Hi,
For a client we're building a system that calls the HBase Java API from
within our own Spring Boot app. The goal is to be able to audit and
authorize data access to the various user requests being made against HBase
(possibly down to column family level) using Ranger.
The solution is based on how this same process appears to work in e.g. Oozie.
A snippet of the application code looks like this, where doAsUser is the end
user's username:
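
    import java.security.PrivilegedExceptionAction;
    import org.apache.hadoop.security.UserGroupInformation;

    // Proxy UGI: doAsUser is the effective user, the service's login user is the real user
    final UserGroupInformation ugi = UserGroupInformation.createProxyUser(doAsUser,
            UserGroupInformation.getLoginUser());
    try {
        // Run the put with the proxy UGI as the current user
        ugi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                LOGGER.info("HBase put as user " + ugi.getShortUserName());
                table.put(put);
                return null;
            }
        });
    ...
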
When we run the application any user supplied in the doAsUser will
successfully write to HBase even if no policy is defined in Ranger for that
user. When I look in the audit logs it is the application service user that
is being recorded as making the writes.
I should note that the cluster is kerberized and we are on HDP2.3.
Does anyone know how to get this working for HBase?
If I look at the sample authorizer on
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207
then I think our approach would work against the sample authorizer
described. Is the HBase plugin behaving differently?
Thanks in advance for any assistance with this problem.
--
*Christopher Gent*