Can you try setting up hbase.superuser param in the hbase-site.xml to root and retry the hbase startup ?
Thanks, Selva- Sent from Outlook<http://aka.ms/Ox5hz3> On Sun, Oct 11, 2015 at 1:23 PM -0700, "Aneela Saleem" <[email protected]<mailto:[email protected]>> wrote: Hi! Issue is not solved by adding permissions to the user hbase. On Mon, Oct 12, 2015 at 1:04 AM, Don Bosco Durai <[email protected]<mailto:[email protected]>> wrote: For now, the sync tool just synchronizes with one of the source. You should be able to add the unix users manually. Log in to Ranger Admin and then Settings -> Users/Groups -> Add New User. You can add the user you want to. You can give any random password. It is not used. Select “Role” as User. After this you should be able to use these users for giving permissions. Bosco From: Aneela Saleem Reply-To: <[email protected]<mailto:[email protected]>> Date: Sunday, October 11, 2015 at 12:51 PM To: <[email protected]<mailto:[email protected]>> Subject: Re: Issue while enabling hbase plugin Hi Bosco! One more thing i am syncing users with ldap, not unix users. How can i apply permissions for unix users? can we sync users from ldap and unix both at a time? On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <[email protected]<mailto:[email protected]>> wrote: Hi Bosco! therse are plugins audits. it seems that hbase master and region server are being sync correctly. Export Date ( Pakistan Standard Time ) Service Name Plugin Id Plugin IP Http Response Code Status 10/12/2015 12:19:17 AM hadoopdev hdfs@vmubuntu2-VirtualBox-hadoopdev 192.168.23.126 200 Policies synced to plugin 10/11/2015 11:36:15 PM hbasedev hbaseRegional@vmubuntu2-VirtualBox-hbasedev 192.168.23.126 200 Policies synced to plugin 10/11/2015 11:36:07 PM hbasedev hbaseMaster@vmubuntu2-VirtualBox-hbasedev 192.168.23.126 200 Policies synced to plugin 10/11/2015 11:35:12 PM hbasedev hbaseMaster@vmubuntu2-VirtualBox-hbasedev 192.168.23.126 200 Policies synced to plugin 10/11/2015 11:34:12 PM hbasedev hbaseRegional@vmubuntu2-VirtualBox-hbasedev 192.168.23.126 200 Policies synced to plugin On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <[email protected]<mailto:[email protected]>> wrote: Ok, this is good. It is getting denied at the HDFS level. >From the HDFS service in Ranger Admin, create a new policy for /hbase >(recursive) and give all permission to user “hbase”. Let me know how it goes. BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? You can check the Audit->Plugins to see whether both Hbase Master and RegionServers are connecting and also in the Audit->Access, filter by service type “Hbase”. Thanks Bosco From: Aneela Saleem Reply-To: <[email protected]<mailto:[email protected]>> Date: Sunday, October 11, 2015 at 12:32 PM To: <[email protected]<mailto:[email protected]>> Subject: Re: Issue while enabling hbase plugin Hi Bosco! Audits show that it denying hbase user for writing into hadoop. audits are as follow Service Policy ID Event Time User Name / Type Resource Name Access Type Result Access Enforcer Client IP Event Count -- 10/11/2015 11:11:26 PM hbase hadoopdev hdfs / READ_EXECUTE Allowed hadoop-acl 127.0.0.1 1 -- 10/11/2015 11:05:11 PM hbase hadoopdev hdfs /hbase/.tmp WRITE Denied hadoop-acl 127.0.0.1 1 -- 10/11/2015 11:05:11 PM hbase hadoopdev hdfs /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001 READ Allowed hadoop-acl 127.0.0.1 1 -- 10/11/2015 11:05:11 PM hbase hadoopdev hdfs /hbase/data/hbase/meta/.tabledesc READ_EXECUTE Allowed hadoop-acl 127.0.0.1 1 -- 10/11/2015 11:05:11 PM hbase hadoopdev hdfs /hbase/data/hbase/meta/.tabledesc READ_EXECUTE Allowed hadoop-acl 127.0.0.1 1 -- 10/11/2015 11:05:10 PM hbase hadoopdev hdfs /hbase/hbase.id<http://hbase.id> READ Allowed hadoop-acl 127.0.0.1 1 -- 10/11/2015 11:05:10 PM hbase hadoopdev hdfs /hbase/hbase.version READ Allowed hadoop-acl 127.0.0.1 1 -- 10/11/2015 11:00:53 PM hbase hadoopdev hdfs / READ_EXECUTE Allowed hadoop-acl 127.0.0.1 1 -- 10/11/2015 11:00:40 PM hbase hadoopdev