Posted to user@ranger.apache.org by Aneela Saleem <an...@platalytics.com> on 2015/10/11 16:40:01 UTC

Issue while enabling hbase plugin

Hi!

I am trying to enable the hbase plugin but am getting the following exception when I
start hbase

2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)

Any suggestion for me?

thanks

Re: Issue while enabling hbase plugin

Posted by Aneela Saleem <an...@platalytics.com>.
Yes, it was just because of permissions. I had to give full permissions on
the hbase directory in hdfs to allow the root and hbase users to perform the
necessary operations on it.

On Thu, Oct 15, 2015 at 10:20 PM, Don Bosco Durai <bo...@apache.org> wrote:

> Based on your other email, it seems you got the Hbase plugin installed
> properly. Was it just the permission, or did you have to do anything more?
>
> Thanks
>
> Bosco
>
>
> From: Don Bosco Durai
> Reply-To: <us...@ranger.incubator.apache.org>
> Date: Sunday, October 11, 2015 at 9:47 PM
>
> To: <us...@ranger.incubator.apache.org>
> Subject: Re: Issue while enabling hbase plugin
>
> Seems this deny is for root. Can you add root also to the policy? Check
> the audit and based on that you need to add appropriate permissions.
>
> Thanks
>
> Bosco
>
>
> From: Aneela Saleem
> Reply-To: <us...@ranger.incubator.apache.org>
> Date: Sunday, October 11, 2015 at 9:44 PM
> To: <us...@ranger.incubator.apache.org>
> Subject: Re: Issue while enabling hbase plugin
>
> Hi!
> Same issue even after adding hbase.superuser property.
>
> Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException:
> Insufficient permissions for user ‘root',action: put, tableName:hbase:meta,
> family:info, column: regioninfo
>         at
> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
>         at
> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.prePut(RangerAuthorizationCoprocessor.java:989)
>         at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$30.call(RegionCoprocessorHost.java:902)
>         at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
>
> On Mon, Oct 12, 2015 at 2:49 AM, Don Bosco Durai <bo...@apache.org> wrote:
>
>> Can you make sure the policy has recursive ON? And also check the audit
>> logs to see whether it is the same denied result.
>>
>> Thanks
>>
>> Bosco
>>
>>
>> From: Aneela Saleem
>> Reply-To: <us...@ranger.incubator.apache.org>
>> Date: Sunday, October 11, 2015 at 1:22 PM
>>
>> To: <us...@ranger.incubator.apache.org>
>> Subject: Re: Issue while enabling hbase plugin
>>
>> Hi!
>> Issue is not solved by adding permissions to the user hbase.
>>
>> On Mon, Oct 12, 2015 at 1:04 AM, Don Bosco Durai <bo...@apache.org>
>> wrote:
>>
>>> For now, the sync tool just synchronizes with one of the sources. You
>>> should be able to add the unix users manually.
>>>
>>> Log in to Ranger Admin and then Settings -> Users/Groups -> Add New User.
>>>
>>> You can add the user you want to. You can give any random password. It
>>> is not used. Select “Role” as User.
>>>
>>> After this you should be able to use these users for giving permissions.
>>>
>>> Bosco
>>>
>>>
>>> From: Aneela Saleem
>>> Reply-To: <us...@ranger.incubator.apache.org>
>>> Date: Sunday, October 11, 2015 at 12:51 PM
>>>
>>> To: <us...@ranger.incubator.apache.org>
>>> Subject: Re: Issue while enabling hbase plugin
>>>
>>> Hi Bosco!
>>>
>>> One more thing: I am syncing users with ldap, not unix users. How can I
>>> apply permissions for unix users? Can we sync users from ldap and unix both
>>> at a time?
>>>
>>> On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <an...@platalytics.com>
>>> wrote:
>>>
>>>> Hi Bosco!
>>>> These are the plugin audits. It seems that the hbase master and region server
>>>> are being synced correctly.
>>>>
>>>> Export Date ( Pakistan Standard Time ) | Service Name | Plugin Id | Plugin IP | Http Response Code | Status
>>>> 10/12/2015 12:19:17 AM | hadoopdev | hdfs@vmubuntu2-VirtualBox-hadoopdev | 192.168.23.126 | 200 | Policies synced to plugin
>>>> 10/11/2015 11:36:15 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>>>> 10/11/2015 11:36:07 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>>>> 10/11/2015 11:35:12 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>>>> 10/11/2015 11:34:12 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>>>>
>>>> On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <bo...@apache.org>
>>>> wrote:
>>>>
>>>>> Ok, this is good. It is getting denied at the HDFS level.
>>>>>
>>>>> From the HDFS service in Ranger Admin, create a new policy for /hbase
>>>>> (recursive) and give all permission to user “hbase”.
>>>>>
>>>>> Let me know how it goes.
>>>>>
>>>>> BTW, I don’t see any Hbase audit logs. Is Hbase configured properly?
>>>>> You can check the Audit->Plugins to see whether both Hbase Master and
>>>>> RegionServers are connecting and also in the Audit->Access, filter by
>>>>> service type “Hbase”.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Bosco
>>>>>
>>>>>
>>>>> From: Aneela Saleem
>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>> Date: Sunday, October 11, 2015 at 12:32 PM
>>>>>
>>>>> To: <us...@ranger.incubator.apache.org>
>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>
>>>>> Hi Bosco!
>>>>>
>>>>> Audits show that it is denying the hbase user for writing into hadoop. The audits
>>>>> are as follows:
>>>>>
>>>>> Policy ID | Event Time | User | Service (Name / Type) | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
>>>>> -- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>>>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>>>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>>>> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>>>>> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>>>>> -- | 10/11/2015 11:00:53 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>>>> -- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>>>>> -- | 10/11/2015 09:41:25 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org>
>>>>> wrote:
>>>>>
>>>>>> Yes, you can run as root if you want to. In production it is a good
>>>>>> practice to have separate users, so you can manage the access to the shell
>>>>>> accordingly. Also, generally it is not recommended to run user applications
>>>>>> as user “root”. A rogue application can cause unimaginable damage in your
>>>>>> network.
>>>>>>
>>>>>> For your current problem, can you check the Ranger audits in the
>>>>>> Ranger Admin page and see what is the user that is getting denied?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Bosco
>>>>>>
>>>>>>
>>>>>> From: Aneela Saleem
>>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>>> Date: Sunday, October 11, 2015 at 11:36 AM
>>>>>>
>>>>>> To: <us...@ranger.incubator.apache.org>
>>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>>
>>>>>> Hi Bosco!
>>>>>>
>>>>>> Same issue after following your instruction. Is it possible to run
>>>>>> all services using root user without conflicts? That will be easy to manage
>>>>>> and understand at initial stage.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org>
>>>>>> wrote:
>>>>>>
>>>>>>> If you are using “root”, then you should provide the user “root” the
>>>>>>> full permission. You can do that by going to the Hbase repo and pick the
>>>>>>> default policy with “*,*,*” and add user “root” to it.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Bosco
>>>>>>>
>>>>>>>
>>>>>>> From: Aneela Saleem
>>>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>>>> Date: Sunday, October 11, 2015 at 11:18 AM
>>>>>>> To: <us...@ranger.incubator.apache.org>
>>>>>>>
>>>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>>>
>>>>>>> Hi Ramesh!
>>>>>>>
>>>>>>> I started hbase services using hbase user but facing the same issue.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rmani@hortonworks.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Zookeeper will be user “zookeeper” and hdfs service like namenode,
>>>>>>>> secondary name will be hdfs, respective core components of hadoop will have
>>>>>>>> its owner user who will be running the services. Refer to the documentation in
>>>>>>>> apache.
>>>>>>>>
>>>>>>>> From: Aneela Saleem <an...@platalytics.com>
>>>>>>>> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>>>>>>>> Date: Sunday, October 11, 2015 at 10:51 AM
>>>>>>>> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
>>>>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>>>>
>>>>>>>> Thanks Ramesh.
>>>>>>>>
>>>>>>>> But what about other services like zookeeper, hadoop etc.?
>>>>>>>>
>>>>>>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rmani@hortonworks.com> wrote:
>>>>>>>>
>>>>>>>>> Aneela,
>>>>>>>>>
>>>>>>>>> Are you starting the hbase master / region server as the “root” user?
>>>>>>>>> It should be the “hbase” user, who has the necessary permission to do so. So
>>>>>>>>> after enabling the ranger hbase plugin, start the services as the “hbase” user.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Ramesh
>>>>>>>>>
>>>>>>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Hi!
>>>>>>>>>
>>>>>>>>> I am trying to enable the hbase plugin but am getting the following exception
>>>>>>>>> when I start hbase
>>>>>>>>>
>>>>>>>>> 2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
>>>>>>>>> org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
>>>>>>>>>         at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
>>>>>>>>>         at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
>>>>>>>>>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
>>>>>>>>>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
>>>>>>>>>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
>>>>>>>>>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
>>>>>>>>>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)
>>>>>>>>>
>>>>>>>>> Any suggestion for me?
>>>>>>>>>
>>>>>>>>> thanks
>>>>>>>>>
>
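
The triage the replies walk through (read each denial, note the user and the enforcing layer, then grant only that), as an added Python example that is not part of the original messages. The sample lines are constructed from the log and audit rows quoted in the thread; `path_covered` is a simplified stand-in for a recursive path policy, not Ranger's own matcher, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the exception lines quoted in the thread.
HBASE_LOG = """\
Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: put, tableName:hbase:meta, family:info, column: regioninfo
"""

# Constructed sample input: three rows of the access audit in pipe-separated form
# (policy id, time, user, service, resource, access, result, enforcer, ip, count).
HDFS_AUDIT = """\
-- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
"""

# Matches the coprocessor's denial message; the user name may be wrapped in
# straight or curly quotes, and the column may be empty.
DENIAL_RE = re.compile(
    r"Insufficient permissions for user\s*[‘’']?(?P<user>[^‘’',\s]+)[‘’']?\s*,"
    r"\s*action:\s*(?P<action>\w+)\s*,\s*tableName:\s*(?P<table>[^,\s]+)\s*,"
    r"\s*family:\s*(?P<family>[^,\s]*)\s*,\s*column:[ \t]*(?P<column>\S*)"
)


def hbase_denials(log_text):
    """Unique (user, action, table, family) tuples denied at the HBase layer."""
    return sorted(
        {(m["user"], m["action"], m["table"], m["family"])
         for m in DENIAL_RE.finditer(log_text)}
    )


def hdfs_denials(audit_text):
    """Unique (user, path, access) tuples from the Denied rows of the audit table."""
    found = set()
    for line in audit_text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) == 10 and cols[6] == "Denied":
            found.add((cols[2], cols[4], cols[5]))
    return sorted(found)


def path_covered(policy_path, recursive, resource):
    """Simplified path policy: exact match, or any descendant when recursive."""
    policy_path = policy_path.rstrip("/") or "/"
    if resource == policy_path:
        return True
    prefix = "/" if policy_path == "/" else policy_path + "/"
    return recursive and resource.startswith(prefix)


def grants_needed(log_text, audit_text, hdfs_policy=("/hbase", True)):
    """Group denials by layer so each grant goes to the right service and user."""
    by_target = defaultdict(set)
    for user, action, table, family in hbase_denials(log_text):
        by_target[(user, table, family)].add(action)
    plan = {
        "hbase": {k: sorted(v) for k, v in by_target.items()},
        "hdfs_covered": [],    # fixed by the proposed path policy
        "hdfs_uncovered": [],  # outside it: needs a separate decision
    }
    path, recursive = hdfs_policy
    for denial in hdfs_denials(audit_text):
        key = "hdfs_covered" if path_covered(path, recursive, denial[1]) else "hdfs_uncovered"
        plan[key].append(denial)
    return plan


if __name__ == "__main__":
    plan = grants_needed(HBASE_LOG, HDFS_AUDIT)
    for (user, table, family), actions in plan["hbase"].items():
        print(f"HBase service: user={user} table={table} family={family} needs {actions}")
    for user, path, access in plan["hdfs_covered"]:
        print(f"HDFS service: user={user} {access} on {path} (covered by /hbase recursive)")
    for user, path, access in plan["hdfs_uncovered"]:
        print(f"HDFS service: user={user} {access} on {path} (not under /hbase)")
```

Passing `hdfs_policy=("/hbase", False)` moves `/hbase/.tmp` into the uncovered list, which is the case the "recursive ON" question in the thread is checking for.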

Re: Issue while enabling hbase plugin

Posted by Don Bosco Durai <bo...@apache.org>.
Based on your other email, it seems you got the Hbase plugin installed properly. Was it just the permission, or did you have to do anything more?

Thanks

Bosco


Re: Issue while enabling hbase plugin

Posted by Don Bosco Durai <bo...@apache.org>.
Seems this deny is for root. Can you add root also to the policy? Check the audit and based on that you need to add appropriate permissions.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 9:44 PM
To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi!
Same issue even after adding hbase.superuser property. 

Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: put, tableName:hbase:meta, family:info, column: regioninfo
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.prePut(RangerAuthorizationCoprocessor.java:989)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$30.call(RegionCoprocessorHost.java:902)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)

On Mon, Oct 12, 2015 at 2:49 AM, Don Bosco Durai <bo...@apache.org> wrote:
Can you make sure the policy has recursive ON? And also check the audit logs to see whether it is the same denied result.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 1:22 PM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi!
Issue is not solved by adding permissions to the user hbase.

On Mon, Oct 12, 2015 at 1:04 AM, Don Bosco Durai <bo...@apache.org> wrote:
For now, the sync tool just synchronizes with one of the source. You should be able to add the unix users manually. 

Log in to Ranger Admin and then Settings -> Users/Groups -> Add New User.

You can add the user you want to. You can give any random password. It is not used. Select “Role” as User.

After this you should be able to use these users for giving permissions.

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 12:51 PM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

One more thing i am syncing users with ldap, not unix users. How can i apply permissions for unix users? can we sync users from ldap and unix both at a time?

On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <an...@platalytics.com> wrote:
Hi Bosco!
therse are plugins audits. it seems that hbase master and region server are being sync correctly.

Export Date ( Pakistan Standard Time )Service NamePlugin IdPlugin IPHttp Response CodeStatus
10/12/2015 12:19:17 AMhadoopdevhdfs@vmubuntu2-VirtualBox-hadoopdev192.168.23.126200Policies synced to plugin
10/11/2015 11:36:15 PMhbasedevhbaseRegional@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies synced to plugin
10/11/2015 11:36:07 PMhbasedevhbaseMaster@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies synced to plugin
10/11/2015 11:35:12 PMhbasedevhbaseMaster@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies synced to plugin
10/11/2015 11:34:12 PMhbasedevhbaseRegional@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies synced to plugin


On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <bo...@apache.org> wrote:
Ok, this is good. It is getting denied at the HDFS level.

>From the HDFS service in Ranger Admin, create a new policy for /hbase (recursive) and give all permission to user “hbase”.

Let me know how it goes.

BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You can check the Audit->Plugins to see whether both Hbase Master and RegionServers are connecting and also in the Audit->Access, filter by service type “Hbase”.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 12:32 PM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

Audits show that it denying hbase user for writing into hadoop. audits are as follow

Service
Policy IDEvent TimeUserName / TypeResource NameAccess TypeResultAccess EnforcerClient IPEvent Count
--10/11/2015 11:11:26 PMhbasehadoopdev
hdfs
/READ_EXECUTEAllowedhadoop-acl127.0.0.11
--10/11/2015 11:05:11 PMhbasehadoopdev
hdfs
/hbase/.tmpWRITEDeniedhadoop-acl127.0.0.11
--10/11/2015 11:05:11 PMhbasehadoopdev
hdfs
/hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001READAllowedhadoop-acl127.0.0.11
--10/11/2015 11:05:11 PMhbasehadoopdev
hdfs
/hbase/data/hbase/meta/.tabledescREAD_EXECUTEAllowedhadoop-acl127.0.0.11
--10/11/2015 11:05:11 PMhbasehadoopdev
hdfs
/hbase/data/hbase/meta/.tabledescREAD_EXECUTEAllowedhadoop-acl127.0.0.11
--10/11/2015 11:05:10 PMhbasehadoopdev
hdfs
/hbase/hbase.idREADAllowedhadoop-acl127.0.0.11
--10/11/2015 11:05:10 PMhbasehadoopdev
hdfs
/hbase/hbase.versionREADAllowedhadoop-acl127.0.0.11
--10/11/2015 11:00:53 PMhbasehadoopdev
hdfs
/READ_EXECUTEAllowedhadoop-acl127.0.0.11
--10/11/2015 11:00:40 PMhbasehadoopdev
hdfs
/test1WRITEDeniedhadoop-acl127.0.0.11
--10/11/2015 09:41:25 PMhbasehadoopdev
hdfs
/hbase/.tmpWRITEDeniedhadoop-acl127.0.0.11



On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org> wrote:
Yes, you can run as root if you want to. In production it is a good practice to have separate users, so you can manage the access to the shell accordingly. Also, generally it is not recommended to run user applications at user “root”. A rogue application can cause unimaginable damage in your network.

For your current problem, can you check the Ranger audits in the Ranger Admin page and see what is the user that is getting denied?

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:36 AM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

Same issue after following your instruction. Is it possible to run all services using root user without conflicts? that will be easy to manage and understand at initial stage.

Thanks

On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org> wrote:
If you are using “root”, then you should provide the user “root” the full permission. You can do that by going to the Hbase repo and pick the default policy with “*,*,*” and add user “root” to it.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:18 AM
To:  <us...@ranger.incubator.apache.org>

Subject:  Re: Issue while enabling hbase plugin

Hi Ramesh!

I started hbase services using hbase user but facing the same issue.



On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Zookeeper will be user “zookeeper” and hdfs service like namenode, secondary name will be hdfs, respective core components of hadoop will have it owner user who will be running the services. Refer the documentation in apache.

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 10:51 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Thanks Ramesh. 

But what about other services like zookeeper, hadoop etc 

On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Aneela, 

Are you starting the hbase master / region server  as “root” user, it should be “hbase” user who has the necessary permission to do so. So after enabling ranger hbase plugin start the services as “hbase” user

Regards,
Ramesh

On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com> wrote:

Hi! 

I am trying to enable hbase plugin but getting following exception when i start hbase 

2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)



Any suggestion for me?

thanks

Re: Issue while enabling hbase plugin

Posted by Aneela Saleem <an...@platalytics.com>.
Hi!
Same issue even after adding hbase.superuser property.

Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: put, tableName:hbase:meta, family:info, column: regioninfo
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.prePut(RangerAuthorizationCoprocessor.java:989)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$30.call(RegionCoprocessorHost.java:902)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)

On Mon, Oct 12, 2015 at 2:49 AM, Don Bosco Durai <bo...@apache.org> wrote:

> Can you make sure the policy has recursive ON? And also check the audit
> logs to see whether it is the same denied result.
>
> Thanks
>
> Bosco
>
>
> From: Aneela Saleem
> Reply-To: <us...@ranger.incubator.apache.org>
> Date: Sunday, October 11, 2015 at 1:22 PM
>
> To: <us...@ranger.incubator.apache.org>
> Subject: Re: Issue while enabling hbase plugin
>
> Hi!
> Issue is not solved by adding permissions to the user hbase.
>
> On Mon, Oct 12, 2015 at 1:04 AM, Don Bosco Durai <bo...@apache.org> wrote:
>
>> For now, the sync tool just synchronizes with one of the source. You
>> should be able to add the unix users manually.
>>
>> Log in to Ranger Admin and then Settings -> Users/Groups -> Add New User.
>>
>> You can add the user you want to. You can give any random password. It is
>> not used. Select “Role” as User.
>>
>> After this you should be able to use these users for giving permissions.
>>
>> Bosco
>>
>>
>> From: Aneela Saleem
>> Reply-To: <us...@ranger.incubator.apache.org>
>> Date: Sunday, October 11, 2015 at 12:51 PM
>>
>> To: <us...@ranger.incubator.apache.org>
>> Subject: Re: Issue while enabling hbase plugin
>>
>> Hi Bosco!
>>
>> One more thing i am syncing users with ldap, not unix users. How can i
>> apply permissions for unix users? can we sync users from ldap and unix both
>> at a time?
>>
>> On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <an...@platalytics.com>
>> wrote:
>>
>>> Hi Bosco!
>>> These are plugins audits. It seems that hbase master and region server
>>> are being synced correctly.
>>>
>>> Export Date ( Pakistan Standard Time )  Service Name  Plugin Id  Plugin IP  Http Response Code  Status
>>> 10/12/2015 12:19:17 AM  hadoopdev  hdfs@vmubuntu2-VirtualBox-hadoopdev  192.168.23.126  200  Policies synced to plugin
>>> 10/11/2015 11:36:15 PM  hbasedev  hbaseRegional@vmubuntu2-VirtualBox-hbasedev  192.168.23.126  200  Policies synced to plugin
>>> 10/11/2015 11:36:07 PM  hbasedev  hbaseMaster@vmubuntu2-VirtualBox-hbasedev  192.168.23.126  200  Policies synced to plugin
>>> 10/11/2015 11:35:12 PM  hbasedev  hbaseMaster@vmubuntu2-VirtualBox-hbasedev  192.168.23.126  200  Policies synced to plugin
>>> 10/11/2015 11:34:12 PM  hbasedev  hbaseRegional@vmubuntu2-VirtualBox-hbasedev  192.168.23.126  200  Policies synced to plugin
>>>
>>> On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <bo...@apache.org>
>>> wrote:
>>>
>>>> Ok, this is good. It is getting denied at the HDFS level.
>>>>
>>>> From the HDFS service in Ranger Admin, create a new policy for /hbase
>>>> (recursive) and give all permission to user “hbase”.
>>>>
>>>> Let me know how it goes.
>>>>
>>>> BTW, I don’t see any Hbase audit logs. Is Hbase configured properly?
>>>> You can check the Audit->Plugins to see whether both Hbase Master and
>>>> RegionServers are connecting and also in the Audit->Access, filter by
>>>> service type “Hbase”.
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>>
>>>> From: Aneela Saleem
>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>> Date: Sunday, October 11, 2015 at 12:32 PM
>>>>
>>>> To: <us...@ranger.incubator.apache.org>
>>>> Subject: Re: Issue while enabling hbase plugin
>>>>
>>>> Hi Bosco!
>>>>
>>>> Audits show that it is denying hbase user for writing into hadoop. Audits
>>>> are as follows
>>>>
>>>> Policy ID  Event Time  User  Service Name / Type  Resource Name  Access Type  Result  Access Enforcer  Client IP  Event Count
>>>> --  10/11/2015 11:11:26 PM  hbase  hadoopdev / hdfs  /  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
>>>> --  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/.tmp  WRITE  Denied  hadoop-acl  127.0.0.1  1
>>>> --  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001  READ  Allowed  hadoop-acl  127.0.0.1  1
>>>> --  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/data/hbase/meta/.tabledesc  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
>>>> --  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/data/hbase/meta/.tabledesc  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
>>>> --  10/11/2015 11:05:10 PM  hbase  hadoopdev / hdfs  /hbase/hbase.id  READ  Allowed  hadoop-acl  127.0.0.1  1
>>>> --  10/11/2015 11:05:10 PM  hbase  hadoopdev / hdfs  /hbase/hbase.version  READ  Allowed  hadoop-acl  127.0.0.1  1
>>>> --  10/11/2015 11:00:53 PM  hbase  hadoopdev / hdfs  /  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
>>>> --  10/11/2015 11:00:40 PM  hbase  hadoopdev / hdfs  /test1  WRITE  Denied  hadoop-acl  127.0.0.1  1
>>>> --  10/11/2015 09:41:25 PM  hbase  hadoopdev / hdfs  /hbase/.tmp  WRITE  Denied  hadoop-acl  127.0.0.1  1
>>>>
>>>>
>>>>
>>>> On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org>
>>>> wrote:
>>>>
>>>>> Yes, you can run as root if you want to. In production it is a good
>>>>> practice to have separate users, so you can manage the access to the shell
>>>>> accordingly. Also, generally it is not recommended to run user applications
>>>>> at user “root”. A rogue application can cause unimaginable damage in your
>>>>> network.
>>>>>
>>>>> For your current problem, can you check the Ranger audits in the
>>>>> Ranger Admin page and see what is the user that is getting denied?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Bosco
>>>>>
>>>>>
>>>>> From: Aneela Saleem
>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>> Date: Sunday, October 11, 2015 at 11:36 AM
>>>>>
>>>>> To: <us...@ranger.incubator.apache.org>
>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>
>>>>> Hi Bosco!
>>>>>
>>>>> Same issue after following your instruction. Is it possible to run all
>>>>> services using root user without conflicts? that will be easy to manage and
>>>>> understand at initial stage.
>>>>>
>>>>> Thanks
>>>>>
>>>>> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org>
>>>>> wrote:
>>>>>
>>>>>> If you are using “root”, then you should provide the user “root” the
>>>>>> full permission. You can do that by going to the Hbase repo and pick the
>>>>>> default policy with “*,*,*” and add user “root” to it.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Bosco
>>>>>>
>>>>>>
>>>>>> From: Aneela Saleem
>>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>>> Date: Sunday, October 11, 2015 at 11:18 AM
>>>>>> To: <us...@ranger.incubator.apache.org>
>>>>>>
>>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>>
>>>>>> Hi Ramesh!
>>>>>>
>>>>>> I started hbase services using hbase user but facing the same issue.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Zookeeper will be user “zookeeper” and hdfs service like namenode,
>>>>>>> secondary name will be hdfs, respective core components of hadoop will have
>>>>>>> it owner user who will be running the services. Refer the documentation in
>>>>>>> apache.
>>>>>>>
>>>>>>> From: Aneela Saleem <an...@platalytics.com>
>>>>>>> Reply-To: "user@ranger.incubator.apache.org" <
>>>>>>> user@ranger.incubator.apache.org>
>>>>>>> Date: Sunday, October 11, 2015 at 10:51 AM
>>>>>>> To: "user@ranger.incubator.apache.org" <
>>>>>>> user@ranger.incubator.apache.org>
>>>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>>>
>>>>>>> Thanks Ramesh.
>>>>>>>
>>>>>>> But what about other services like zookeeper, hadoop etc
>>>>>>>
>>>>>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rmani@hortonworks.com
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> Aneela,
>>>>>>>>
>>>>>>>> Are you starting the hbase master / region server  as “root” user,
>>>>>>>> it should be “hbase” user who has the necessary permission to do so. So
>>>>>>>> after enabling ranger hbase plugin start the services as “hbase” user
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Ramesh
>>>>>>>>
>>>>>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi!
>>>>>>>>
>>>>>>>> I am trying to enable hbase plugin but getting following exception
>>>>>>>> when i start hbase
>>>>>>>>
>>>>>>>> 2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
>>>>>>>> org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
>>>>>>>>         at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
>>>>>>>>         at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
>>>>>>>>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
>>>>>>>>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
>>>>>>>>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
>>>>>>>>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
>>>>>>>>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)
>>>>>>>>
>>>>>>>> Any suggestion for me?
>>>>>>>>
>>>>>>>> thanks

Re: Issue while enabling hbase plugin

Posted by Don Bosco Durai <bo...@apache.org>.
Can you make sure the policy has recursive ON? And also check the audit logs to see whether it is the same denied result.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 1:22 PM
To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi!
Issue is not solved by adding permissions to the user hbase.

On Mon, Oct 12, 2015 at 1:04 AM, Don Bosco Durai <bo...@apache.org> wrote:
For now, the sync tool just synchronizes with one of the source. You should be able to add the unix users manually. 

Log in to Ranger Admin and then Settings -> Users/Groups -> Add New User.

You can add the user you want to. You can give any random password. It is not used. Select “Role” as User.

After this you should be able to use these users for giving permissions.

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 12:51 PM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

One more thing i am syncing users with ldap, not unix users. How can i apply permissions for unix users? can we sync users from ldap and unix both at a time?

On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <an...@platalytics.com> wrote:
Hi Bosco!
These are plugins audits. It seems that hbase master and region server are being synced correctly.

Export Date ( Pakistan Standard Time )  Service Name  Plugin Id  Plugin IP  Http Response Code  Status
10/12/2015 12:19:17 AM  hadoopdev  hdfs@vmubuntu2-VirtualBox-hadoopdev  192.168.23.126  200  Policies synced to plugin
10/11/2015 11:36:15 PM  hbasedev  hbaseRegional@vmubuntu2-VirtualBox-hbasedev  192.168.23.126  200  Policies synced to plugin
10/11/2015 11:36:07 PM  hbasedev  hbaseMaster@vmubuntu2-VirtualBox-hbasedev  192.168.23.126  200  Policies synced to plugin
10/11/2015 11:35:12 PM  hbasedev  hbaseMaster@vmubuntu2-VirtualBox-hbasedev  192.168.23.126  200  Policies synced to plugin
10/11/2015 11:34:12 PM  hbasedev  hbaseRegional@vmubuntu2-VirtualBox-hbasedev  192.168.23.126  200  Policies synced to plugin


On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <bo...@apache.org> wrote:
Ok, this is good. It is getting denied at the HDFS level.

From the HDFS service in Ranger Admin, create a new policy for /hbase (recursive) and give all permission to user “hbase”.

Let me know how it goes.

BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You can check the Audit->Plugins to see whether both Hbase Master and RegionServers are connecting and also in the Audit->Access, filter by service type “Hbase”.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 12:32 PM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

Audits show that it is denying hbase user for writing into hadoop. Audits are as follows

Policy ID  Event Time  User  Service Name / Type  Resource Name  Access Type  Result  Access Enforcer  Client IP  Event Count
--  10/11/2015 11:11:26 PM  hbase  hadoopdev / hdfs  /  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/.tmp  WRITE  Denied  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001  READ  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/data/hbase/meta/.tabledesc  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/data/hbase/meta/.tabledesc  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:10 PM  hbase  hadoopdev / hdfs  /hbase/hbase.id  READ  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:10 PM  hbase  hadoopdev / hdfs  /hbase/hbase.version  READ  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:00:53 PM  hbase  hadoopdev / hdfs  /  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:00:40 PM  hbase  hadoopdev / hdfs  /test1  WRITE  Denied  hadoop-acl  127.0.0.1  1
--  10/11/2015 09:41:25 PM  hbase  hadoopdev / hdfs  /hbase/.tmp  WRITE  Denied  hadoop-acl  127.0.0.1  1



On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org> wrote:
Yes, you can run as root if you want to. In production it is a good practice to have separate users, so you can manage the access to the shell accordingly. Also, generally it is not recommended to run user applications at user “root”. A rogue application can cause unimaginable damage in your network.

For your current problem, can you check the Ranger audits in the Ranger Admin page and see what is the user that is getting denied?

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:36 AM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

Same issue after following your instruction. Is it possible to run all services using root user without conflicts? that will be easy to manage and understand at initial stage.

Thanks

On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org> wrote:
If you are using “root”, then you should provide the user “root” the full permission. You can do that by going to the Hbase repo and pick the default policy with “*,*,*” and add user “root” to it.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:18 AM
To:  <us...@ranger.incubator.apache.org>

Subject:  Re: Issue while enabling hbase plugin

Hi Ramesh!

I started hbase services using hbase user but facing the same issue.



On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Zookeeper will be user “zookeeper” and hdfs service like namenode, secondary name will be hdfs, respective core components of hadoop will have it owner user who will be running the services. Refer the documentation in apache.

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 10:51 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Thanks Ramesh. 

But what about other services like zookeeper, hadoop etc 

On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Aneela, 

Are you starting the hbase master / region server  as “root” user, it should be “hbase” user who has the necessary permission to do so. So after enabling ranger hbase plugin start the services as “hbase” user

Regards,
Ramesh

On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com> wrote:

Hi! 

I am trying to enable hbase plugin but getting following exception when i start hbase 

2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)



Any suggestion for me?

thanks

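The check asked for in the message above (is the /hbase policy recursive, and are the same rows still denied), worked through on the HDFS audit rows quoted in this thread. This is an added example, not part of the original thread and not Ranger's code: `PathPolicy`, `path_matches` and `uncovered_denials` are hypothetical names, matching is plain path-prefix matching without wildcards, and an access type such as READ_EXECUTE is assumed to need each of its parts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRow:
    time: str
    user: str
    resource: str
    access: str    # e.g. "WRITE" or "READ_EXECUTE"
    result: str    # "Allowed" or "Denied"
    enforcer: str  # "hadoop-acl": decided by native HDFS permissions, not a Ranger policy


# Rows re-typed from the access audit quoted in the thread (user hbase, enforcer hadoop-acl).
_RAW = [
    ("10/11/2015 11:11:26 PM", "/", "READ_EXECUTE", "Allowed"),
    ("10/11/2015 11:05:11 PM", "/hbase/.tmp", "WRITE", "Denied"),
    ("10/11/2015 11:05:11 PM",
     "/hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001", "READ", "Allowed"),
    ("10/11/2015 11:05:11 PM", "/hbase/data/hbase/meta/.tabledesc", "READ_EXECUTE", "Allowed"),
    ("10/11/2015 11:05:11 PM", "/hbase/data/hbase/meta/.tabledesc", "READ_EXECUTE", "Allowed"),
    ("10/11/2015 11:05:10 PM", "/hbase/hbase.id", "READ", "Allowed"),
    ("10/11/2015 11:05:10 PM", "/hbase/hbase.version", "READ", "Allowed"),
    ("10/11/2015 11:00:53 PM", "/", "READ_EXECUTE", "Allowed"),
    ("10/11/2015 11:00:40 PM", "/test1", "WRITE", "Denied"),
    ("10/11/2015 09:41:25 PM", "/hbase/.tmp", "WRITE", "Denied"),
]
AUDIT_ROWS = [AuditRow(t, "hbase", res, acc, result, "hadoop-acl")
              for t, res, acc, result in _RAW]

ALL_ACCESS = frozenset({"READ", "WRITE", "EXECUTE"})


@dataclass(frozen=True)
class PathPolicy:
    """Simplified stand-in for one path policy (hypothetical structure)."""
    path: str
    recursive: bool
    users: frozenset
    accesses: frozenset = ALL_ACCESS


def _norm(path):
    # Drop a trailing slash, but keep the root directory as "/".
    return path.rstrip("/") or "/"


def path_matches(policy, resource):
    """True if the policy path covers the resource.

    A non-recursive policy covers only the exact path. A recursive policy
    also covers descendants, compared on whole path segments so that
    /hbase does not cover /hbase2.
    """
    base, res = _norm(policy.path), _norm(resource)
    if res == base:
        return True
    if not policy.recursive:
        return False
    prefix = base if base == "/" else base + "/"
    return res.startswith(prefix)


def policy_covers(policy, row):
    """True if the policy grants this user every permission the access needs."""
    needed = set(row.access.split("_"))  # assumption: READ_EXECUTE needs READ and EXECUTE
    return (row.user in policy.users
            and needed <= policy.accesses
            and path_matches(policy, row.resource))


def uncovered_denials(rows, policies):
    """Denied rows that no policy covers.

    These are the requests that would still fall through to the native
    HDFS permission check and keep showing up as Denied.
    """
    return [r for r in rows
            if r.result == "Denied"
            and not any(policy_covers(p, r) for p in policies)]


if __name__ == "__main__":
    for recursive in (False, True):
        policy = PathPolicy("/hbase", recursive, frozenset({"hbase"}))
        left = uncovered_denials(AUDIT_ROWS, [policy])
        print(f"recursive={recursive}: still uncovered ->",
              [(r.time, r.resource) for r in left])
```

With the policy on /hbase left non-recursive, both /hbase/.tmp denials stay uncovered; /test1 lies outside /hbase and is uncovered either way.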
Re: Issue while enabling hbase plugin

Posted by Selvamohan Neethiraj <sn...@hortonworks.com>.
Can you try setting up hbase.superuser param in the hbase-site.xml to root and retry the hbase startup ?

Thanks,
Selva-

On Sun, Oct 11, 2015 at 1:23 PM -0700, "Aneela Saleem" <an...@platalytics.com> wrote:

Hi!
Issue is not solved by adding permissions to the user hbase.

On Mon, Oct 12, 2015 at 1:04 AM, Don Bosco Durai <bo...@apache.org> wrote:
For now, the sync tool just synchronizes with one of the source. You should be able to add the unix users manually.

Log in to Ranger Admin and then Settings -> Users/Groups -> Add New User.

You can add the user you want to. You can give any random password. It is not used. Select “Role” as User.

After this you should be able to use these users for giving permissions.

Bosco


From: Aneela Saleem
Reply-To: <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 12:51 PM
To: <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Hi Bosco!

One more thing i am syncing users with ldap, not unix users. How can i apply permissions for unix users? can we sync users from ldap and unix both at a time?

On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <an...@platalytics.com> wrote:
Hi Bosco!
These are plugins audits. It seems that hbase master and region server are being synced correctly.

Export Date ( Pakistan Standard Time )  Service Name    Plugin Id       Plugin IP       Http Response Code      Status

10/12/2015 12:19:17 AM  hadoopdev       hdfs@vmubuntu2-VirtualBox-hadoopdev     192.168.23.126  200     Policies synced to plugin
10/11/2015 11:36:15 PM  hbasedev        hbaseRegional@vmubuntu2-VirtualBox-hbasedev     192.168.23.126  200     Policies synced to plugin
10/11/2015 11:36:07 PM  hbasedev        hbaseMaster@vmubuntu2-VirtualBox-hbasedev       192.168.23.126  200     Policies synced to plugin
10/11/2015 11:35:12 PM  hbasedev        hbaseMaster@vmubuntu2-VirtualBox-hbasedev       192.168.23.126  200     Policies synced to plugin
10/11/2015 11:34:12 PM  hbasedev        hbaseRegional@vmubuntu2-VirtualBox-hbasedev     192.168.23.126  200     Policies synced to plugin


On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <bo...@apache.org> wrote:
Ok, this is good. It is getting denied at the HDFS level.

From the HDFS service in Ranger Admin, create a new policy for /hbase (recursive) and give all permission to user “hbase”.

Let me know how it goes.

BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You can check the Audit->Plugins to see whether both Hbase Master and RegionServers are connecting and also in the Audit->Access, filter by service type “Hbase”.

Thanks

Bosco


From: Aneela Saleem
Reply-To: <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 12:32 PM
To: <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Hi Bosco!

Audits show that it is denying hbase user for writing into hadoop. Audits are as follows

Policy ID  Event Time  User  Service Name / Type  Resource Name  Access Type  Result  Access Enforcer  Client IP  Event Count
--  10/11/2015 11:11:26 PM  hbase  hadoopdev / hdfs  /  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/.tmp  WRITE  Denied  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001  READ  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/data/hbase/meta/.tabledesc  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:11 PM  hbase  hadoopdev / hdfs  /hbase/data/hbase/meta/.tabledesc  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:10 PM  hbase  hadoopdev / hdfs  /hbase/hbase.id  READ  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:05:10 PM  hbase  hadoopdev / hdfs  /hbase/hbase.version  READ  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:00:53 PM  hbase  hadoopdev / hdfs  /  READ_EXECUTE  Allowed  hadoop-acl  127.0.0.1  1
--  10/11/2015 11:00:40 PM  hbase  hadoopdev / hdfs  /test1  WRITE  Denied  hadoop-acl  127.0.0.1  1
--  10/11/2015 09:41:25 PM  hbase  hadoopdev / hdfs  /hbase/.tmp  WRITE  Denied  hadoop-acl  127.0.0.1  1



On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org> wrote:
Yes, you can run as root if you want to. In production it is a good practice to have separate users, so you can manage the access to the shell accordingly. Also, generally it is not recommended to run user applications at user “root”. A rogue application can cause unimaginable damage in your network.

For your current problem, can you check the Ranger audits in the Ranger Admin page and see what is the user that is getting denied?

Thanks

Bosco


From: Aneela Saleem
Reply-To: <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 11:36 AM
To: <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Hi Bosco!

Same issue after following your instruction. Is it possible to run all services using root user without conflicts? that will be easy to manage and understand at initial stage.

Thanks

On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org> wrote:
If you are using “root”, then you should provide the user “root” the full permission. You can do that by going to the Hbase repo and pick the default policy with “*,*,*” and add user “root” to it.

Thanks

Bosco


From: Aneela Saleem
Reply-To: <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 11:18 AM
To: <us...@ranger.incubator.apache.org>

Subject: Re: Issue while enabling hbase plugin

Hi Ramesh!

I started hbase services using hbase user but facing the same issue.



On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Zookeeper will be user “zookeeper” and hdfs service like namenode, secondary name will be hdfs, respective core components of hadoop will have it owner user who will be running the services. Refer the documentation in apache.

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 10:51 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Thanks Ramesh.

But what about other services like zookeeper, hadoop etc

On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Aneela,

Are you starting the hbase master / region server  as “root” user, it should be “hbase” user who has the necessary permission to do so. So after enabling ranger hbase plugin start the services as “hbase” user

Regards,
Ramesh

On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com> wrote:

Hi!

I am trying to enable hbase plugin but getting following exception when i start hbase

2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)



Any suggestion for me?

thanks

Re: Issue while enabling hbase plugin

Posted by Aneela Saleem <an...@platalytics.com>.
Hi!
Issue is not solved by adding permissions to the user hbase.

On Mon, Oct 12, 2015 at 1:04 AM, Don Bosco Durai <bo...@apache.org> wrote:

> For now, the sync tool just synchronizes with one of the source. You
> should be able to add the unix users manually.
>
> Log in to Ranger Admin and then Settings -> Users/Groups -> Add New User.
>
> You can add the user you want to. You can give any random password. It is
> not used. Select “Role” as User.
>
> After this you should be able to use these users for giving permissions.
>
> Bosco
>
>
> From: Aneela Saleem
> Reply-To: <us...@ranger.incubator.apache.org>
> Date: Sunday, October 11, 2015 at 12:51 PM
>
> To: <us...@ranger.incubator.apache.org>
> Subject: Re: Issue while enabling hbase plugin
>
> Hi Bosco!
>
> One more thing i am syncing users with ldap, not unix users. How can i
> apply permissions for unix users? can we sync users from ldap and unix both
> at a time?
>
> On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <an...@platalytics.com>
> wrote:
>
>> Hi Bosco!
>> These are plugins audits. It seems that hbase master and region server
>> are being synced correctly.
>>
>> Export Date ( Pakistan Standard Time ) | Service Name | Plugin Id | Plugin IP | Http Response Code | Status
>> 10/12/2015 12:19:17 AM | hadoopdev | hdfs@vmubuntu2-VirtualBox-hadoopdev | 192.168.23.126 | 200 | Policies synced to plugin
>> 10/11/2015 11:36:15 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>> 10/11/2015 11:36:07 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>> 10/11/2015 11:35:12 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>> 10/11/2015 11:34:12 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>>
>> On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <bo...@apache.org>
>> wrote:
>>
>>> Ok, this is good. It is getting denied at the HDFS level.
>>>
>>> From the HDFS service in Ranger Admin, create a new policy for /hbase
>>> (recursive) and give all permission to user “hbase”.
>>>
>>> Let me know how it goes.
>>>
>>> BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You
>>> can check the Audit->Plugins to see whether both Hbase Master and
>>> RegionServers are connecting and also in the Audit->Access, filter by
>>> service type “Hbase”.
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>>
>>> From: Aneela Saleem
>>> Reply-To: <us...@ranger.incubator.apache.org>
>>> Date: Sunday, October 11, 2015 at 12:32 PM
>>>
>>> To: <us...@ranger.incubator.apache.org>
>>> Subject: Re: Issue while enabling hbase plugin
>>>
>>> Hi Bosco!
>>>
>>> Audits show that it is denying hbase user for writing into hadoop. Audits
>>> are as follows
>>>
>>> Policy ID | Event Time | User | Service Name / Type | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
>>> -- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:00:53 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 09:41:25 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>>>
>>>
>>>
>>> On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org>
>>> wrote:
>>>
>>>> Yes, you can run as root if you want to. In production it is a good
>>>> practice to have separate users, so you can manage the access to the shell
>>>> accordingly. Also, generally it is not recommended to run user applications
>>>> at user “root”. A rogue application can cause unimaginable damage in your
>>>> network.
>>>>
>>>> For your current problem, can you check the Ranger audits in the Ranger
>>>> Admin page and see what is the user that is getting denied?
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>>
>>>> From: Aneela Saleem
>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>> Date: Sunday, October 11, 2015 at 11:36 AM
>>>>
>>>> To: <us...@ranger.incubator.apache.org>
>>>> Subject: Re: Issue while enabling hbase plugin
>>>>
>>>> Hi Bosco!
>>>>
>>>> Same issue after following your instruction. Is it possible to run all
>>>> services using root user without conflicts? that will be easy to manage and
>>>> understand at initial stage.
>>>>
>>>> Thanks
>>>>
>>>> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org>
>>>> wrote:
>>>>
>>>>> If you are using “root”, then you should provide the user “root” the
>>>>> full permission. You can do that by going to the Hbase repo and pick the
>>>>> default policy with “*,*,*” and add user “root” to it.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Bosco
>>>>>
>>>>>
>>>>> From: Aneela Saleem
>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>> Date: Sunday, October 11, 2015 at 11:18 AM
>>>>> To: <us...@ranger.incubator.apache.org>
>>>>>
>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>
>>>>> Hi Ramesh!
>>>>>
>>>>> I started hbase services using hbase user but facing the same issue.
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com>
>>>>> wrote:
>>>>>
>>>>>> Zookeeper will be user “zookeeper” and hdfs service like namenode,
>>>>>> secondary name will be hdfs, respective core components of hadoop will have
>>>>>> it owner user who will be running the services. Refer the documentation in
>>>>>> apache.
>>>>>>
>>>>>> From: Aneela Saleem <an...@platalytics.com>
>>>>>> Reply-To: "user@ranger.incubator.apache.org" <
>>>>>> user@ranger.incubator.apache.org>
>>>>>> Date: Sunday, October 11, 2015 at 10:51 AM
>>>>>> To: "user@ranger.incubator.apache.org" <
>>>>>> user@ranger.incubator.apache.org>
>>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>>
>>>>>> Thanks Ramesh.
>>>>>>
>>>>>> But what about other services like zookeeper, hadoop etc
>>>>>>
>>>>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Aneela,
>>>>>>>
>>>>>>> Are you starting the hbase master / region server  as “root” user,
>>>>>>> it should be “hbase” user who has the necessary permission to do so. So
>>>>>>> after enabling ranger hbase plugin start the services as “hbase” user
>>>>>>>
>>>>>>> Regards,
>>>>>>> Ramesh
>>>>>>>
>>>>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi!
>>>>>>>
>>>>>>> I am trying to enable hbase plugin but getting following exception
>>>>>>> when i start hbase
>>>>>>>
>>>>>>> *2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0]
>>>>>>> procedure.CreateTableProcedure: Failed rollback attempt
>>>>>>> step=CREATE_TABLE_ADD_TO_META table=hbase:namespace*
>>>>>>> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException:
>>>>>>> Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException:
>>>>>>> Insufficient permissions for user ‘root',action: delete,
>>>>>>> tableName:hbase:meta, family:info, column:*
>>>>>>> *        at
>>>>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)*
>>>>>>> *        at
>>>>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)*
>>>>>>> *        at
>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)*
>>>>>>> *        at
>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)*
>>>>>>> *        at
>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)*
>>>>>>> *        at
>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)*
>>>>>>> *        at
>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)*
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *Any suggestion for me?*
>>>>>>>
>>>>>>> *thanks*
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
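
Added example, not part of the original thread and not Ranger code: a small Python model of the triage discussed above, run over the access-audit rows quoted in the thread. It checks which denials the suggested /hbase (recursive) policy for user "hbase" would cover; the `PathPolicy` class and its prefix matching are simplified assumptions, not Ranger's own matcher.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    user: str
    resource: str
    access_type: str  # HDFS FsAction name as shown in the audit, e.g. READ_EXECUTE
    result: str       # "Allowed" or "Denied"
    enforcer: str     # "hadoop-acl" = native HDFS check, "ranger-acl" = Ranger policy


@dataclass(frozen=True)
class PathPolicy:
    """Simplified model of one HDFS path policy (an assumption, not Ranger's matcher)."""
    path: str
    recursive: bool
    users: frozenset
    accesses: frozenset  # subset of {"read", "write", "execute"}


# (user, resource, access type, result, enforcer), transcribed from the
# access-audit rows quoted in the thread (all for service type "hdfs").
ROWS = [
    ("hbase", "/", "READ_EXECUTE", "Allowed", "hadoop-acl"),
    ("hbase", "/hbase/.tmp", "WRITE", "Denied", "hadoop-acl"),
    ("hbase", "/hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001",
     "READ", "Allowed", "hadoop-acl"),
    ("hbase", "/hbase/data/hbase/meta/.tabledesc", "READ_EXECUTE", "Allowed", "hadoop-acl"),
    ("hbase", "/hbase/data/hbase/meta/.tabledesc", "READ_EXECUTE", "Allowed", "hadoop-acl"),
    ("hbase", "/hbase/hbase.id", "READ", "Allowed", "hadoop-acl"),
    ("hbase", "/hbase/hbase.version", "READ", "Allowed", "hadoop-acl"),
    ("hbase", "/", "READ_EXECUTE", "Allowed", "hadoop-acl"),
    ("hbase", "/test1", "WRITE", "Denied", "hadoop-acl"),
    ("hbase", "/hbase/.tmp", "WRITE", "Denied", "hadoop-acl"),
]
EVENTS = [AuditEvent(*row) for row in ROWS]

# The policy suggested in the thread: /hbase (recursive), all permissions, user "hbase".
SUGGESTED = PathPolicy("/hbase", True, frozenset({"hbase"}),
                       frozenset({"read", "write", "execute"}))


def required_accesses(access_type):
    """Split an FsAction name such as READ_EXECUTE into the accesses it needs."""
    if access_type == "ALL":
        return {"read", "write", "execute"}
    return {part.lower() for part in access_type.split("_")}


def path_matches(policy, resource):
    """Exact match, or any descendant when the policy is recursive."""
    base = policy.path.rstrip("/")
    if resource.rstrip("/") == base:
        return True
    # Compare on a path-segment boundary so /hbase does not match /hbase-old.
    return policy.recursive and resource.startswith(base + "/")


def covers(policy, event):
    """True if the policy grants this user the needed accesses on this path."""
    return (event.user in policy.users
            and required_accesses(event.access_type) <= policy.accesses
            and path_matches(policy, event.resource))


def denials_by_enforcer(events):
    """Count denied events per enforcer to see which layer refused access."""
    return Counter(e.enforcer for e in events if e.result == "Denied")


def still_denied(events, policies):
    """Distinct denied (user, resource, access) tuples that no policy would cover."""
    return sorted({(e.user, e.resource, e.access_type)
                   for e in events
                   if e.result == "Denied" and not any(covers(p, e) for p in policies)})


if __name__ == "__main__":
    print("Denials per enforcer:", dict(denials_by_enforcer(EVENTS)))
    print("Not covered by suggested policy:", still_denied(EVENTS, [SUGGESTED]))
    # Constructed event: the same write attempted by a service started as root.
    as_root = AuditEvent("root", "/hbase/.tmp", "WRITE", "Denied", "hadoop-acl")
    print("Suggested policy covers root:", covers(SUGGESTED, as_root))
```

The policy is scoped to user "hbase" and to the /hbase subtree, so a service started as another account, or a write outside /hbase such as the /test1 row, stays denied.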

Re: Issue while enabling hbase plugin

Posted by Don Bosco Durai <bo...@apache.org>.
For now, the sync tool just synchronizes with one of the sources. You should be able to add the unix users manually.

Log in to Ranger Admin and then Settings -> Users/Groups -> Add New User.

You can add the user you want to. You can give any random password. It is not used. Select “Role” as User.

After this you should be able to use these users for giving permissions.

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 12:51 PM
To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

One more thing i am syncing users with ldap, not unix users. How can i apply permissions for unix users? can we sync users from ldap and unix both at a time?

On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <an...@platalytics.com> wrote:
Hi Bosco!
These are plugins audits. It seems that hbase master and region server are being synced correctly.

Export Date ( Pakistan Standard Time ) | Service Name | Plugin Id | Plugin IP | Http Response Code | Status
10/12/2015 12:19:17 AM | hadoopdev | hdfs@vmubuntu2-VirtualBox-hadoopdev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:36:15 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:36:07 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:35:12 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:34:12 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin


On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <bo...@apache.org> wrote:
Ok, this is good. It is getting denied at the HDFS level.

From the HDFS service in Ranger Admin, create a new policy for /hbase (recursive) and give all permission to user “hbase”.

Let me know how it goes.

BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You can check the Audit->Plugins to see whether both Hbase Master and RegionServers are connecting and also in the Audit->Access, filter by service type “Hbase”.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 12:32 PM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

Audits show that it is denying hbase user for writing into hadoop. Audits are as follows

Policy ID | Event Time | User | Service Name / Type | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
-- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:53 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 09:41:25 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1



On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org> wrote:
Yes, you can run as root if you want to. In production it is a good practice to have separate users, so you can manage the access to the shell accordingly. Also, generally it is not recommended to run user applications at user “root”. A rogue application can cause unimaginable damage in your network.

For your current problem, can you check the Ranger audits in the Ranger Admin page and see what is the user that is getting denied?

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:36 AM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

Same issue after following your instruction. Is it possible to run all services using root user without conflicts? that will be easy to manage and understand at initial stage.

Thanks

On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org> wrote:
If you are using “root”, then you should provide the user “root” the full permission. You can do that by going to the Hbase repo and pick the default policy with “*,*,*” and add user “root” to it.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:18 AM
To:  <us...@ranger.incubator.apache.org>

Subject:  Re: Issue while enabling hbase plugin

Hi Ramesh!

I started hbase services using hbase user but facing the same issue.



On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Zookeeper will be user “zookeeper” and hdfs service like namenode, secondary name will be hdfs, respective core components of hadoop will have it owner user who will be running the services. Refer the documentation in apache.

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 10:51 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Thanks Ramesh. 

But what about other services like zookeeper, hadoop etc 

On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Aneela, 

Are you starting the hbase master / region server  as “root” user, it should be “hbase” user who has the necessary permission to do so. So after enabling ranger hbase plugin start the services as “hbase” user

Regards,
Ramesh

On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com> wrote:

Hi! 

I am trying to enable hbase plugin but getting following exception when i start hbase 

2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)



Any suggestion for me?

thanks














Re: Issue while enabling hbase plugin

Posted by Aneela Saleem <an...@platalytics.com>.
Hi Bosco!

One more thing i am syncing users with ldap, not unix users. How can i
apply permissions for unix users? can we sync users from ldap and unix both
at a time?

On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <an...@platalytics.com>
wrote:

> Hi Bosco!
> These are plugins audits. It seems that hbase master and region server
> are being synced correctly.
>
> Export Date ( Pakistan Standard Time ) | Service Name | Plugin Id | Plugin IP | Http Response Code | Status
> 10/12/2015 12:19:17 AM | hadoopdev | hdfs@vmubuntu2-VirtualBox-hadoopdev | 192.168.23.126 | 200 | Policies synced to plugin
> 10/11/2015 11:36:15 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
> 10/11/2015 11:36:07 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
> 10/11/2015 11:35:12 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
> 10/11/2015 11:34:12 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>
> On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <bo...@apache.org>
> wrote:
>
>> Ok, this is good. It is getting denied at the HDFS level.
>>
>> From the HDFS service in Ranger Admin, create a new policy for /hbase
>> (recursive) and give all permission to user “hbase”.
>>
>> Let me know how it goes.
>>
>> BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You
>> can check the Audit->Plugins to see whether both Hbase Master and
>> RegionServers are connecting and also in the Audit->Access, filter by
>> service type “Hbase”.
>>
>> Thanks
>>
>> Bosco
>>
>>
>> From: Aneela Saleem
>> Reply-To: <us...@ranger.incubator.apache.org>
>> Date: Sunday, October 11, 2015 at 12:32 PM
>>
>> To: <us...@ranger.incubator.apache.org>
>> Subject: Re: Issue while enabling hbase plugin
>>
>> Hi Bosco!
>>
>> Audits show that it is denying hbase user for writing into hadoop. Audits
>> are as follows
>>
>> Policy ID | Event Time | User | Service Name / Type | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
>> -- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:00:53 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>> -- | 10/11/2015 09:41:25 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>>
>>
>>
>> On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org>
>> wrote:
>>
>>> Yes, you can run as root if you want to. In production it is a good
>>> practice to have separate users, so you can manage the access to the shell
>>> accordingly. Also, generally it is not recommended to run user applications
>>> at user “root”. A rogue application can cause unimaginable damage in your
>>> network.
>>>
>>> For your current problem, can you check the Ranger audits in the Ranger
>>> Admin page and see what is the user that is getting denied?
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>>
>>> From: Aneela Saleem
>>> Reply-To: <us...@ranger.incubator.apache.org>
>>> Date: Sunday, October 11, 2015 at 11:36 AM
>>>
>>> To: <us...@ranger.incubator.apache.org>
>>> Subject: Re: Issue while enabling hbase plugin
>>>
>>> Hi Bosco!
>>>
>>> Same issue after following your instruction. Is it possible to run all
>>> services using root user without conflicts? that will be easy to manage and
>>> understand at initial stage.
>>>
>>> Thanks
>>>
>>> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org>
>>> wrote:
>>>
>>>> If you are using “root”, then you should provide the user “root” the
>>>> full permission. You can do that by going to the Hbase repo and pick the
>>>> default policy with “*,*,*” and add user “root” to it.
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>>
>>>> From: Aneela Saleem
>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>> Date: Sunday, October 11, 2015 at 11:18 AM
>>>> To: <us...@ranger.incubator.apache.org>
>>>>
>>>> Subject: Re: Issue while enabling hbase plugin
>>>>
>>>> Hi Ramesh!
>>>>
>>>> I started hbase services using hbase user but facing the same issue.
>>>>
>>>>
>>>>
>>>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com>
>>>> wrote:
>>>>
>>>>> Zookeeper will be user “zookeeper” and hdfs service like namenode,
>>>>> secondary name will be hdfs, respective core components of hadoop will have
>>>>> it owner user who will be running the services. Refer the documentation in
>>>>> apache.
>>>>>
>>>>> From: Aneela Saleem <an...@platalytics.com>
>>>>> Reply-To: "user@ranger.incubator.apache.org" <
>>>>> user@ranger.incubator.apache.org>
>>>>> Date: Sunday, October 11, 2015 at 10:51 AM
>>>>> To: "user@ranger.incubator.apache.org" <
>>>>> user@ranger.incubator.apache.org>
>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>
>>>>> Thanks Ramesh.
>>>>>
>>>>> But what about other services like zookeeper, hadoop etc
>>>>>
>>>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com>
>>>>> wrote:
>>>>>
>>>>>> Aneela,
>>>>>>
>>>>>> Are you starting the hbase master / region server  as “root” user, it
>>>>>> should be “hbase” user who has the necessary permission to do so. So after
>>>>>> enabling ranger hbase plugin start the services as “hbase” user
>>>>>>
>>>>>> Regards,
>>>>>> Ramesh
>>>>>>
>>>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com>
>>>>>> wrote:
>>>>>>
>>>>>> Hi!
>>>>>>
>>>>>> I am trying to enable hbase plugin but getting following exception
>>>>>> when i start hbase
>>>>>>
>>>>>> *2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0]
>>>>>> procedure.CreateTableProcedure: Failed rollback attempt
>>>>>> step=CREATE_TABLE_ADD_TO_META table=hbase:namespace*
>>>>>> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException:
>>>>>> Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException:
>>>>>> Insufficient permissions for user ‘root',action: delete,
>>>>>> tableName:hbase:meta, family:info, column:*
>>>>>> *        at
>>>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)*
>>>>>> *        at
>>>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)*
>>>>>> *        at
>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)*
>>>>>> *        at
>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)*
>>>>>> *        at
>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)*
>>>>>> *        at
>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)*
>>>>>> *        at
>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)*
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Any suggestion for me?*
>>>>>>
>>>>>> *thanks*
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

Re: Issue while enabling hbase plugin

Posted by Don Bosco Durai <bo...@apache.org>.
This is also good. Did adding the policies in HDFS resolve your issue?

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 12:41 PM
To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!
These are plugins audits. It seems that hbase master and region server are being synced correctly.

Export Date ( Pakistan Standard Time ) | Service Name | Plugin Id | Plugin IP | Http Response Code | Status
10/12/2015 12:19:17 AM | hadoopdev | hdfs@vmubuntu2-VirtualBox-hadoopdev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:36:15 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:36:07 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:35:12 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:34:12 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin


On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <bo...@apache.org> wrote:
Ok, this is good. It is getting denied at the HDFS level.

From the HDFS service in Ranger Admin, create a new policy for /hbase (recursive) and give all permission to user “hbase”.

Let me know how it goes.

BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You can check the Audit->Plugins to see whether both Hbase Master and RegionServers are connecting and also in the Audit->Access, filter by service type “Hbase”.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 12:32 PM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

Audits show that it is denying hbase user for writing into hadoop. Audits are as follows

Policy ID | Event Time | User | Service Name / Type | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
-- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:53 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 09:41:25 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1



On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org> wrote:
Yes, you can run as root if you want to. In production it is a good practice to have separate users, so you can manage the access to the shell accordingly. Also, generally it is not recommended to run user applications at user “root”. A rogue application can cause unimaginable damage in your network.

For your current problem, can you check the Ranger audits in the Ranger Admin page and see what is the user that is getting denied?

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:36 AM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

Same issue after following your instruction. Is it possible to run all services using root user without conflicts? that will be easy to manage and understand at initial stage.

Thanks

On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org> wrote:
If you are using “root”, then you should provide the user “root” the full permission. You can do that by going to the Hbase repo and pick the default policy with “*,*,*” and add user “root” to it.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:18 AM
To:  <us...@ranger.incubator.apache.org>

Subject:  Re: Issue while enabling hbase plugin

Hi Ramesh!

I started hbase services using hbase user but facing the same issue.



On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Zookeeper will be user “zookeeper” and hdfs service like namenode, secondary name will be hdfs, respective core components of hadoop will have it owner user who will be running the services. Refer the documentation in apache.

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 10:51 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Thanks Ramesh. 

But what about other services like zookeeper, hadoop etc 

On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Aneela, 

Are you starting the hbase master / region server  as “root” user, it should be “hbase” user who has the necessary permission to do so. So after enabling ranger hbase plugin start the services as “hbase” user

Regards,
Ramesh

On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com> wrote:

Hi! 

I am trying to enable hbase plugin but getting following exception when i start hbase 

2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)



Any suggestion for me?

thanks













Re: Issue while enabling hbase plugin

Posted by Aneela Saleem <an...@platalytics.com>.
Hi Bosco!
These are the plugin audits. It seems that hbase master and region server are
being synced correctly.

Export Date (Pakistan Standard Time) | Service Name | Plugin Id | Plugin IP | Http Response Code | Status
10/12/2015 12:19:17 AM | hadoopdev | hdfs@vmubuntu2-VirtualBox-hadoopdev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:36:15 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:36:07 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:35:12 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:34:12 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin

On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <bo...@apache.org> wrote:

> Ok, this is good. It is getting denied at the HDFS level.
>
> From the HDFS service in Ranger Admin, create a new policy for /hbase
> (recursive) and give all permission to user “hbase”.
>
> Let me know how it goes.
>
> BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You
> can check the Audit->Plugins to see whether both Hbase Master and
> RegionServers are connecting and also in the Audit->Access, filter by
> service type “Hbase”.
>
> Thanks
>
> Bosco
>
>
> From: Aneela Saleem
> Reply-To: <us...@ranger.incubator.apache.org>
> Date: Sunday, October 11, 2015 at 12:32 PM
>
> To: <us...@ranger.incubator.apache.org>
> Subject: Re: Issue while enabling hbase plugin
>
> Hi Bosco!
>
> Audits show that it is denying the hbase user for writing into hadoop. The
> audits are as follows:
>
> Policy ID | Event Time | User | Service Name / Type | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
> -- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
> -- | 10/11/2015 11:00:53 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
> -- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
> -- | 10/11/2015 09:41:25 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>
>
>
> On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org>
> wrote:
>
>> Yes, you can run as root if you want to. In production it is a good
>> practice to have separate users, so you can manage the access to the shell
>> accordingly. Also, generally it is not recommended to run user applications
>> at user “root”. A rogue application can cause unimaginable damage in your
>> network.
>>
>> For your current problem, can you check the Ranger audits in the Ranger
>> Admin page and see what is the user that is getting denied?
>>
>> Thanks
>>
>> Bosco
>>
>>
>> From: Aneela Saleem
>> Reply-To: <us...@ranger.incubator.apache.org>
>> Date: Sunday, October 11, 2015 at 11:36 AM
>>
>> To: <us...@ranger.incubator.apache.org>
>> Subject: Re: Issue while enabling hbase plugin
>>
>> Hi Bosco!
>>
>> Same issue after following your instruction. Is it possible to run all
>> services using root user without conflicts? that will be easy to manage and
>> understand at initial stage.
>>
>> Thanks
>>
>> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org>
>> wrote:
>>
>>> If you are using “root”, then you should provide the user “root” the
>>> full permission. You can do that by going to the Hbase repo and pick the
>>> default policy with “*,*,*” and add user “root” to it.
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>>
>>> From: Aneela Saleem
>>> Reply-To: <us...@ranger.incubator.apache.org>
>>> Date: Sunday, October 11, 2015 at 11:18 AM
>>> To: <us...@ranger.incubator.apache.org>
>>>
>>> Subject: Re: Issue while enabling hbase plugin
>>>
>>> Hi Ramesh!
>>>
>>> I started hbase services using hbase user but facing the same issue.
>>>
>>>
>>>
>>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com>
>>> wrote:
>>>
>>>> Zookeeper will be user “zookeeper” and hdfs service like namenode,
>>>> secondary name will be hdfs, respective core components of hadoop will have
>>>> it owner user who will be running the services. Refer the documentation in
>>>> apache.
>>>>
>>>> From: Aneela Saleem <an...@platalytics.com>
>>>> Reply-To: "user@ranger.incubator.apache.org" <
>>>> user@ranger.incubator.apache.org>
>>>> Date: Sunday, October 11, 2015 at 10:51 AM
>>>> To: "user@ranger.incubator.apache.org" <
>>>> user@ranger.incubator.apache.org>
>>>> Subject: Re: Issue while enabling hbase plugin
>>>>
>>>> Thanks Ramesh.
>>>>
>>>> But what about other services like zookeeper, hadoop etc
>>>>
>>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com>
>>>> wrote:
>>>>
>>>>> Aneela,
>>>>>
>>>>> Are you starting the hbase master / region server  as “root” user, it
>>>>> should be “hbase” user who has the necessary permission to do so. So after
>>>>> enabling ranger hbase plugin start the services as “hbase” user
>>>>>
>>>>> Regards,
>>>>> Ramesh
>>>>>
>>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com>
>>>>> wrote:
>>>>>
>>>>> Hi!
>>>>>
>>>>> I am trying to enable hbase plugin but getting following exception
>>>>> when i start hbase
>>>>>
>>>>> *2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0]
>>>>> procedure.CreateTableProcedure: Failed rollback attempt
>>>>> step=CREATE_TABLE_ADD_TO_META table=hbase:namespace*
>>>>> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException:
>>>>> Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException:
>>>>> Insufficient permissions for user ‘root',action: delete,
>>>>> tableName:hbase:meta, family:info, column:*
>>>>> *        at
>>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)*
>>>>> *        at
>>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)*
>>>>> *        at
>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)*
>>>>> *        at
>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)*
>>>>> *        at
>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)*
>>>>> *        at
>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)*
>>>>> *        at
>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)*
>>>>>
>>>>>
>>>>>
>>>>> *Any suggestion for me?*
>>>>>
>>>>> *thanks*
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>

Re: Issue while enabling hbase plugin

Posted by Don Bosco Durai <bo...@apache.org>.
Ok, this is good. It is getting denied at the HDFS level.

From the HDFS service in Ranger Admin, create a new policy for /hbase (recursive) and give all permission to user “hbase”.

Let me know how it goes.

BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You can check the Audit->Plugins to see whether both Hbase Master and RegionServers are connecting and also in the Audit->Access, filter by service type “Hbase”.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 12:32 PM
To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

Audits show that it is denying the hbase user for writing into hadoop. The audits are as follows:

Policy ID | Event Time | User | Service Name / Type | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
-- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:53 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 09:41:25 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1



On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org> wrote:
Yes, you can run as root if you want to. In production it is a good practice to have separate users, so you can manage the access to the shell accordingly. Also, generally it is not recommended to run user applications at user “root”. A rogue application can cause unimaginable damage in your network.

For your current problem, can you check the Ranger audits in the Ranger Admin page and see what is the user that is getting denied?

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:36 AM

To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

Same issue after following your instruction. Is it possible to run all services using root user without conflicts? that will be easy to manage and understand at initial stage.

Thanks

On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org> wrote:
If you are using “root”, then you should provide the user “root” the full permission. You can do that by going to the Hbase repo and pick the default policy with “*,*,*” and add user “root” to it.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:18 AM
To:  <us...@ranger.incubator.apache.org>

Subject:  Re: Issue while enabling hbase plugin

Hi Ramesh!

I started hbase services using hbase user but facing the same issue.



On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Zookeeper will be user “zookeeper” and hdfs service like namenode, secondary name will be hdfs, respective core components of hadoop will have it owner user who will be running the services. Refer the documentation in apache.

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 10:51 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Thanks Ramesh. 

But what about other services like zookeeper, hadoop etc 

On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Aneela, 

Are you starting the hbase master / region server  as “root” user, it should be “hbase” user who has the necessary permission to do so. So after enabling ranger hbase plugin start the services as “hbase” user

Regards,
Ramesh

On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com> wrote:

Hi! 

I am trying to enable hbase plugin but getting following exception when i start hbase 

2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)



Any suggestion for me?

thanks






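The triage described in the message above (find the denied user and resource in the audits, then grant it with a recursive HDFS policy on /hbase), as an added Python sketch that is not code from the thread or from Ranger. The audit rows are transcribed from the table in this thread; the function names, the generated policy name and the simplified path matcher are assumptions, and the JSON field names are taken to follow Ranger's policy model, to be checked against your Ranger version.

```python
import json
from collections import defaultdict

FIELDS = ("time", "user", "service", "type", "resource", "access", "result", "enforcer")

# Rows transcribed from the access-audit table posted in this thread.
# Enforcer "hadoop-acl" means native HDFS permissions made the decision,
# i.e. no Ranger policy matched the request.
AUDIT_ROWS = [
    ("10/11/2015 11:11:26 PM", "hbase", "hadoopdev", "hdfs", "/", "READ_EXECUTE", "Allowed", "hadoop-acl"),
    ("10/11/2015 11:05:11 PM", "hbase", "hadoopdev", "hdfs", "/hbase/.tmp", "WRITE", "Denied", "hadoop-acl"),
    ("10/11/2015 11:05:11 PM", "hbase", "hadoopdev", "hdfs",
     "/hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001", "READ", "Allowed", "hadoop-acl"),
    ("10/11/2015 11:05:11 PM", "hbase", "hadoopdev", "hdfs",
     "/hbase/data/hbase/meta/.tabledesc", "READ_EXECUTE", "Allowed", "hadoop-acl"),
    ("10/11/2015 11:05:10 PM", "hbase", "hadoopdev", "hdfs", "/hbase/hbase.id", "READ", "Allowed", "hadoop-acl"),
    ("10/11/2015 11:05:10 PM", "hbase", "hadoopdev", "hdfs", "/hbase/hbase.version", "READ", "Allowed", "hadoop-acl"),
    ("10/11/2015 11:00:53 PM", "hbase", "hadoopdev", "hdfs", "/", "READ_EXECUTE", "Allowed", "hadoop-acl"),
    ("10/11/2015 11:00:40 PM", "hbase", "hadoopdev", "hdfs", "/test1", "WRITE", "Denied", "hadoop-acl"),
    ("10/11/2015 09:41:25 PM", "hbase", "hadoopdev", "hdfs", "/hbase/.tmp", "WRITE", "Denied", "hadoop-acl"),
]


def denials(rows):
    """Group denied events as (user, service, access) -> sorted resources."""
    grouped = defaultdict(set)
    for row in rows:
        ev = dict(zip(FIELDS, row))
        if ev["result"] == "Denied":
            grouped[(ev["user"], ev["service"], ev["access"])].add(ev["resource"])
    return {key: sorted(paths) for key, paths in grouped.items()}


def hdfs_policy(service, path, user, name=None):
    """Recursive read/write/execute policy for one user on one HDFS path.

    Field names are assumed to match Ranger's policy JSON; the default
    policy name is a made-up convention for this example.
    """
    return {
        "service": service,
        "name": name or "%s-%s-all" % (user, path.strip("/").replace("/", "-")),
        "isEnabled": True,
        "resources": {"path": {"values": [path], "isRecursive": True, "isExcludes": False}},
        "policyItems": [{
            "users": [user],
            "accesses": [{"type": t, "isAllowed": True} for t in ("read", "write", "execute")],
            "delegateAdmin": False,
        }],
    }


def covers(policy, user, resource, access):
    """Simplified model (not Ranger's matcher) of whether a policy allows a request."""
    # Audit access names such as READ_EXECUTE map onto several policy access types.
    needed = {"read", "write", "execute"} if access == "ALL" else {p.lower() for p in access.split("_")}
    item_ok = any(
        user in item["users"]
        and needed <= {a["type"] for a in item["accesses"] if a["isAllowed"]}
        for item in policy["policyItems"]
    )
    spec = policy["resources"]["path"]

    def path_ok(base):
        base = base.rstrip("/") or "/"
        if resource == base:
            return True
        # Match on a directory boundary so /hbase does not cover /hbasefoo.
        prefix = base if base == "/" else base + "/"
        return spec["isRecursive"] and resource.startswith(prefix)

    return item_ok and any(path_ok(value) for value in spec["values"])


def uncovered(rows, policy):
    """Denied (user, resource, access) tuples the policy would still not allow."""
    left = []
    for (user, service, access), resources in denials(rows).items():
        for resource in resources:
            if service != policy["service"] or not covers(policy, user, resource, access):
                left.append((user, resource, access))
    return sorted(left)


if __name__ == "__main__":
    policy = hdfs_policy("hadoopdev", "/hbase", "hbase")
    print(json.dumps(policy, indent=2))
    print("denied:", denials(AUDIT_ROWS))
    print("still denied with this policy:", uncovered(AUDIT_ROWS, policy))
```

The denial that remains, /test1, lies outside /hbase, so a policy scoped to /hbase leaves it denied rather than widening the hbase user's access to the rest of HDFS.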






Re: Issue while enabling hbase plugin

Posted by Aneela Saleem <an...@platalytics.com>.
Hi Bosco!

Audits show that it is denying the hbase user for writing into hadoop. The
audits are as follows:

Policy ID | Event Time | User | Service Name / Type | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
-- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:53 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 09:41:25 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1



On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <bo...@apache.org> wrote:

> Yes, you can run as root if you want to. In production it is a good
> practice to have separate users, so you can manage the access to the shell
> accordingly. Also, generally it is not recommended to run user applications
> at user “root”. A rogue application can cause unimaginable damage in your
> network.
>
> For your current problem, can you check the Ranger audits in the Ranger
> Admin page and see what is the user that is getting denied?
>
> Thanks
>
> Bosco
>
>
> From: Aneela Saleem
> Reply-To: <us...@ranger.incubator.apache.org>
> Date: Sunday, October 11, 2015 at 11:36 AM
>
> To: <us...@ranger.incubator.apache.org>
> Subject: Re: Issue while enabling hbase plugin
>
> Hi Bosco!
>
> Same issue after following your instruction. Is it possible to run all
> services using root user without conflicts? that will be easy to manage and
> understand at initial stage.
>
> Thanks
>
> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org>
> wrote:
>
>> If you are using “root”, then you should provide the user “root” the full
>> permission. You can do that by going to the Hbase repo and pick the default
>> policy with “*,*,*” and add user “root” to it.
>>
>> Thanks
>>
>> Bosco
>>
>>
>> From: Aneela Saleem
>> Reply-To: <us...@ranger.incubator.apache.org>
>> Date: Sunday, October 11, 2015 at 11:18 AM
>> To: <us...@ranger.incubator.apache.org>
>>
>> Subject: Re: Issue while enabling hbase plugin
>>
>> Hi Ramesh!
>>
>> I started hbase services using hbase user but facing the same issue.
>>
>>
>>
>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com>
>> wrote:
>>
>>> Zookeeper will be user “zookeeper” and hdfs service like namenode,
>>> secondary name will be hdfs, respective core components of hadoop will have
>>> it owner user who will be running the services. Refer the documentation in
>>> apache.
>>>
>>> From: Aneela Saleem <an...@platalytics.com>
>>> Reply-To: "user@ranger.incubator.apache.org" <
>>> user@ranger.incubator.apache.org>
>>> Date: Sunday, October 11, 2015 at 10:51 AM
>>> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org
>>> >
>>> Subject: Re: Issue while enabling hbase plugin
>>>
>>> Thanks Ramesh.
>>>
>>> But what about other services like zookeeper, hadoop etc
>>>
>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com>
>>> wrote:
>>>
>>>> Aneela,
>>>>
>>>> Are you starting the hbase master / region server  as “root” user, it
>>>> should be “hbase” user who has the necessary permission to do so. So after
>>>> enabling ranger hbase plugin start the services as “hbase” user
>>>>
>>>> Regards,
>>>> Ramesh
>>>>
>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com>
>>>> wrote:
>>>>
>>>> Hi!
>>>>
>>>> I am trying to enable hbase plugin but getting following exception when
>>>> i start hbase
>>>>
>>>> *2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0]
>>>> procedure.CreateTableProcedure: Failed rollback attempt
>>>> step=CREATE_TABLE_ADD_TO_META table=hbase:namespace*
>>>> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException:
>>>> Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException:
>>>> Insufficient permissions for user ‘root',action: delete,
>>>> tableName:hbase:meta, family:info, column:*
>>>> *        at
>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)*
>>>> *        at
>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)*
>>>> *        at
>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)*
>>>> *        at
>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)*
>>>> *        at
>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)*
>>>> *        at
>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)*
>>>> *        at
>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)*
>>>>
>>>>
>>>>
>>>> *Any suggestion for me?*
>>>>
>>>> *thanks*
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>

Re: Issue while enabling hbase plugin

Posted by Don Bosco Durai <bo...@apache.org>.
Yes, you can run as root if you want to. In production it is a good practice to have separate users, so you can manage the access to the shell accordingly. Also, generally it is not recommended to run user applications at user “root”. A rogue application can cause unimaginable damage in your network.

For your current problem, can you check the Ranger audits in the Ranger Admin page and see what is the user that is getting denied?

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:36 AM
To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Bosco!

Same issue after following your instruction. Is it possible to run all services using root user without conflicts? that will be easy to manage and understand at initial stage.

Thanks

On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org> wrote:
If you are using “root”, then you should provide the user “root” the full permission. You can do that by going to the Hbase repo and pick the default policy with “*,*,*” and add user “root” to it.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:18 AM
To:  <us...@ranger.incubator.apache.org>

Subject:  Re: Issue while enabling hbase plugin

Hi Ramesh!

I started hbase services using hbase user but facing the same issue.



On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Zookeeper will be user “zookeeper” and hdfs service like namenode, secondary name will be hdfs, respective core components of hadoop will have it owner user who will be running the services. Refer the documentation in apache.

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 10:51 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Thanks Ramesh. 

But what about other services like zookeeper, hadoop etc 

On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Aneela, 

Are you starting the hbase master / region server  as “root” user, it should be “hbase” user who has the necessary permission to do so. So after enabling ranger hbase plugin start the services as “hbase” user

Regards,
Ramesh

On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com> wrote:

Hi! 

I am trying to enable hbase plugin but getting following exception when i start hbase 

2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)



Any suggestion for me?

thanks











Re: Issue while enabling hbase plugin

Posted by Aneela Saleem <an...@platalytics.com>.
Hi Bosco!

Same issue after following your instruction. Is it possible to run all
services using root user without conflicts? that will be easy to manage and
understand at initial stage.

Thanks

On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <bo...@apache.org> wrote:

> If you are using “root”, then you should provide the user “root” the full
> permission. You can do that by going to the Hbase repo and pick the default
> policy with “*,*,*” and add user “root” to it.
>
> Thanks
>
> Bosco
>
>
> From: Aneela Saleem
> Reply-To: <us...@ranger.incubator.apache.org>
> Date: Sunday, October 11, 2015 at 11:18 AM
> To: <us...@ranger.incubator.apache.org>
>
> Subject: Re: Issue while enabling hbase plugin
>
> Hi Ramesh!
>
> I started hbase services using hbase user but facing the same issue.
>
>
>
> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com>
> wrote:
>
>> Zookeeper will be user “zookeeper” and hdfs service like namenode,
>> secondary name will be hdfs, respective core components of hadoop will have
>> it owner user who will be running the services. Refer the documentation in
>> apache.
>>
>> From: Aneela Saleem <an...@platalytics.com>
>> Reply-To: "user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> Date: Sunday, October 11, 2015 at 10:51 AM
>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>> Subject: Re: Issue while enabling hbase plugin
>>
>> Thanks Ramesh.
>>
>> But what about other services like zookeeper, hadoop etc
>>
>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com>
>> wrote:
>>
>>> Aneela,
>>>
>>> Are you starting the hbase master / region server  as “root” user, it
>>> should be “hbase” user who has the necessary permission to do so. So after
>>> enabling ranger hbase plugin start the services as “hbase” user
>>>
>>> Regards,
>>> Ramesh
>>>
>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com>
>>> wrote:
>>>
>>> Hi!
>>>
>>> I am trying to enable hbase plugin but getting following exception when
>>> i start hbase
>>>
>>> *2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0]
>>> procedure.CreateTableProcedure: Failed rollback attempt
>>> step=CREATE_TABLE_ADD_TO_META table=hbase:namespace*
>>> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException:
>>> Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException:
>>> Insufficient permissions for user ‘root',action: delete,
>>> tableName:hbase:meta, family:info, column:*
>>> *        at
>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)*
>>> *        at
>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)*
>>> *        at
>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)*
>>> *        at
>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)*
>>> *        at
>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)*
>>> *        at
>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)*
>>> *        at
>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)*
>>>
>>>
>>>
>>> *Any suggestion for me?*
>>>
>>> *thanks*
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>

Re: Issue while enabling hbase plugin

Posted by Don Bosco Durai <bo...@apache.org>.
If you are using “root”, then you should provide the user “root” the full permission. You can do that by going to the Hbase repo and pick the default policy with “*,*,*” and add user “root” to it.

Thanks

Bosco


From:  Aneela Saleem
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Sunday, October 11, 2015 at 11:18 AM
To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issue while enabling hbase plugin

Hi Ramesh!

I started hbase services using hbase user but facing the same issue.



On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Zookeeper will be user “zookeeper” and hdfs service like namenode, secondary name will be hdfs, respective core components of hadoop will have it owner user who will be running the services. Refer the documentation in apache.

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 10:51 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Thanks Ramesh. 

But what about other services like zookeeper, hadoop etc 

On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Aneela, 

Are you starting the hbase master / region server  as “root” user, it should be “hbase” user who has the necessary permission to do so. So after enabling ranger hbase plugin start the services as “hbase” user

Regards,
Ramesh

On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com> wrote:

Hi! 

I am trying to enable the hbase plugin but am getting the following exception when I start hbase

2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)



Any suggestion for me?

thanks






Re: Issue while enabling hbase plugin

Posted by Aneela Saleem <an...@platalytics.com>.
Hi Ramesh!

I started hbase services using hbase user but am facing the same issue.



On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <rm...@hortonworks.com> wrote:

> Zookeeper will be user “zookeeper”, and hdfs services like namenode and
> secondary name will be hdfs; the respective core components of hadoop will
> have their owner user who will be running the services. Refer to the
> documentation in apache.
>
> From: Aneela Saleem <an...@platalytics.com>
> Reply-To: "user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> Date: Sunday, October 11, 2015 at 10:51 AM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> Subject: Re: Issue while enabling hbase plugin
>
> Thanks Ramesh.
>
> But what about other services like zookeeper, hadoop, etc.?
>
> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com>
> wrote:
>
>> Aneela,
>>
>> Are you starting the hbase master / region server as “root” user? It
>> should be “hbase” user, who has the necessary permission to do so. So after
>> enabling the ranger hbase plugin, start the services as “hbase” user.
>>
>> Regards,
>> Ramesh
>>
>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com>
>> wrote:
>>
>> Hi!
>>
>> I am trying to enable the hbase plugin but am getting the following
>> exception when I start hbase
>>
>> *2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0]
>> procedure.CreateTableProcedure: Failed rollback attempt
>> step=CREATE_TABLE_ADD_TO_META table=hbase:namespace*
>> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException:
>> Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException:
>> Insufficient permissions for user ‘root',action: delete,
>> tableName:hbase:meta, family:info, column:*
>> *        at
>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)*
>> *        at
>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)*
>> *        at
>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)*
>> *        at
>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)*
>> *        at
>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)*
>> *        at
>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)*
>> *        at
>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)*
>>
>>
>>
>> *Any suggestion for me?*
>>
>> *thanks*
>>
>>
>>
>>
>>
>>

Re: Issue while enabling hbase plugin

Posted by Ramesh Mani <rm...@hortonworks.com>.
Zookeeper will be user "zookeeper", and hdfs services like namenode and secondary name will be hdfs; the respective core components of hadoop will have their owner user who will be running the services. Refer to the documentation in apache.

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Sunday, October 11, 2015 at 10:51 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Issue while enabling hbase plugin

Thanks Ramesh.

But what about other services like zookeeper, hadoop, etc.?

On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com> wrote:
Aneela,

Are you starting the hbase master / region server as "root" user? It should be "hbase" user, who has the necessary permission to do so. So after enabling the ranger hbase plugin, start the services as "hbase" user.

Regards,
Ramesh

On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com> wrote:

Hi!

I am trying to enable the hbase plugin but am getting the following exception when I start hbase

2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'root',action: delete, tableName:hbase:meta, family:info, column:
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
        at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)



Any suggestion for me?

thanks






Re: Issue while enabling hbase plugin

Posted by Aneela Saleem <an...@platalytics.com>.
Thanks Ramesh.

But what about other services like zookeeper, hadoop, etc.?

On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <rm...@hortonworks.com> wrote:

> Aneela,
>
> Are you starting the hbase master / region server as “root” user? It
> should be “hbase” user, who has the necessary permission to do so. So after
> enabling the ranger hbase plugin, start the services as “hbase” user.
>
> Regards,
> Ramesh
>
> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com> wrote:
>
> Hi!
>
> I am trying to enable the hbase plugin but am getting the following
> exception when I start hbase
>
> *2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0]
> procedure.CreateTableProcedure: Failed rollback attempt
> step=CREATE_TABLE_ADD_TO_META table=hbase:namespace*
> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException:
> Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException:
> Insufficient permissions for user ‘root',action: delete,
> tableName:hbase:meta, family:info, column:*
> *        at
> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)*
> *        at
> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)*
> *        at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)*
> *        at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)*
> *        at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)*
> *        at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)*
> *        at
> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)*
>
>
>
> *Any suggestion for me?*
>
> *thanks*
>
>
>
>
>
>

Re: Issue while enabling hbase plugin

Posted by Ramesh Mani <rm...@hortonworks.com>.
Aneela,

Are you starting the hbase master / region server as “root” user? It should be “hbase” user, who has the necessary permission to do so. So after enabling the ranger hbase plugin, start the services as “hbase” user.

Regards,
Ramesh

On Oct 11, 2015, at 7:40 AM, Aneela Saleem <an...@platalytics.com> wrote:

> Hi!
> 
> I am trying to enable the hbase plugin but am getting the following exception when I start hbase
> 
> 2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
> org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
>         at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
>         at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)
> 
> 
> 
> Any suggestion for me?
> 
> thanks
> 
> 
> 
> 


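A triage helper for the denial message quoted in this thread, added here as an example and not part of any poster's message or of the Ranger or HBase code: it parses the `Insufficient permissions for user ...` line and groups denials by user, action and table, flagging system-table denials for an account other than the expected service user. The function names, the `service_user` default and the sample lines marked as constructed are assumptions.

```python
import re
from collections import Counter

# Denial format as it appears in the thread's log excerpt; the user name may be
# wrapped in straight or typographic quotes (the excerpt mixes both).
DENY_RE = re.compile(
    r"Insufficient permissions for user\s*[‘’']?(?P<user>[^‘’',]+)[‘’']?\s*,"
    r"\s*action:\s*(?P<action>[\w-]+),\s*tableName:\s*(?P<table>[^,]+),"
    r"\s*family:\s*(?P<family>[^,]*),\s*column:\s*(?P<column>.*)$"
)
SYSTEM_NAMESPACE = "hbase:"  # hbase:meta, hbase:namespace

PREFIX = ("org.apache.hadoop.hbase.security.AccessDeniedException: "
          "Insufficient permissions for user ")
SAMPLE = [
    # from the thread
    PREFIX + "‘root',action: delete, tableName:hbase:meta, family:info, column:",
    # constructed lines in the same format
    PREFIX + "'hbase',action: delete, tableName:hbase:meta, family:info, column:",
    PREFIX + "'alice',action: read, tableName:sales, family:cf, column:amount",
    "2015-10-11 19:34:12,707 WARN  [ProcedureExecutorThread-0] unrelated line",
]

def parse_denial(line):
    """Return the fields of one denial line, or None if the line is not one."""
    m = DENY_RE.search(line.rstrip())
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def triage(lines, service_user="hbase"):
    """Group denials by (user, action, table) and attach a next-step hint."""
    denials = [d for d in map(parse_denial, lines) if d]
    counts = Counter((d["user"], d["action"], d["table"]) for d in denials)
    findings = []
    for (user, action, table), n in sorted(counts.items()):
        system = table.startswith(SYSTEM_NAMESPACE)
        if system and user != service_user:
            hint = (f"system table touched as '{user}', not '{service_user}': "
                    "check which account starts the HBase daemons")
        elif system:
            hint = f"no policy grants '{user}' {action} on system tables"
        else:
            hint = f"user '{user}' lacks {action} on {table}"
        findings.append((user, action, table, n, hint))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep=" | ")
```
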