Have you read http://hbase.apache.org/book.html#d3314e6312 ?

For secure hbase deployments I worked with, kerberos has been the norm.
Secure hbase experts may have some insight.

Cheers

On Wed, Jul 2, 2014 at 6:47 PM, Weichen YE <[email protected]> wrote:

> Hi, Ted,
>
> Thank you for your reply. I'm using hbase-0.94.2-cdh4.2.0.
> I have two HMasters for HA. Once the active HMaster restarts or
> fails over, my user will lose its permission to create new tables. It seems
> that, by the shell command "grant 'username','RWCXA' ", users get only some
> kind of "temporary permission" for "C" and "A" in global scope.
> I know if the user is set as "hbase.superuser" in hbase-site.xml, it
> will get a permanent permission in global scope. But what I want is just to
> give a user the permission to create a new table, so I just use
> "grant 'user', 'RWC'" to do this. It is really strange that the user loses its
> create permission after the active HMaster restarts.
>
> btw, this is a part of my hbase-site.xml:
>
> <property>
>   <name>hbase.security.authentication</name>
>   <value>simple</value>
> </property>
> <property>
>   <name>hbase.security.authorization</name>
>   <value>true</value>
> </property>
> <property>
>   <name>hbase.coprocessor.master.classes</name>
>   <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>   <name>hbase.coprocessor.region.classes</name>
>   <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>   <name>hbase.rpc.engine</name>
>   <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
> </property>
>
> 2014-07-03 0:07 GMT+08:00 Ted Yu <[email protected]>:
>
> > What specific hbase release are you using ?
> > Was there only one HMaster before the restart ?
> >
> > Cheers
> >
> > On Tue, Jul 1, 2014 at 10:57 PM, Weichen YE <[email protected]> wrote:
> >
> > > Hi, all,
> > >
> > > I have been using HBase 0.94. Now I use the following hbase shell
> > > command to give the user "Tom" the create and admin permission in
> > > global scope:
> > >
> > > hbase(main):001:0> grant 'Tom','RWCXA'
> > >
> > > After that, the user 'Tom' has the permission to create a new table, and
> > > we create a new table 'Tom-Table'. Now in the "_acl_" table we can see
> > > the following two rows:
> > >
> > > ROW          COLUMN+CELL
> > > Tom-Table    column=l:Tom, timestamp=1404279643504, value=RWXCA
> > > _acl_        column=l:Tom, timestamp=1404279584901, value=RWCXA
> > >
> > > Now the problem is, after I restart the HMaster, the user 'Tom' loses
> > > the ability to create a new table. The error log shows:
> > >
> > > "ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'Tom' (global, action=CREATE)"
> > >
> > > So, it seems that user "Tom" cannot keep the create permission in
> > > global scope after the HMaster is restarted. Does anyone know how to fix
> > > this? Or is there another way to give a user permanent create
> > > permission in global scope?
