bq. cluster enabled for secure HBase with kerberos

I assume your hdfs cluster has also been kerberized.

Please pastebin the complete hbase-site.xml

Please turn on DEBUG logging and pastebin the region server log which hosts visibilityTest

BTW if possible, can you deploy 1.1.2 ?

Cheers

On Mon, Oct 12, 2015 at 1:14 PM, Suresh Subbiah <[email protected]> wrote:

> Hi Ted,
>
> I understand that using VisibilityController on an unsecure cluster is of
> limited value. I am still in the early stages of my task. I am logged in as
> HBase super user and was simply checking if rows could be accessed.
>
> With my colleague's help we did get the cluster enabled for secure HBase
> with kerberos. I repeated the test to get the same result. Our cluster is
> on 1.0. Do you think I may be doing something incorrectly? What information
> can I send to help ensure that I have not made a mistake.
>
> Thanks
> Suresh
>
> hbase shell
> 15/10/12 14:35:09 INFO Configuration.deprecation: hadoop.native.lib is deprecated. Instead, use io.native.lib.available
> HBase Shell; enter 'help<RETURN>' for list of supported commands.
> Type "exit<RETURN>" to leave the HBase Shell
> Version 1.0.0-cdh5.4.4, rUnknown, Mon Jul 6 16:59:55 PDT 2015
>
> hbase(main):001:0> create 'visibilityTest', 'f1'
> 0 row(s) in 0.7780 seconds
>
> => Hbase::Table - visibilityTest
> hbase(main):002:0> put 'visibilityTest', 'r1', 'f1:c1', 'value1'
> 0 row(s) in 0.1300 seconds
>
> hbase(main):003:0> deleteall 'visibilityTest', 'r1'
> 0 row(s) in 0.0330 seconds
>
> hbase(main):004:0> put 'visibilityTest', 'r1', 'f1:c1', 'value2'
> 0 row(s) in 0.0150 seconds
>
> hbase(main):005:0> scan 'visibilityTest'
> ROW    COLUMN+CELL
> 0 row(s) in 0.0550 seconds
>
> hbase(main):006:0> scan 'visibilityTest', {RAW=>TRUE}
> ROW    COLUMN+CELL
>  r1    column=f1:, timestamp=1444660561138, type=DeleteFamily
>  r1    column=f1:c1, timestamp=1444660576868, value=value2
> 1 row(s) in 0.0370 seconds
>
> -----------------------------------------------------
> <property>
>   <name>hbase.coprocessor.master.classes</name>
>   <value>org.apache.hadoop.hbase.security.visibility.VisibilityController,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
>
> <property>
>   <name>hbase.coprocessor.region.classes</name>
>   <value>org.apache.hadoop.hbase.security.visibility.VisibilityController,org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
>
> --------------------------------------------------------
>
> On Sat, Oct 10, 2015 at 9:51 PM, Ted Yu <[email protected]> wrote:
>
> > To my understanding, VisibilityController is used in a secure cluster.
> > Without security, how do you enforce that only select user(s) can access
> > certain cells ?
> >
> > Please see the following sections in refguide:
> >
> > http://hbase.apache.org/book.html#hbase.secure.configuration
> >
> > http://hbase.apache.org/book.html#_server_side_configuration_for_simple_user_access_operation
> >
> > On Sat, Oct 10, 2015 at 7:40 PM, Suresh Subbiah <[email protected]> wrote:
> >
> > > Hi Ted,
> > >
> > > Thank you for your response.
> > > I found a machine with HBase 1.0.0 and tried the script with all 6 coprocs
> > > you listed (2 in master, and 4 in RS). I still do not see the row after the
> > > second scan.
> > >
> > > However my cluster is not secure enabled I think. Is that necessary? I am
> > > not sure how to do that, though I can ask other members of my team and try
> > > it if that will help.
> > >
> > > It will be ideal if we could get this to work on a 1.0 based version.
> > > Moving to 1.1 will take more time since we have some dependencies.
> > >
> > > Thank you
> > > Suresh
> > >
> > > 15/10/10 19:20:44 INFO Configuration.deprecation: hadoop.native.lib is deprecated. Instead, use io.native.lib.available
> > > HBase Shell; enter 'help<RETURN>' for list of supported commands.
> > > Type "exit<RETURN>" to leave the HBase Shell
> > > Version 1.0.0-cdh5.4.4, rUnknown, Mon Jul 6 16:59:55 PDT 2015
> > >
> > > *hbase(main):001:0> create 'visibilityTest', 'f1' *
> > > *0 row(s) in 0.5460 seconds*
> > >
> > > *=> Hbase::Table - visibilityTest*
> > > *hbase(main):002:0> put 'visibilityTest', 'r1', 'f1:c1', 'value1' *
> > > *0 row(s) in 0.0670 seconds*
> > >
> > > *hbase(main):003:0> deleteall 'visibilityTest', 'r1' *
> > > *0 row(s) in 0.0090 seconds*
> > >
> > > *hbase(main):004:0> put 'visibilityTest', 'r1', 'f1:c1', 'value2'*
> > > *0 row(s) in 0.0040 seconds*
> > >
> > > *hbase(main):005:0> scan 'visibilityTest'*
> > > *ROW    COLUMN+CELL*
> > > *0 row(s) in 0.0160 seconds*
> > >
> > > *hbase(main):006:0> scan 'visibilityTest', {RAW=>TRUE}*
> > > *ROW    COLUMN+CELL*
> > > * r1    column=f1:, timestamp=1444530064056, type=DeleteFamily *
> > > * r1    column=f1:c1, timestamp=1444530064084, value=value2 *
> > > *1 row(s) in 0.0580 seconds*
> > >
> > > *hbase(main):007:0> exit*
> > >
> > > On Sat, Oct 10, 2015 at 7:26 PM, Ted Yu <[email protected]> wrote:
> > >
> > > > I tried the sequence of commands from your example on a secure 1.1.2
> > > > cluster with the following config:
> > > >
> > > > <property>
> > > >   <name>hbase.coprocessor.master.classes</name>
> > > >   <value>org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
> > > > </property>
> > > > <property>
> > > >   <name>hbase.coprocessor.region.classes</name>
> > > >   <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
> > > > </property>
> > > >
> > > > I got:
> > > >
> > > > hbase(main):005:0> scan 'visibilityTest'
> > > > ROW    COLUMN+CELL
> > > >  r1    column=f1:c1, timestamp=1444522994981, value=value2
> > > > 1 row(s) in 0.1020 seconds
> > > >
> > > > Can you try again with 0.98.15 release whose vote passed Friday to see if
> > > > what you observed can be reproduced ?
> > > >
> > > > Cheers
> > > >
> > > > On Sat, Oct 10, 2015 at 3:58 PM, Suresh Subbiah <[email protected]> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > When I run the following script from hbase shell the last scan returns no
> > > > > rows
> > > > >
> > > > > create 'visibilityTest', 'f1'
> > > > > put 'visibilityTest', 'r1', 'f1:c1', 'value1'
> > > > > deleteall 'visibilityTest', 'r1'
> > > > > put 'visibilityTest', 'r1', 'f1:c1', 'value2'
> > > > > scan 'visibilityTest'
> > > > >
> > > > > *hbase(main):013:0> scan 'visibilityTest'*
> > > > > *ROW    COLUMN+CELL*
> > > > > *0 row(s) in 0.0100 seconds*
> > > > >
> > > > > However if I run
> > > > > scan 'visibilityTest' , {RAW=>TRUE}
> > > > >
> > > > > I see that the second row that I put is indeed there and has a timestamp
> > > > > value higher than the previous delete
> > > > >
> > > > > *hbase(main):014:0> scan 'visibilityTest', {RAW=>TRUE}*
> > > > > *ROW    COLUMN+CELL*
> > > > > * r1    column=f1:, timestamp=1444516578296, type=DeleteFamily *
> > > > > * r1    column=f1:c1, timestamp=1444516647655, value=value2 *
> > > > > *1 row(s) in 0.0110 seconds*
> > > > >
> > > > > This is on hbase 0.98.6. Problem is seen only when hbase-site.xml has
> > > > > these lines. No other coprocessors were used during this test.
> > > > >
> > > > > <property>
> > > > >   <name>hbase.coprocessor.region.classes</name>
> > > > >   <value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
> > > > > </property>
> > > > > <property>
> > > > >   <name>hbase.coprocessor.master.classes</name>
> > > > >   <value>org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
> > > > > </property>
> > > > > <property>
> > > > >   <name>hfile.format.version</name>
> > > > >   <value>3</value>
> > > > > </property>
> > > > >
> > > > > Any suggestions of what I may be doing incorrectly? Or is this a bug?
> > > > >
> > > > > Thank you
> > > > > Suresh

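The comparison made in the first report (a put whose timestamp is higher than the DeleteFamily marker should come back from a plain scan), written out as an added example that is not part of the thread or of HBase's own code. It parses RAW scan rows as quoted above and models only DeleteFamily masking; `parse_raw_scan`, `expected_visible` and `diagnose` are hypothetical helper names, and the sample rows are the ones from the first report.

```python
import re

# Constructed sample: the RAW scan rows quoted in the first report of the thread.
RAW_SCAN = """\
 r1  column=f1:, timestamp=1444516578296, type=DeleteFamily
 r1  column=f1:c1, timestamp=1444516647655, value=value2
"""

CELL = re.compile(
    r"^\s*(?P<row>\S+)\s+column=(?P<fam>[^:,]+):(?P<qual>[^,]*),\s*"
    r"timestamp=(?P<ts>\d+),\s*(?:type=(?P<type>\w+)|value=(?P<value>.*))$"
)

def parse_raw_scan(text):
    """Parse the rows of `scan ..., {RAW=>TRUE}` output; other lines are skipped."""
    cells = []
    for line in text.splitlines():
        m = CELL.match(line.strip().strip("*").strip())
        if m:
            cells.append({**m.groupdict(), "ts": int(m.group("ts"))})
    return cells

def expected_visible(cells):
    """Cells a plain scan should return if only DeleteFamily masking applies.

    A DeleteFamily marker hides cells of that row and family whose timestamp
    is <= the marker's. Other marker types, VERSIONS and TTL are not modelled.
    """
    newest_marker = {}
    for c in cells:
        if c["type"] == "DeleteFamily":
            key = (c["row"], c["fam"])
            newest_marker[key] = max(newest_marker.get(key, -1), c["ts"])
    return [
        (c["row"], f'{c["fam"]}:{c["qual"]}', c["value"])
        for c in cells
        if c["type"] is None and c["ts"] > newest_marker.get((c["row"], c["fam"]), -1)
    ]

def diagnose(raw_text, observed_rows):
    """Compare the prediction with the row count the plain scan reported."""
    expected = {row for row, _, _ in expected_visible(parse_raw_scan(raw_text))}
    if len(expected) == observed_rows:
        return "consistent"
    return f"mismatch: expected {len(expected)} row(s), scan returned {observed_rows}"

if __name__ == "__main__":
    print(diagnose(RAW_SCAN, observed_rows=0))
```

A mismatch here means the missing row is not explained by the delete marker, which is the point at which the coprocessor configuration and the region server DEBUG log become the things to look at.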