop.hbase.security.access.AccessController.grant(AccessController.java:1272)
>         at
> org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.grant(AccessControlProtos.java:9933)
>         at
> org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10097)
>         at
> org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:5102)
>         at
> org.apache.hadoop.hbase.regionserver.HRegionServer.execService(HRegionServer.java:3198)
>         at
> org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:26933)
>         at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2175)
>         at
> org.apache.hadoop.hbase.ipc.RpcServer$Handler.run(RpcServer.java:1879)
>
> Here is some help for this command:
> Grant users specific rights.
> Syntax : grant <user> <permissions> [<table> [<column family> [<column
> qualifier>]]
>
> permissions is either zero or more letters from the set "RWXCA".
> READ('R'), WRITE('W'), EXEC('X'), CREATE('C'), ADMIN('A')
>
> For example:
>
>     hbase> grant 'bobsmith', 'RWXCA'
>     hbase> grant 'bobsmith', 'RW', 't1', 'f1', 'col1'
>
>
> hbase(main):003:0> create 'foo','bar'
> 0 row(s) in 1.0650 seconds
>
>
> Thanks in advance,
> Alex.
>
>