yes it was just because of permissions. I had to give full permissions on hbase directory in hdfs to allow root and hbase user to perform necessary operations on it.
On Thu, Oct 15, 2015 at 10:20 PM, Don Bosco Durai <[email protected]> wrote: > Based on your other email, it seems you get Hbase plugin installed > properly. Was it just the permission or you had to do anything more? > > Thanks > > Bosco > > > From: Don Bosco Durai > Reply-To: <[email protected]> > Date: Sunday, October 11, 2015 at 9:47 PM > > To: <[email protected]> > Subject: Re: Issue while enabling hbase plugin > > Seems this deny is for root. Can you add root also to the policy? Check > the audit and based on that you need to add appropriate permissions.. > > Thanks > > Bosco > > > From: Aneela Saleem > Reply-To: <[email protected]> > Date: Sunday, October 11, 2015 at 9:44 PM > To: <[email protected]> > Subject: Re: Issue while enabling hbase plugin > > Hi! > Same issue even after adding hbase.superuser property. > > Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: > Insufficient permissions for user ‘root',action: put, tableName:hbase:meta, > family:info, column: regioninfo > at > org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538) > at > org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.prePut(RangerAuthorizationCoprocessor.java:989) > at > org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$30.call(RegionCoprocessorHost.java:902) > at > org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673) > > On Mon, Oct 12, 2015 at 2:49 AM, Don Bosco Durai <[email protected]> wrote: > >> Can you make sure the policy has recursive ON? And also check the audit >> logs to see whether it is the same denied result. >> >> Thanks >> >> Bosco >> >> >> From: Aneela Saleem >> Reply-To: <[email protected]> >> Date: Sunday, October 11, 2015 at 1:22 PM >> >> To: <[email protected]> >> Subject: Re: Issue while enabling hbase plugin >> >> Hi! >> Issue is not solved by adding permissions to the user hbase. >> >> On Mon, Oct 12, 2015 at 1:04 AM, Don Bosco Durai <[email protected]> >> wrote: >> >>> For now, the sync tool just synchronizes with one of the source. You >>> should be able to add the unix users manually. >>> >>> Log in to Ranger Admin and then Settings -> Users/Groups -> Add New User. >>> >>> You can add the user you want to. You can give any random password. It >>> is not used. Select “Role” as User. >>> >>> After this you should be able to use these users for giving permissions. >>> >>> Bosco >>> >>> >>> From: Aneela Saleem >>> Reply-To: <[email protected]> >>> Date: Sunday, October 11, 2015 at 12:51 PM >>> >>> To: <[email protected]> >>> Subject: Re: Issue while enabling hbase plugin >>> >>> Hi Bosco! >>> >>> One more thing i am syncing users with ldap, not unix users. How can i >>> apply permissions for unix users? can we sync users from ldap and unix both >>> at a time? >>> >>> On Mon, Oct 12, 2015 at 12:41 AM, Aneela Saleem <[email protected]> >>> wrote: >>> >>>> Hi Bosco! >>>> therse are plugins audits. it seems that hbase master and region server >>>> are being sync correctly. >>>> >>>> Export Date ( Pakistan Standard Time )Service NamePlugin IdPlugin IPHttp >>>> Response CodeStatus10/12/2015 12:19:17 AMhadoopdev >>>> [email protected] synced to >>>> plugin10/11/2015 11:36:15 PMhbasedev >>>> hbaseRegional@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies >>>> synced to plugin10/11/2015 11:36:07 PMhbasedev >>>> hbaseMaster@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies >>>> synced to plugin10/11/2015 11:35:12 PMhbasedev >>>> hbaseMaster@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies >>>> synced to plugin10/11/2015 11:34:12 PMhbasedev >>>> hbaseRegional@vmubuntu2-VirtualBox-hbasedev192.168.23.126200Policies >>>> synced to plugin >>>> >>>> On Mon, Oct 12, 2015 at 12:36 AM, Don Bosco Durai <[email