Pivotal Knowledge Base

How to control user's access to HBASE

Environment

Product             Version
Pivotal HD (PHD)    1.1.1
HBASE               0.94.8

Purpose

This article lists the steps which must be performed to control access to HBase. HBase versions above 92 support Access Control List (ACL) based protection of resources on a column family and/or table basis.

ACL-based protection is not meant to prevent interception or eavesdropping. If you need to prevent such attempts, you must configure HBase for secured operation.

Resolution

Step 1: Stop HBASE services running in Pivotal HD cluster.

If the Pivotal HD cluster was deployed using Install & Configuration Manager (ICM), you can stop the HBASE services in a number of ways. In this example, we used the Pivotal Command Center GUI to stop the HBase master and region-server services.

Note: You can also control the services using the standard Linux service utility.

service <service-name> start/stop/restart
- service hbase-master stop (On HBase-master node)
- service hbase-regionserver stop (On every HBase-regionserver node)

Step 2: Once the services are stopped, modify /etc/gphd/hbase/conf/hbase-site.xml on hbase master & region servers.

Add the below parameters to hbase-site.xml on all the Pivotal HD HBase master and region-server nodes.

<property>
  <name>hbase.rpc.engine</name>
  <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
<property>
  <name>hbase.coprocessor.master.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>

Step 3: [Optional] If dedicated hbase client nodes are used, copy /etc/gphd/hbase/conf/hbase-site.xml created in step 2 to hbase-client nodes.

Note: It is better to keep all the *-site.xml files in sync across the cluster, so we suggest copying the same hbase-site.xml to all the nodes. However, just for the record, only the below parameter is required on the hbase client nodes.

<property> 
<name>hbase.rpc.engine</name> 
<value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value> 
</property>
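The following check is an added example, not part of the original article or of Pivotal's tooling: it parses the text of an hbase-site.xml and reports which of the properties from Steps 2 and 3 are missing or do not name the expected class. The function names, the role argument and the sample configuration are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SECURE_RPC = "org.apache.hadoop.hbase.ipc.SecureRpcEngine"
ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"

# Properties from Steps 2 and 3. Coprocessor properties take a comma-separated
# class list, so AccessController only has to be one of the entries.
SERVER_REQUIRED = {
    "hbase.rpc.engine": SECURE_RPC,
    "hbase.coprocessor.master.classes": ACCESS_CONTROLLER,
    "hbase.coprocessor.region.classes": ACCESS_CONTROLLER,
}
CLIENT_REQUIRED = {"hbase.rpc.engine": SECURE_RPC}


def load_properties(xml_text):
    """Return {name: value} from hbase-site.xml text (this check keeps the last duplicate)."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def check_acl_config(xml_text, role="server"):
    """Return a list of problems; an empty list means the ACL settings are present."""
    required = SERVER_REQUIRED if role == "server" else CLIENT_REQUIRED
    props = load_properties(xml_text)
    problems = []
    for name, expected in required.items():
        classes = [c.strip() for c in props.get(name, "").split(",")]
        if name not in props:
            problems.append(f"{name}: missing")
        elif expected not in classes:
            problems.append(f"{name}: {props[name]!r} does not include {expected}")
    return problems


# Constructed sample: a node where only the RPC engine was updated.
SAMPLE = """<configuration>
  <property><name>hbase.rpc.engine</name>
    <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value></property>
  <property><name>hbase.coprocessor.region.classes</name>
    <value>com.example.MyObserver</value></property>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(check_acl_config(SAMPLE)) or "ACL settings present")
```

Running it against the file on every master and region-server node before Step 4 catches a node that was missed, since a region server started without the AccessController coprocessor does not enforce the grants.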

Step 4: Start HBASE services

Note: Once the services have started, check them for any errors. If the services were running and configured properly before the change, they should all start up.

Step 5: Verify that ACLs are now enforced by HBASE

Log on to the HBASE shell as a standard user (for example, the gpadmin user) and attempt to create a table. Table creation must fail with an error like the one below:

[gpadmin@hdm1 ~]$ hbase shell
hbase(main):001:0> create 'test_acl', 'cf'
..skipping standard message..
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'gpadmin' (global, action=CREATE)
     at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:426)
    ..skipping..
     at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1426)
hbase(main):001:0> exit

Step 6: Log on as the HBASE superuser (hbase) and grant privileges to the gpadmin user.

[gpadmin@hdm1 ~]$ sudo -u hbase hbase shell
hbase(main):001:0> grant 'gpadmin', 'RWCA'
..skipping standard messages..
0 row(s) in 0.9490 seconds 

Where RWCA stands for:

R - READ

W - WRITE

C - CREATE

A - ADMIN

Assign only the privileges that each user requires. The above is just an example.

Step 7: Test if gpadmin is now able to perform the allowed HBASE operations.

[gpadmin@hdm1 ~]$ hbase shell
hbase(main):001:0> create 'test', 'cf'
SLF4J: Class path contains multiple SLF4J bindings.
..skipping standard messages..
0 row(s) in 1.8680 seconds 

This process enables you to configure the environment successfully.

Additional Information

With PHD 1.1.0, the JARs below are not available, so once the changes mentioned above are made, hbase-master or hbase-regionserver will not start. Place the JARs below on the hbase-master and hbase-regionserver nodes under the directory: /usr/lib/gphd/hbase

  • hbase-0.94.8-gphd-2.1.1.0-security.jar
  • hbase-0.94.8-gphd-2.1.1.0-security-tests.jar

Then change the symbolic link /usr/lib/gphd/hbase/hbase.jar to point to /usr/lib/gphd/hbase/hbase-0.94.8-gphd-2.1.1.0-security.jar

  • ln -sfn /usr/lib/gphd/hbase/hbase-0.94.8-gphd-2.1.1.0-security.jar /usr/lib/gphd/hbase/hbase.jar
    (-f replaces the existing hbase.jar link; plain ln -s fails when the link already exists)

Note: You can get the above jar by downloading PHD 1.1.1 binaries from emc.subscribenet.com. Otherwise, please create a service request at support.pivotal.io.
