Hi Bosco! therse are plugins audits. it seems that hbase master and region server are being sync correctly.
Export Date ( Pakistan Standard Time )Service NamePlugin IdPlugin IPHttp Response CodeStatus10/12/2015 12:19:17 AMhadoopdev [email protected] synced to plugin10/11/2015 11:36:15 PMhbasedev hbaseRegional@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies synced to plugin10/11/2015 11:36:07 PMhbasedev hbaseMaster@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies synced to plugin10/11/2015 11:35:12 PMhbasedev hbaseMaster@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies synced to plugin10/11/2015 11:34:12 PMhbasedev hbaseRegional@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies synced to plugin On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <[email protected]> wrote: > Ok, this is good. It is getting denied at the HDFS level. > > From the HDFS service in Ranger Admin, create a new policy for /hbase > (recursive) and give all permission to user “hbase”. > > Let me know how it goes. > > BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You > can check the Audit->Plugins to see whether both Hbase Master and > RegionServers are connecting and also in the Audit->Access, filter by > service type “Hbase”. > > Thanks > > Bosco > > > From: Aneela Saleem > Reply-To: <[email protected]> > Date: Sunday, October 11, 2015 at 12:32 PM > > To: <[email protected]> > Subject: Re: Issue while enabling hbase plugin > > Hi Bosco! > > Audits show that it denying hbase user for writing into hadoop. audits are > as follow > > ServicePolicy IDEvent TimeUserName / TypeResource NameAccess TypeResultAccess > EnforcerClient IPEvent Count--10/11/2015 11:11:26 PMhbase > hadoopdev > hdfs > /READ_EXECUTEAllowedhadoop-acl127.0.0.11--10/11/2015 11:05:11 PMhbase > hadoopdev > hdfs > /hbase/.tmpWRITEDeniedhadoop-acl127.0.0.11--10/11/2015 11:05:11 PMhbase > hadoopdev > hdfs > /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001READAllowed > hadoop-acl127.0.0.11--10/11/2015 11:05:11 PMhbase > hadoopdev > hdfs > /hbase/data/hbase/meta/.tabledescREAD_EXECUTEAllowedhadoop-acl127.0.0.11--10/11/2015 > 11:05:11 PMhbase > hadoopdev > hdfs > /hbase/data/hbase/meta/.tabledescREAD_EXECUTEAllowedhadoop-acl127.0.0.11--10/11/2015 > 11:05:10 PMhbase > hadoopdev > hdfs > /hbase/hbase.idREADAllowedhadoop-acl127.0.0.11--10/11/2015 11:05:10 PM > hbase > hadoopdev > hdfs > /hbase/hbase.versionREADAllowedhadoop-acl127.0.0.11--10/11/2015 11:00:53 > PMhbase > hadoopdev > hdfs > /READ_EXECUTEAllowedhadoop-acl127.0.0.11--10/11/2015 11:00:40 PMhbase > hadoopdev > hdfs > /test1WRITEDeniedhadoop-acl127.0.0.11--10/11/2015 09:41:25 PMhbase > hadoopdev > hdfs > /hbase/.tmpWRITEDeniedhadoop-acl127.0.0.11 > > > > On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <[email protected]> > wrote: > >> Yes, you can run as root if you want to. In production it is a good >> practice to have separate users, so you can manage the access to the shell >> accordingly. Also, generally it is not recommended to run user applications >> at user “root”. A rogue application can cause unimaginable damage in your >> network. >> >> For your current problem, can you check the Ranger audits in the Ranger >> Admin page and see what is the user that is getting denied? >> >> Thanks >> >> Bosco >> >> >> From: Aneela Saleem >> Reply-To: <[email protected]> >> Date: Sunday, October 11, 2015 at 11:36 AM >> >> To: <[email protected]> >> Subject: Re: Issue while enabling hbase plugin >> >> Hi Bosco! >> >> Same issue after following your instruction. Is it possible to run all >> services using root user without conflicts? that will be easy to manage and >> understand at initial stage. >> >> Thanks >> >> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <[email protected]> >> wrote: >> >>> If you are using “root”, then you should provide the user “root” the >>> full permission. You can do that by going to the Hbase repo and pick the >>> default policy with “*,*,*” and add user “root” to it. >>> >>> Thanks >>> >>> Bosco >>> >>> >>> From: Aneela Saleem >>> Reply-To: <[email protected]> >>> Date: Sunday, October 11, 2015 at 11:18 AM >>> To: <[email protected]> >>> >>> Subject: Re: Issue while enabling hbase plugin >>> >>> Hi Ramesh! >>> >>> I started hbase services using hbase user but facing the same issue. >>> >>> >>> >>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <[email protected]> >>> wrote: >>> >>>> Zookeeper will be user “zookeeper” and hdfs service like namenode, >>>> secondary name will be hdfs, respective core components of hadoop will have >>>> it owner user who will be running the services. Refer the documentation in >>>> apache. >>>> >>>> From: Aneela Saleem <[email protected]> >>>> Reply-To: "[email protected]" < >>>> [email protected]> >>>> Date: Sunday, October 11, 2015 at 10:51 AM >>>> To: "[email protected]" < >>>> [email protected]> >>>> Subject: Re: Issue while enabling hbase plugin >>>> >>>> Thanks Ramesh. >>>> >>>> But what about other services like zookeeper, hadoop etc >>>> >>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <[email protected]> >>>> wrote: >>>> >>>>> Aneela, >>>>> >>>>> Are you starting the hbase master / region server as “root” user, it >>>>> should be “hbase” user who has the necessary permission to do so. So after >>>>> enabling ranger hbase plugin start the services as “hbase” user >>>>> >>>>> Regards, >>>>> Ramesh >>>>> >>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <[email protected]> >>>>> wrote: >>>>> >>>>> Hi! >>>>> >>>>> I am trying to enable hbase plugin but getting following exception >>>>> when i start hbase >>>>> >>>>> *2015-10-11 19:34:12,707 WARN [ProcedureExecutorThread-0] >>>>> procedure.CreateTableProcedure: Failed rollback attempt >>>>> step=CREATE_TABLE_ADD_TO_META table=hbase:namespace* >>>>> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: >>>>> Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: >>>>> Insufficient permissions for user ‘root',action: delete, >>>>> tableName:hbase:meta, family:info, column:* >>>>> * at >>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)* >>>>> * at >>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)* >>>>> * at >>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)* >>>>> * at >>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)* >>>>> * at >>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)* >>>>> * at >>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)* >>>>> * at >>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)* >>>>> >>>>> >>>>> >>>>> *Any suggestion for me?* >>>>> >>>>> *thanks* >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> CONFIDENTIALITY NOTICE >>>>> NOTICE: This message is intended for the use of the individual or >>>>> entity to which it is addressed and may contain information that is >>>>> confidential, privileged and exempt from disclosure under applicable law. >>>>> If the reader of this message is not the intended recipient, you are >>>>> hereby >>>>> notified that any printing, copying, dissemination, distribution, >>>>> disclosure or forwarding of this communication is strictly prohibited. If >>>>> you have received this communication in error, please contact the sender >>>>> immediately and delete it from your system. Thank You. >>>> >>>> >>>> >>> >> >
