This is also good. Did adding the policies in HDFS resolve your issue? Thanks
Bosco

From: Aneela Saleem
Reply-To: <[email protected]>
Date: Sunday, October 11, 2015 at 12:41 PM
To: <[email protected]>
Subject: Re: Issue while enabling hbase plugin

Hi Bosco!

These are the plugin audits. It seems that hbase master and region server are being synced correctly.

Export Date (Pakistan Standard Time) | Service Name | Plugin Id | Plugin IP | Http Response Code | Status
-------------------------------------|--------------|-----------|-----------|--------------------|-------
10/12/2015 12:19:17 AM | hadoopdev | hdfs@vmubuntu2-VirtualBox-hadoopdev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:36:15 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:36:07 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:35:12 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
10/11/2015 11:34:12 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin

On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <[email protected]> wrote:

Ok, this is good. It is getting denied at the HDFS level. From the HDFS service in Ranger Admin, create a new policy for /hbase (recursive) and give all permission to user “hbase”. Let me know how it goes.

BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You can check the Audit->Plugins to see whether both Hbase Master and RegionServers are connecting and also in the Audit->Access, filter by service type “Hbase”.

Thanks

Bosco

From: Aneela Saleem
Reply-To: <[email protected]>
Date: Sunday, October 11, 2015 at 12:32 PM
To: <[email protected]>
Subject: Re: Issue while enabling hbase plugin

Hi Bosco!

Audits show that it is denying hbase user for writing into hadoop.
Audits are as follows:

Policy ID | Event Time | User | Service (Name / Type) | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
----------|------------|------|-----------------------|---------------|-------------|--------|-----------------|-----------|------------
-- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:53 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
-- | 10/11/2015 09:41:25 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1

On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <[email protected]> wrote:

Yes, you can run as root if you want to. In production it is a good practice to have separate users, so you can manage the access to the shell accordingly. Also, generally it is not recommended to run user applications as user “root”. A rogue application can cause unimaginable damage in your network.

For your current problem, can you check the Ranger audits in the Ranger Admin page and see what is the user that is getting denied?

Thanks

Bosco

From: Aneela Saleem
Reply-To: <[email protected]>
Date: Sunday, October 11, 2015 at 11:36 AM
To: <[email protected]>
Subject: Re: Issue while enabling hbase plugin

Hi Bosco!

Same issue after following your instruction. Is it possible to run all services using root user without conflicts? That will be easy to manage and understand at initial stage.
Thanks

On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <[email protected]> wrote:

If you are using “root”, then you should provide the user “root” the full permission. You can do that by going to the Hbase repo and pick the default policy with “*,*,*” and add user “root” to it.

Thanks

Bosco

From: Aneela Saleem
Reply-To: <[email protected]>
Date: Sunday, October 11, 2015 at 11:18 AM
To: <[email protected]>
Subject: Re: Issue while enabling hbase plugin

Hi Ramesh!

I started hbase services using hbase user but facing the same issue.

On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <[email protected]> wrote:

Zookeeper will be user “zookeeper” and hdfs service like namenode, secondary name will be hdfs, respective core components of hadoop will have its owner user who will be running the services. Refer the documentation in apache.

From: Aneela Saleem <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Sunday, October 11, 2015 at 10:51 AM
To: "[email protected]" <[email protected]>
Subject: Re: Issue while enabling hbase plugin

Thanks Ramesh. But what about other services like zookeeper, hadoop etc?

On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <[email protected]> wrote:

Aneela,

Are you starting the hbase master / region server as “root” user? It should be “hbase” user who has the necessary permission to do so. So after enabling ranger hbase plugin start the services as “hbase” user.

Regards,
Ramesh

On Oct 11, 2015, at 7:40 AM, Aneela Saleem <[email protected]> wrote:

Hi!
I am trying to enable hbase plugin but getting following exception when I start hbase:

2015-10-11 19:34:12,707 WARN [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
    at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
    at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)

Any suggestion for me? Thanks
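
Added example, not part of the original thread or of Ranger's code: a small triage script that takes the denied HDFS audit events quoted above and checks which of them the suggested policy (/hbase, recursive, all permissions for user "hbase") would cover. The policy model, the pipe-delimited row format and all function names are assumptions made for illustration; the matching is a simplified stand-in for Ranger's own evaluator.

```python
from collections import namedtuple

Audit = namedtuple("Audit", "time user service resource access result")

# Constructed sample: rows taken from the HDFS access audit quoted in this thread,
# re-typed as pipe-delimited text (time|user|service|resource|access|result).
AUDIT_ROWS = """\
10/11/2015 11:11:26 PM|hbase|hadoopdev|/|READ_EXECUTE|Allowed
10/11/2015 11:05:11 PM|hbase|hadoopdev|/hbase/.tmp|WRITE|Denied
10/11/2015 11:05:10 PM|hbase|hadoopdev|/hbase/hbase.id|READ|Allowed
10/11/2015 11:00:40 PM|hbase|hadoopdev|/test1|WRITE|Denied
10/11/2015 09:41:25 PM|hbase|hadoopdev|/hbase/.tmp|WRITE|Denied
"""

# Simplified model of the policy suggested in the thread (an assumption for
# illustration, not Ranger's policy JSON schema).
POLICY = {"path": "/hbase", "recursive": True, "users": {"hbase"},
          "accesses": {"READ", "WRITE", "EXECUTE"}}

def parse(rows):
    return [Audit(*line.split("|")) for line in rows.splitlines() if line.strip()]

def path_matches(policy, resource):
    """Exact match, or a descendant when recursive; '/hbase' must not match '/hbase-old'."""
    base = policy["path"].rstrip("/") or "/"
    if resource == base:
        return True
    prefix = base if base.endswith("/") else base + "/"
    return policy["recursive"] and resource.startswith(prefix)

def covers(policy, user, resource, access):
    needed = set(access.split("_"))  # READ_EXECUTE -> {READ, EXECUTE}
    return (user in policy["users"] and needed <= policy["accesses"]
            and path_matches(policy, resource))

def triage(policy, events):
    """Split distinct denied (user, resource, access) tuples into covered / still denied."""
    denied = {(e.user, e.resource, e.access) for e in events if e.result == "Denied"}
    covered = sorted(d for d in denied if covers(policy, *d))
    return covered, sorted(denied - set(covered))

if __name__ == "__main__":
    covered, remaining = triage(POLICY, parse(AUDIT_ROWS))
    print("covered by policy:", covered)
    print("still denied:", remaining)
```

The WRITE to /test1 stays in the "still denied" list because it lies outside /hbase, so a least-privilege policy scoped to /hbase leaves that denial in place.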
