Hi, Ted,
Thank you for you reply. I`m using hbase-0.94.2-cdh4.2.0.
I have two HMasters for HA. Once the active HMaster restart or
failover, my user will lose its permission to create new table. It seems
that, by the shell command "grant 'username','RWCXA' ", users get only some
kind of "temporary permission" for "C" and "A" in global scope.
I know if the user is set as "hbase.superuser" in hbase-site.xml. it
will get a permanent permission in global scope. But what I want is just to
give a user the permission to create a new table, so I just use '"grant
'user', 'RWC'" to do this. It is really strange that user lose its create
permission after the active HMaster restart.
btw, this is a part of my hbase-site.xml:
<property>
<name>hbase.security.authentication</name>
<value>simple</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
<name>hbase.rpc.engine</name>
<value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
2014-07-03 0:07 GMT+08:00 Ted Yu <[email protected]>:
> What specific hbase release are you using ?
> Was there only one HMaster before the restart ?
>
> Cheers
>
>
> On Tue, Jul 1, 2014 at 10:57 PM, Weichen YE <[email protected]>
> wrote:
>
> > Hi, all,
> >
> > I have been using HBase 0.94 . Now I use the following hbase shell
> command
> > to give the user "Tom" the create and admin permission in global scope:
> >
> > hbase(main):001:0> grant 'Tom','RWCXA'
> >
> > After that, the user 'Tom' have the permission to create new table, we
> > create a new table 'Tom-Table'. now in "_acl_" table we can see the
> > following two rows
> >
> > ROW COLUMN+CELL
> >
> >
> > Tom-Table column=l:Tom,
> timestamp=1404279643504,
> > value=RWXCA
> >
> > _acl_ column=l:Tom,
> > timestamp=1404279584901, value=RWCXA
> >
> > Now the problem is, after I restart the HMaster, the user 'Tom' lose the
> > ability to create a new table. The error log shows:"ERROR:
> > org.apache.hadoop.hbase.security.AccessDeniedException:
> > org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
> > permissions for user 'Tom' (global, action=CREATE)"
> >
> > So, it seems that user "Tom" can not keep the create permission in global
> > scope after HMaster restarted. Anyone knows how to fix this? Or is there
> > another way to give a user permanent create permission in global scope?
> >
>
