Hi! Issue is not solved by adding permissions to the user hbase.

On Mon, Oct 12, 2015 at 1:04 AM, Don Bosco Durai <[email protected]> wrote:
> For now, the sync tool just synchronizes with one of the sources. You
> should be able to add the unix users manually.
>
> Log in to Ranger Admin and then Settings -> Users/Groups -> Add New User.
>
> You can add the user you want to. You can give any random password. It is
> not used. Select “Role” as User.
>
> After this you should be able to use these users for giving permissions.
>
> Bosco
>
>
> From: Aneela Saleem
> Reply-To: <[email protected]>
> Date: Sunday, October 11, 2015 at 12:51 PM
> To: <[email protected]>
> Subject: Re: Issue while enabling hbase plugin
>
> Hi Bosco!
>
> One more thing: I am syncing users with ldap, not unix users. How can I
> apply permissions for unix users? Can we sync users from ldap and unix both
> at a time?
>
> On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <[email protected]>
> wrote:
>
>> Hi Bosco!
>> These are the plugin audits. It seems that hbase master and region server
>> are being synced correctly.
>>
>> Export Date (Pakistan Standard Time) | Service Name | Plugin Id | Plugin IP | Http Response Code | Status
>> 10/12/2015 12:19:17 AM | hadoopdev | [email protected] synced to plugin
>> 10/11/2015 11:36:15 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>> 10/11/2015 11:36:07 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>> 10/11/2015 11:35:12 PM | hbasedev | hbaseMaster@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>> 10/11/2015 11:34:12 PM | hbasedev | hbaseRegional@vmubuntu2-VirtualBox-hbasedev | 192.168.23.126 | 200 | Policies synced to plugin
>>
>> On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <[email protected]>
>> wrote:
>>
>>> Ok, this is good. It is getting denied at the HDFS level.
>>>
>>> From the HDFS service in Ranger Admin, create a new policy for /hbase
>>> (recursive) and give all permission to user “hbase”.
>>>
>>> Let me know how it goes.
>>>
>>> BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You
>>> can check the Audit->Plugins to see whether both Hbase Master and
>>> RegionServers are connecting and also in the Audit->Access, filter by
>>> service type “Hbase”.
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>>
>>> From: Aneela Saleem
>>> Reply-To: <[email protected]>
>>> Date: Sunday, October 11, 2015 at 12:32 PM
>>> To: <[email protected]>
>>> Subject: Re: Issue while enabling hbase plugin
>>>
>>> Hi Bosco!
>>>
>>> Audits show that it is denying the hbase user for writing into hadoop.
>>> Audits are as follows:
>>>
>>> Policy ID | Event Time | User | Service (Name / Type) | Resource Name | Access Type | Result | Access Enforcer | Client IP | Event Count
>>> -- | 10/11/2015 11:11:26 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:11 PM | hbase | hadoopdev / hdfs | /hbase/data/hbase/meta/.tabledesc | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.id | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:05:10 PM | hbase | hadoopdev / hdfs | /hbase/hbase.version | READ | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:00:53 PM | hbase | hadoopdev / hdfs | / | READ_EXECUTE | Allowed | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 11:00:40 PM | hbase | hadoopdev / hdfs | /test1 | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>>> -- | 10/11/2015 09:41:25 PM | hbase | hadoopdev / hdfs | /hbase/.tmp | WRITE | Denied | hadoop-acl | 127.0.0.1 | 1
>>>
>>> On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <[email protected]>
>>> wrote:
>>>
>>>> Yes, you can run as root if you want to. In production it is a good
>>>> practice to have separate users, so you can manage the access to the shell
>>>> accordingly. Also, generally it is not recommended to run user applications
>>>> as user “root”. A rogue application can cause unimaginable damage in your
>>>> network.
>>>>
>>>> For your current problem, can you check the Ranger audits in the Ranger
>>>> Admin page and see what is the user that is getting denied?
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>>
>>>> From: Aneela Saleem
>>>> Reply-To: <[email protected]>
>>>> Date: Sunday, October 11, 2015 at 11:36 AM
>>>> To: <[email protected]>
>>>> Subject: Re: Issue while enabling hbase plugin
>>>>
>>>> Hi Bosco!
>>>>
>>>> Same issue after following your instruction. Is it possible to run all
>>>> services using root user without conflicts? That will be easy to manage and
>>>> understand at initial stage.
>>>>
>>>> Thanks
>>>>
>>>> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <[email protected]>
>>>> wrote:
>>>>
>>>>> If you are using “root”, then you should provide the user “root” the
>>>>> full permission. You can do that by going to the Hbase repo and pick the
>>>>> default policy with “*,*,*” and add user “root” to it.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Bosco
>>>>>
>>>>>
>>>>> From: Aneela Saleem
>>>>> Reply-To: <[email protected]>
>>>>> Date: Sunday, October 11, 2015 at 11:18 AM
>>>>> To: <[email protected]>
>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>
>>>>> Hi Ramesh!
>>>>>
>>>>> I started hbase services using hbase user but facing the same issue.
>>>>>
>>>>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Zookeeper will be user “zookeeper” and hdfs service like namenode,
>>>>>> secondary name will be hdfs, respective core components of hadoop will
>>>>>> have its owner user who will be running the services. Refer to the
>>>>>> documentation in apache.
>>>>>>
>>>>>> From: Aneela Saleem <[email protected]>
>>>>>> Reply-To: "[email protected]" <[email protected]>
>>>>>> Date: Sunday, October 11, 2015 at 10:51 AM
>>>>>> To: "[email protected]" <[email protected]>
>>>>>> Subject: Re: Issue while enabling hbase plugin
>>>>>>
>>>>>> Thanks Ramesh.
>>>>>>
>>>>>> But what about other services like zookeeper, hadoop etc.?
>>>>>>
>>>>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Aneela,
>>>>>>>
>>>>>>> Are you starting the hbase master / region server as “root” user?
>>>>>>> It should be “hbase” user who has the necessary permission to do so. So
>>>>>>> after enabling ranger hbase plugin start the services as “hbase” user.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Ramesh
>>>>>>>
>>>>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi!
>>>>>>>
>>>>>>> I am trying to enable hbase plugin but getting following exception
>>>>>>> when I start hbase
>>>>>>>
>>>>>>> 2015-10-11 19:34:12,707 WARN [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace
>>>>>>> org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column:
>>>>>>>     at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)
>>>>>>>     at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)
>>>>>>>     at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)
>>>>>>>     at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)
>>>>>>>     at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)
>>>>>>>     at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)
>>>>>>>     at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)
>>>>>>>
>>>>>>> Any suggestion for me?
>>>>>>>
>>>>>>> thanks
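
Added example, not part of the thread or of Ranger itself: a small triage of the access-audit rows quoted above, grouping the denied requests and checking each against the proposed /hbase (recursive) policy path. The pipe-separated row layout, the function names and the simplified prefix match are assumptions made for this illustration; Ranger's own resource matching also supports wildcards.

```python
from collections import Counter
from posixpath import normpath

# Constructed sample: a few rows from the access audit quoted in the thread,
# as policy_id|event_time|user|service|resource|access|result|enforcer.
AUDIT = """\
--|10/11/2015 11:11:26 PM|hbase|hadoopdev|/|READ_EXECUTE|Allowed|hadoop-acl
--|10/11/2015 11:05:11 PM|hbase|hadoopdev|/hbase/.tmp|WRITE|Denied|hadoop-acl
--|10/11/2015 11:05:10 PM|hbase|hadoopdev|/hbase/hbase.id|READ|Allowed|hadoop-acl
--|10/11/2015 11:00:40 PM|hbase|hadoopdev|/test1|WRITE|Denied|hadoop-acl
--|10/11/2015 09:41:25 PM|hbase|hadoopdev|/hbase/.tmp|WRITE|Denied|hadoop-acl
"""
FIELDS = ("policy_id", "time", "user", "service",
          "resource", "access", "result", "enforcer")


def parse(text):
    """Turn pipe-separated audit rows into dicts, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows


def covered(resource, policy_path, recursive=True):
    """Simplified match: exact path, or a descendant when recursive."""
    res, pol = normpath(resource), normpath(policy_path)
    if res == pol:
        return True
    return recursive and res.startswith(pol.rstrip("/") + "/")


def triage(rows, policy_path):
    """Group denied requests and test them against a proposed policy path."""
    denies = Counter((r["user"], r["resource"], r["access"], r["policy_id"])
                     for r in rows if r["result"] == "Denied")
    return [{"user": u, "resource": res, "access": acc, "count": n,
             "ranger_policy_matched": pid not in ("", "--"),
             "covered_by_proposed": covered(res, policy_path)}
            for (u, res, acc, pid), n in sorted(denies.items())]


if __name__ == "__main__":
    for item in triage(parse(AUDIT), "/hbase"):
        print(item)
```

On these rows the WRITE denials on /hbase/.tmp fall under a recursive /hbase policy, while the denial on /test1 does not; every denial carries Policy ID "--", so none of them was attributed to a Ranger policy.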