protected]> >>>> wrote: >>>> >>>>> Ok, this is good. It is getting denied at the HDFS level. >>>>> >>>>> From the HDFS service in Ranger Admin, create a new policy for /hbase >>>>> (recursive) and give all permission to user “hbase”. >>>>> >>>>> Let me know how it goes. >>>>> >>>>> BTW, I don’t see any Hbase audit logs. Is Hbase configured properly? >>>>> You can check the Audit->Plugins to see whether both Hbase Master and >>>>> RegionServers are connecting and also in the Audit->Access, filter by >>>>> service type “Hbase”. >>>>> >>>>> Thanks >>>>> >>>>> Bosco >>>>> >>>>> >>>>> From: Aneela Saleem >>>>> Reply-To: <[email protected]> >>>>> Date: Sunday, October 11, 2015 at 12:32 PM >>>>> >>>>> To: <[email protected]> >>>>> Subject: Re: Issue while enabling hbase plugin >>>>> >>>>> Hi Bosco! >>>>> >>>>> Audits show that it denying hbase user for writing into hadoop. audits >>>>> are as follow >>>>> >>>>> ServicePolicy IDEvent TimeUserName / TypeResource NameAccess Type >>>>> ResultAccess EnforcerClient IPEvent Count--10/11/2015 11:11:26 PMhbase >>>>> hadoopdev >>>>> hdfs >>>>> /READ_EXECUTEAllowedhadoop-acl127.0.0.11--10/11/2015 11:05:11 PMhbase >>>>> hadoopdev >>>>> hdfs >>>>> /hbase/.tmpWRITEDeniedhadoop-acl127.0.0.11--10/11/2015 11:05:11 PM >>>>> hbase >>>>> hadoopdev >>>>> hdfs >>>>> /hbase/data/hbase/meta/.tabledesc/.tableinfo.0000000001READAllowed >>>>> hadoop-acl127.0.0.11--10/11/2015 11:05:11 PMhbase >>>>> hadoopdev >>>>> hdfs >>>>> /hbase/data/hbase/meta/.tabledescREAD_EXECUTEAllowedhadoop-acl >>>>> 127.0.0.11--10/11/2015 11:05:11 PMhbase >>>>> hadoopdev >>>>> hdfs >>>>> /hbase/data/hbase/meta/.tabledescREAD_EXECUTEAllowedhadoop-acl >>>>> 127.0.0.11--10/11/2015 11:05:10 PMhbase >>>>> hadoopdev >>>>> hdfs >>>>> /hbase/hbase.idREADAllowedhadoop-acl127.0.0.11--10/11/2015 11:05:10 PM >>>>> hbase >>>>> hadoopdev >>>>> hdfs >>>>> /hbase/hbase.versionREADAllowedhadoop-acl127.0.0.11--10/11/2015 >>>>> 11:00:53 PMhbase >>>>> hadoopdev >>>>> hdfs >>>>> /READ_EXECUTEAllowedhadoop-acl127.0.0.11--10/11/2015 11:00:40 PMhbase >>>>> hadoopdev >>>>> hdfs >>>>> /test1WRITEDeniedhadoop-acl127.0.0.11--10/11/2015 09:41:25 PMhbase >>>>> hadoopdev >>>>> hdfs >>>>> /hbase/.tmpWRITEDeniedhadoop-acl127.0.0.11 >>>>> >>>>> >>>>> >>>>> On Sun, Oct 11, 2015 at 11:39 PM, Don Bosco Durai <[email protected]> >>>>> wrote: >>>>> >>>>>> Yes, you can run as root if you want to. In production it is a good >>>>>> practice to have separate users, so you can manage the access to the >>>>>> shell >>>>>> accordingly. Also, generally it is not recommended to run user >>>>>> applications >>>>>> at user “root”. A rogue application can cause unimaginable damage in your >>>>>> network. >>>>>> >>>>>> For your current problem, can you check the Ranger audits in the >>>>>> Ranger Admin page and see what is the user that is getting denied? >>>>>> >>>>>> Thanks >>>>>> >>>>>> Bosco >>>>>> >>>>>> >>>>>> From: Aneela Saleem >>>>>> Reply-To: <[email protected]> >>>>>> Date: Sunday, October 11, 2015 at 11:36 AM >>>>>> >>>>>> To: <[email protected]> >>>>>> Subject: Re: Issue while enabling hbase plugin >>>>>> >>>>>> Hi Bosco! >>>>>> >>>>>> Same issue after following your instruction. Is it possible to run >>>>>> all services using root user without conflicts? that will be easy to >>>>>> manage >>>>>> and understand at initial stage. >>>>>> >>>>>> Thanks >>>>>> >>>>>> On Sun, Oct 11, 2015 at 11:25 PM, Don Bosco Durai <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> If you are using “root”, then you should provide the user “root” the >>>>>>> full permission. You can do that by going to the Hbase repo and pick the >>>>>>> default policy with “*,*,*” and add user “root” to it. >>>>>>> >>>>>>> Thanks >>>>>>> >>>>>>> Bosco >>>>>>> >>>>>>> >>>>>>> From: Aneela Saleem >>>>>>> Reply-To: <[email protected]> >>>>>>> Date: Sunday, October 11, 2015 at 11:18 AM >>>>>>> To: <[email protected]> >>>>>>> >>>>>>> Subject: Re: Issue while enabling hbase plugin >>>>>>> >>>>>>> Hi Ramesh! >>>>>>> >>>>>>> I started hbase services using hbase user but facing the same issue. >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Sun, Oct 11, 2015 at 11:09 PM, Ramesh Mani <[email protected] >>>>>>> > wrote: >>>>>>> >>>>>>>> Zookeeper will be user “zookeeper” and hdfs service like namenode, >>>>>>>> secondary name will be hdfs, respective core components of hadoop will >>>>>>>> have >>>>>>>> it owner user who will be running the services. Refer the >>>>>>>> documentation in >>>>>>>> apache. >>>>>>>> >>>>>>>> From: Aneela Saleem <[email protected]> >>>>>>>> Reply-To: "[email protected]" < >>>>>>>> [email protected]> >>>>>>>> Date: Sunday, October 11, 2015 at 10:51 AM >>>>>>>> To: "[email protected]" < >>>>>>>> [email protected]> >>>>>>>> Subject: Re: Issue while enabling hbase plugin >>>>>>>> >>>>>>>> Thanks Ramesh. >>>>>>>> >>>>>>>> But what about other services like zookeeper, hadoop etc >>>>>>>> >>>>>>>> On Sun, Oct 11, 2015 at 10:47 PM, Ramesh Mani < >>>>>>>> [email protected]> wrote: >>>>>>>> >>>>>>>>> Aneela, >>>>>>>>> >>>>>>>>> Are you starting the hbase master / region server as “root” user, >>>>>>>>> it should be “hbase” user who has the necessary permission to do so. >>>>>>>>> So >>>>>>>>> after enabling ranger hbase plugin start the services as “hbase” user >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> Ramesh >>>>>>>>> >>>>>>>>> On Oct 11, 2015, at 7:40 AM, Aneela Saleem <[email protected]> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>> Hi! >>>>>>>>> >>>>>>>>> I am trying to enable hbase plugin but getting following exception >>>>>>>>> when i start hbase >>>>>>>>> >>>>>>>>> *2015-10-11 19:34:12,707 WARN [ProcedureExecutorThread-0] >>>>>>>>> procedure.CreateTableProcedure: Failed rollback attempt >>>>>>>>> step=CREATE_TABLE_ADD_TO_META table=hbase:namespace* >>>>>>>>> *org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: >>>>>>>>> Failed 1 action: >>>>>>>>> org.apache.hadoop.hbase.security.AccessDeniedException: >>>>>>>>> Insufficient permissions for user ‘root',action: delete, >>>>>>>>> tableName:hbase:meta, family:info, column:* >>>>>>>>> * at >>>>>>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.requirePermission(RangerAuthorizationCoprocessor.java:538)* >>>>>>>>> * at >>>>>>>>> org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preDelete(RangerAuthorizationCoprocessor.java:766)* >>>>>>>>> * at >>>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$33.call(RegionCoprocessorHost.java:958)* >>>>>>>>> * at >>>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1673)* >>>>>>>>> * at >>>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1748)* >>>>>>>>> * at >>>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1705)* >>>>>>>>> * at >>>>>>>>> org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preDelete(RegionCoprocessorHost.java:954)* >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> *Any suggestion for me?* >>>>>>>>> >>>>>>>>> *thanks* >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> CONFIDENTIALITY NOTICE >>>>>>>>> NOTICE: This message is intended for the use of the individual or >>>>>>>>> entity to which it is addressed and may contain information that is >>>>>>>>> confidential, privileged and exempt from disclosure under applicable >>>>>>>>> law. >>>>>>>>> If the reader of this message is not the intended recipient, you are >>>>>>>>> hereby >>>>>>>>> notified that any printing, copying, dissemination, distribution, >>>>>>>>> disclosure or forwarding of this communication is strictly >>>>>>>>> prohibited. If >>>>>>>>> you have received this communication in error, please contact the >>>>>>>>> sender >>>>>>>>> immediately and delete it from your system. Thank You. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> >
