Kevin Odell created HBASE-7860:
----------------------------------
Summary: HBase authorization is reliant on Kerberos
Key: HBASE-7860
URL: https://issues.apache.org/jira/browse/HBASE-7860
Project: HBase
Issue Type: Bug
Components: security
Affects Versions: 0.94.4
Reporter: Kevin Odell
We are currently unable to use ACLs without having Kerberos setup. That is a
pain for testing and environments that have other authentication methods that
are not Kerberos-centric.
safety valve:
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
[root@cdh4-oozie-1 ~]# hbase shell
hbase(main):001:0> create 't1', 'cf1'
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions for user 'null' (global, action=CREATE)
at
org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
at
org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
at
org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at
org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
at
org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
[root@cdh4-oozie-1 ~]# su hbase
bash-4.1$ hbase shell
hbase(main):001:0> create 't1', 'cf1'
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions for user 'null' (global, action=CREATE)
at
org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
at
org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
at
org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at
org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
at
org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
It looks like we are relying on Kerberos to tell us who the user is, but since
we are not using authentication, we are just passing NULL. We should be able
to just rely on the local fs account.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
