Additionally, it seems like the hbase.superuser ACL can only take a single username, even if you don't include any groups. All usernames beyond the first will be ignored.
On Mon, Feb 24, 2014 at 4:12 PM, Alex Nastetsky <[email protected]> wrote:
> My understanding of the hbase.superuser ACL is that members of a user
> group specified here (prefixed with @) will have full rights on HBase.
> However, it seems that the ADMIN right is missing.
>
> Below, I have an example of using HBase as user "anastetsky" who belongs
> to a group specified in hbase.superuser. No explicit permissions have been
> granted to any user. I attempt to grant myself permissions (an ADMIN
> action), which fails. I then create a table "foo" to show that I still have
> "create" rights, because I belong to a superuser group. Members of the
> group can also "write" and "read", but not "admin".
>
> ---
>
> hbase(main):001:0> user_permission
> User
> Table,Family,Qualifier:Permission
> SLF4J: Class path contains multiple SLF4J bindings.
> SLF4J: Found binding in
> [jar:file:/usr/lib/hadoop/lib/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: Found binding in
> [jar:file:/usr/lib/zookeeper/lib/slf4j-log4j12-1.6.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an
> explanation.
> 0 row(s) in 4.3950 seconds
>
> hbase(main):002:0> grant 'anastetsky','RWC'
>
> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
> Insufficient permissions ([email protected], scope=GLOBAL,
> family=, action=ADMIN)
> at
> org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:356)
> at
> org.apache.hadoop.hbase.security.access.AccessController.grant(AccessController.java:1272)
> at
> org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService$1.grant(AccessControlProtos.java:9933)
> at
> org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos$AccessControlService.callMethod(AccessControlProtos.java:10097)
> at
> org.apache.hadoop.hbase.regionserver.HRegion.execService(HRegion.java:5102)
> at
> org.apache.hadoop.hbase.regionserver.HRegionServer.execService(HRegionServer.java:3198)
> at
> org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:26933)
> at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2175)
> at
> org.apache.hadoop.hbase.ipc.RpcServer$Handler.run(RpcServer.java:1879)
>
> Here is some help for this command:
> Grant users specific rights.
> Syntax : grant <user> <permissions> [<table> [<column family> [<column
> qualifier>]]
>
> permissions is either zero or more letters from the set "RWXCA".
> READ('R'), WRITE('W'), EXEC('X'), CREATE('C'), ADMIN('A')
>
> For example:
>
> hbase> grant 'bobsmith', 'RWXCA'
> hbase> grant 'bobsmith', 'RW', 't1', 'f1', 'col1'
>
>
> hbase(main):003:0> create 'foo','bar'
> 0 row(s) in 1.0650 seconds
>
>
> Thanks in advance,
> Alex.
