Pivotal Knowledge Base

Follow

HBase SQL statement fails with Insufficient permissions for user

This article will list quick steps to get started with a hbase cluster after securing it or enabling simple access !!

After securing or configuring simple access to an hbase cluster, if user has not be given appropriate privileges, hbase commands will fail with an error "Insufficient permissions for user". It is an expected behavior.

Symptom: 

base(main):001:0> create 'pivotal','cf1' 
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'gpadmin' (global, action=CREATE)
        at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:426)
        at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:563)
        at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preCreateTable(MasterCoprocessorHost.java:98)
        at org.apache.hadoop.hbase.master.HMaster.createTable(HMaster.java:1315)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:308)
        at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1426)

Solution:

- Once the cluster has been secured, a user has to authenticate itself to kerberos by doing a kinit. By default, hbase is a superuser who was full access and can be used to grant privileges to other users. Since, you have already secured the cluster, use hbase keytab file to perform a kinit. 

[root@hdm3 keytab]# sudo -u hbase kinit -kt hbase.service.keytab hbase/hdm3.pivotal.com@PIVOTAL.COM

Now, after successful kinit, you can login to hbase shell and grant privileges to other users.

[root@sjc1ibdhdm3 keytab]# sudo -u hbase hbase shell
hbase(main):002:0> grant  'gpadmin', 'RWCA'
0 row(s) in 3.5870 seconds

hbase(main):003:0> quit

- In case, only simple access to HBase is enabled, you will need to grant the required priviliges only. kinit is not required.

Done !! You, now have a superuser gpadmin who can be used to administer the hbase cluster.

Miscellaneous:

Comments

Powered by Zendesk