hdfs /test1 WRITE Denied hadoop-acl 127.0.0.1 1 -- 10/11/2015 09:41:25 PM hbase hadoopdev hdfs /hbase/.tmp WRITE Denied hadoop-acl 127.0.0.1 1 On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <[email protected]<mailto:[email protected]>> wrote: Yes, you can run as root if you want to. In production it is a good practice to have separate users, so you can manage the access to the shell accordingly. Also, generally it is not recommended to run user applications at user “root”. A rogue application can cause unimaginable damage in your network. For your current problem, can you check the Ranger audits in the Ranger Admin page and see what is the user that is getting denied? Thanks Bosco From: Aneela Saleem Reply-To: <[email protected]<mailto:[email protected]>> Date: Sunday, October 11, 2015 at 11:36 AM To: <[email protected]<mailto:[email protected]>> Subject: Re: Issue while enabling hbase plugin Hi Bosco! Same issue after following your instruction. Is it possible to run all services using root user without conflicts? that will be easy to manage and understand at initial stage. Thanks On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <[email protected]<mailto:[email protected]>> wrote: If you are using “root”, then you should provide the user “root” the full permission. You can do that by going to the Hbase repo and pick the default policy with “*,*,*” and add user “root” to it. Thanks Bosco From: Aneela Saleem Reply-To: <[email protected]<mailto:[email protected]>> Date: Sunday, October 11, 2015 at 11:18 AM To: <[email protected]<mailto:[email protected]>> Subject: Re: Issue while enabling hbase plugin Hi Ramesh! I started hbase services using hbase user but facing the same issue. On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <[email protected]<mailto:[email protected]>> wrote: Zookeeper will be user “zookeeper” and hdfs service like namenode, secondary name will be hdfs, respective core components of hadoop will have it owner user who will be running the services. Refer the documentation in apache. From: Aneela Saleem <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Sunday, October 11, 2015 at 10:51 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: Re: Issue while enabling hbase plugin Thanks Ramesh. But what about other services like zookeeper, hadoop etc On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani <[email protected]<mailto:[email protected]>> wrote: Aneela, Are you starting the hbase master / region server as “root” user, it should be “hbase” user who has the necessary permission to do so. So after enabling ranger hbase plugin start the services as “hbase” user Regards, Ramesh On Oct 11, 2015, at 7:40 AM, Aneela Saleem <[email protected]<mailto:[email protected]>> wrote: Hi! I am trying to enable hbase plugin but getting following exception when i start hbase 2015-10-11 19:34:12,707 WARN [ProcedureExecutorThread-0] procedure.CreateTableProcedure: Failed rollback attempt step=CREATE_TABLE_ADD_TO_META table=hbase:namespace org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user ‘root',action: delete, tableName:hbase:meta, family:info, column: at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538) at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766) at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958) at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673) at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748) at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705) at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954) Any suggestion for me? thanks CONFIDENTIALITY NOTICE NOTICE: This message is intended for the use of the individual or entity to which it is addressed and may contain information that is confidential, privileged and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any printing, copying, dissemination, distribution, disclosure or forwarding of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and delete it from your system. Thank You.
