[jira] [Commented] (HBASE-7860) HBase authorization is reliant on Kerberos

Tue, 19 Feb 2013 08:49:13 -0800 

    [ 
https://issues.apache.org/jira/browse/HBASE-7860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13581434#comment-13581434
 ] 

Gary Helmling commented on HBASE-7860:
--------------------------------------

Looks like this configuration was part of the security documentation, but was 
removed by HBASE-6027, to reflect the combination of SecureRpcEngine and 
WritableRpcEngine into ProtobufRpcEngine in trunk.

I think this is really an issue with having the generated ref guide on 
hbase.apache.org being built from trunk, when everyone using it is likely to be 
running 0.94 or earlier.  Have we looked into linking out to the documentation 
for each release separately, like Hadoop and some other projects do?  Would 
that be easier to do now that our site is converted over the the CMS stuff?
                
> HBase authorization is reliant on Kerberos
> ------------------------------------------
>
>                 Key: HBASE-7860
>                 URL: https://issues.apache.org/jira/browse/HBASE-7860
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.4
>            Reporter: Kevin Odell
>
> We are currently unable to use ACLs without having Kerberos setup.  That is a 
> pain for testing and environments that have other authentication methods that 
> are not Kerberos-centric.
> safety valve:
> <property>
>      <name>hbase.security.authorization</name>
>      <value>true</value>
> </property>
> <property>
>      <name>hbase.coprocessor.master.classes</name>
>      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>      <name>hbase.coprocessor.region.classes</name>
>      
> <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> [root@cdh4-oozie-1 ~]# hbase shell
> hbase(main):001:0> create 't1', 'cf1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: 
> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
> permissions for user 'null' (global, action=CREATE)
>       at 
> org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
>       at 
> org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
>       at 
> org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
>       at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>       at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>       at java.lang.reflect.Method.invoke(Method.java:597)
>       at 
> org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
>       at 
> org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
> [root@cdh4-oozie-1 ~]# su hbase
> bash-4.1$ hbase shell
> hbase(main):001:0> create 't1', 'cf1'
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: 
> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
> permissions for user 'null' (global, action=CREATE)
>       at 
> org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:402)
>       at 
> org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:525)
>       at 
> org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:89)
>       at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1056)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>       at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>       at java.lang.reflect.Method.invoke(Method.java:597)
>       at 
> org.apache.hadoop.hbase.ipc.WritableRpcEngine$Server.call(WritableRpcEngine.java:364)
>       at 
> org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1345)
> It looks like we are relying on Kerberos to tell us who the user is, but 
> since we are not using authentication, we are just passing NULL.  We should 
> be able to just rely on the local fs account.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to