Thanks for the advise. The audit log record looks like this (somewhat
redacted):
{"repoType":2,"repo":"dev_hbase","reqUser":"<service_user>","evtTime":"2015-12-17
12:12:59.040","access":"put","resource":"<namespace>:<table>/d/o","resType":"column","action":"write","result":"1","policy":3,"enforcer":"ranger-acl","cliIP":"<0.0.0.0>,"agentHost":"<fqdn>,"logType":"RangerAudit","id":"<biglongid>,"seq_num":95,"event_count":1,"event_dur_ms":1}
Not sure that helps much though. I'll try enabling debug on the hbase
plugin and see if that shows more closely what's going on.
--
Chris
On 17 December 2015 at 20:51, Madhan Neethiraj <[email protected]> wrote:
> Chris,
>
> >> When we run the application any user supplied in the doAsUser will
> successfully write to HBase even if no policy is defined in Ranger for that
> user. When I look in the audit logs it is the application service user that
> is being recorded as making the writes.
>
> Details in audit log should help understand the behavior. Can you please
> send the contents of the audit record, for the accesses made from the Java
> API? I am looking for details like: resource-accessed, access-type,
> username, ID of the policy that allowed the access..
>
> Thanks,
> Madhan
>
> From: Don Bosco Durai <[email protected]>
> Reply-To: "[email protected]" <
> [email protected]>
> Date: Thursday, December 17, 2015 at 11:22 AM
> To: "[email protected]" <[email protected]>
> Subject: Re: doAs() with Ranger HBase plugin
>
> Chris
>
> Ranger plugin uses the same user/group made available by the component. So
> in your case, Hbase is getting the service user, which I assume is you
> “springboot” app user.
>
> You might want to do couple of things:
>
> 1. Check Hbase logs to see if there are any errors (like impersonation
> not allowed for your service user)
> 2. Make sure your service user is allowed to act like proxy user?
>
> Core-site.xml for hbase:
>
> <property>
>
> <name>hadoop.proxyuser.oozie.groups</name>
>
> <value>*</value>
>
> </property>
>
>
> <property>
>
> <name>hadoop.proxyuser.oozie.hosts</name>
>
> <value>*</value>
>
> </property>
>
> Bosco
>
>
> From: Chris Gent <[email protected]>
> Reply-To: <[email protected]>
> Date: Thursday, December 17, 2015 at 5:46 AM
> To: <[email protected]>
> Subject: doAs() with Ranger HBase plugin
>
>
> Hi,
>
> For a client we're building a system that calls the HBase Java API from
> within our own springboot app. The goal is to be able to audit and
> authorize data access to the various user requests being made against HBase
> (possibly down to column family level) using Ranger.
>
> The solution is based on how this same process appears to work in e.g.
> Oozie
>
> A snippet of the application code looks like this where doAsUser is the
> end user's username:
>
>
> UserGroupInformation ugi = UserGroupInformation.createProxyUser(doAsUser,
> UserGroupInformation.getLoginUser());
>
> try {
> ugi.doAs(new PriviledgedExceptionAction<Void>() {
> @Override
> public Void run() throws Exception {
> LOGGER.info("HBase put as user " + ugi.getShortUserName());
> table.put(put);
> return null;
> }
> });
>
> ...
>
>
>
> When we run the application any user supplied in the doAsUser will
> successfully write to HBase even if no policy is defined in Ranger for that
> user. When I look in the audit logs it is the application service user that
> is being recorded as making the writes.
>
> I should note that the cluster is kerberized and we are on HDP2.3.
>
> Does anyone know how to get this working for HBase?
>
> If I look at the sample authorizer on
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207
> then I think our approach would work against the sample authorizer
> described. Is the HBase plugin behaving differently?
>
> Thanks in advance for any assistance with this problem.
>
>
> --
> *Christopher Gent*
>
>
> *NOTICE AND DISCLAIMER*
>
> This email (including attachments) is confidential. If you are not the
> intended recipient, notify the sender immediately, delete this email from
> your system and do not disclose or use for any purpose.
>
> Business Address: Eagle House, 163 City Road, London, EC1V 1NR. United
> Kingdom
> Registered Office: Finsgate, 5-7 Cranwood Street, London, EC1V 9EE. United
> Kingdom
> Big Data Partnership Limited is a company registered in England & Wales
> with Company No 7904824
>
>
--
*Christopher Gent*
*Managing Consultant*
Big Data Partnership
M: 07795 210205
E: [email protected]
*NOTICE AND DISCLAIMER*
This email (including attachments) is confidential. If you are not the
intended recipient, notify the sender immediately, delete this email from
your system and do not disclose or use for any purpose.
Business Address: Eagle House, 163 City Road, London, EC1V 1NR. United
Kingdom
Registered Office: Finsgate, 5-7 Cranwood Street, London, EC1V 9EE. United
Kingdom
Big Data Partnership Limited is a company registered in England & Wales
with Company No 7904824
--
*NOTICE AND DISCLAIMER*
This email (including attachments) is confidential. If you are not the
intended recipient, notify the sender immediately, delete this email from
your system and do not disclose or use for any purpose.
Business Address: Eagle House, 163 City Road, London, EC1V 1NR. United
Kingdom
Registered Office: Finsgate, 5-7 Cranwood Street, London, EC1V 9EE. United
Kingdom
Big Data Partnership Limited is a company registered in England & Wales
with Company No 7904824
