[ https://issues.apache.org/jira/browse/HBASE-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13579634#comment-13579634 ]
Gary Helmling commented on HBASE-7860:
--------------------------------------
Hi Kevin,
Make sure that configuration is present on both the client and server side (and
restart the servers if they were previously running without it). The error you
posted looks like a client/server mismatch.
Also, for reference, you can look at the
{{org.apache.hadoop.hbase.security.access.TestAccessController}} source code.
It sets up an in-JVM mini cluster for testing authorization with
SecureRpcEngine, but with only simple auth (no Kerberos).
> HBase authorization is reliant on Kerberos
> ------------------------------------------
>
> Key: HBASE-7860
> URL: https://issues.apache.org/jira/browse/HBASE-7860
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.4
> Reporter: Kevin Odell
>
> We are currently unable to use ACLs without having Kerberos set up. That is a
> pain for testing and environments that have other authentication methods that
> are not Kerberos-centric.
> safety valve:
> <property>
> <name>hbase.security.authorization</name>
> <value>true</value>
> </property>
> <property>
> <name>hbase.coprocessor.master.classes</name>
> <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
> <name>hbase.coprocessor.region.classes</name>
> <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> [root@cdh4-oozie-1 ~]# hbase shell
> hbase(main):001:0> create 't1', 'cf1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'null' (global, action=CREATE)
> at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
> at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
> at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
> at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
> at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
> [root@cdh4-oozie-1 ~]# su hbase
> bash-4.1$ hbase shell
> hbase(main):001:0> create 't1', 'cf1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'null' (global, action=CREATE)
> at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
> at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
> at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
> at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
> at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
> It looks like we are relying on Kerberos to tell us who the user is, but
> since we are not using authentication, we are just passing NULL. We should
> be able to just rely on the local fs account.