Re: Trying to create hbase tables after enabling Kerberos with Ambari

[Robert Levas]

Hi Roberta…

It seems like you need an auth-to-local run set up to translate 
trafodion-robertaclus...@trafkdc.com to trafodion.

To can do this by editing the hadoop.security.auth_to_local property under 
HDFS->Configs->Advanced->Advanced core-site.

Adding the following rule should do the trick:

RULE:[1:$1@$0](.*-robertaclus...@trafkdc.com)s/-robertaCluster@.*//

You will need to add this rule to the ruleset before/above less general rules 
like

RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//

After adding this rule, save the config and restart the recommended services.

I hope this helps,

Rob



From: Roberta Marton <roberta.mar...@esgyn.com<mailto:roberta.mar...@esgyn.com>>
Reply-To: "user@ambari.apache.org<mailto:user@ambari.apache.org>" 
<user@ambari.apache.org<mailto:user@ambari.apache.org>>
Date: Monday, March 21, 2016 at 2:08 PM
To: "user@ambari.apache.org<mailto:user@ambari.apache.org>" 
<user@ambari.apache.org<mailto:user@ambari.apache.org>>
Subject: Trying to create hbase tables after enabling Kerberos with Ambari

I am trying to install Kerberos on top of my Hortonworks installation.  I have 
tried this with both versions 2.2 and 2.3 and get similar results.
After I enable Kerberos, I create a Linux user called trafodion and grant this 
user all HBase permissions.
I connect as trafodion but get permission errors when I try to create a table.

Details:

[trafodion@myhost ~]$ whoami
trafodion

[trafodion@myhost ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: 
trafodion-robertaclus...@trafkdc.com<mailto:trafodion-robertaclus...@trafkdc.com>

Valid starting     Expires            Service principal
03/21/16 16:39:33  03/22/16 16:39:33  
krbtgt/trafkdc....@trafkdc.com<mailto:krbtgt/trafkdc....@trafkdc.com>
        renew until 03/21/16 16:39:33

hbase shell

hbase(main):002:0> whoami
trafodion-robertaclus...@trafkdc.com<mailto:trafodion-robertaclus...@trafkdc.com>(auth:KERBEROS)OIw
2016-03-21 17:06:22,925 WARN  [main] security.UserGroupInformation: No groups 
available for user trafodion-robertaCluster

hbase(main):003:0> user_permission
User                            Table,Family,Qualifier:Permission
trafodion                      hbase:acl,,: [Permission: 
actions=READ,WRITE,EXEC,CREATE,ADMIN]
ambari-qa                      hbase:acl,,: [Permission: 
actions=READ,WRITE,EXEC,CREATE,ADMIN]
2 row(s) in 1.7630 seconds

hbase(main):004:0> create 't1', 'f1', 'f2'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
permissions for user 'trafodion-robertaCluster' (global, action=CREATE)

I am able to perform ‘user_permission’ but not ‘create’

Any suggestion on how to proceed?

    Roberta