HBase
  1. HBase
  2. HBASE-6068

Secure HBase cluster : Client not able to call some admin APIs

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 0.92.1, 0.94.0, 0.95.2
    • Fix Version/s: 0.92.2, 0.94.1
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      In case of secure cluster, we allow the HBase clients to read the zk nodes by providing the global read permissions to all for certain nodes. These nodes are the master address znode, root server znode and the clusterId znode. In ZKUtil.createACL() , we can see these node names are specially handled.
      But there are some other client side admin APIs which makes a read call into the zookeeper from the client. This include the isTableEnabled() call (May be some other. I have seen this). Here the client directly reads a node in the zookeeper ( node created for this table ) and the data is matched to know whether this is enabled or not.
      Now in secure cluster case any client can read zookeeper nodes which it needs for its normal operation like the master address and root server address. But what if the client calls this API? [isTableEnaled () ].

      1. HBASE-6068-0.92.patch
        1 kB
        Matteo Bertozzi
      2. HBASE-6068-v3.patch
        1 kB
        Matteo Bertozzi
      3. HBASE-6068-v2.patch
        1 kB
        Matteo Bertozzi
      4. HBASE-6068-v1.patch
        1 kB
        Matteo Bertozzi
      5. HBASE-6068-v0.patch
        1 kB
        Matteo Bertozzi

        Issue Links

          Activity

          Hide
          Hudson added a comment -

          Integrated in HBase-0.92-security #109 (See https://builds.apache.org/job/HBase-0.92-security/109/)
          HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344471)

          Result = SUCCESS
          stack :
          Files :

          • /hbase/branches/0.92/CHANGES.txt
          • /hbase/branches/0.92/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Show
          Hudson added a comment - Integrated in HBase-0.92-security #109 (See https://builds.apache.org/job/HBase-0.92-security/109/ ) HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344471) Result = SUCCESS stack : Files : /hbase/branches/0.92/CHANGES.txt /hbase/branches/0.92/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Hide
          Hudson added a comment -

          Integrated in HBase-0.94-security #33 (See https://builds.apache.org/job/HBase-0.94-security/33/)
          HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344472)

          Result = FAILURE
          stack :
          Files :

          • /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Show
          Hudson added a comment - Integrated in HBase-0.94-security #33 (See https://builds.apache.org/job/HBase-0.94-security/33/ ) HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344472) Result = FAILURE stack : Files : /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Hide
          Hudson added a comment -

          Integrated in HBase-0.92 #435 (See https://builds.apache.org/job/HBase-0.92/435/)
          HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344471)

          Result = SUCCESS
          stack :
          Files :

          • /hbase/branches/0.92/CHANGES.txt
          • /hbase/branches/0.92/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Show
          Hudson added a comment - Integrated in HBase-0.92 #435 (See https://builds.apache.org/job/HBase-0.92/435/ ) HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344471) Result = SUCCESS stack : Files : /hbase/branches/0.92/CHANGES.txt /hbase/branches/0.92/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Hide
          Hudson added a comment -

          Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #33 (See https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/33/)
          HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344456)

          Result = FAILURE
          stack :
          Files :

          • /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Show
          Hudson added a comment - Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #33 (See https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/33/ ) HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344456) Result = FAILURE stack : Files : /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Hide
          Hudson added a comment -

          Integrated in HBase-0.94 #236 (See https://builds.apache.org/job/HBase-0.94/236/)
          HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344472)

          Result = SUCCESS
          stack :
          Files :

          • /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Show
          Hudson added a comment - Integrated in HBase-0.94 #236 (See https://builds.apache.org/job/HBase-0.94/236/ ) HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344472) Result = SUCCESS stack : Files : /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Hide
          Hudson added a comment -

          Integrated in HBase-TRUNK #2957 (See https://builds.apache.org/job/HBase-TRUNK/2957/)
          HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344456)

          Result = FAILURE
          stack :
          Files :

          • /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Show
          Hudson added a comment - Integrated in HBase-TRUNK #2957 (See https://builds.apache.org/job/HBase-TRUNK/2957/ ) HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344456) Result = FAILURE stack : Files : /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
          Hide
          stack added a comment -

          Applied the 0.92 patch to 0.92 and 0.94 branches. Thanks Matteo.

          Show
          stack added a comment - Applied the 0.92 patch to 0.92 and 0.94 branches. Thanks Matteo.
          Hide
          Matteo Bertozzi added a comment -

          Attached patch for 0.92 that applies also on trunk

          Show
          Matteo Bertozzi added a comment - Attached patch for 0.92 that applies also on trunk
          Hide
          stack added a comment -

          Applied to trunk. Doesn't apply to 0.94. Want to make a patch for 0.94 and 0.92 Matteo? Thanks.

          Show
          stack added a comment - Applied to trunk. Doesn't apply to 0.94. Want to make a patch for 0.94 and 0.92 Matteo? Thanks.
          Hide
          Andrew Purtell added a comment -

          +1 on the latest patch. I'll open another JIRA on the question of should we tighten up client need for znodes anywhere.

          Show
          Andrew Purtell added a comment - +1 on the latest patch. I'll open another JIRA on the question of should we tighten up client need for znodes anywhere.
          Hide
          Matteo Bertozzi added a comment -

          any comments/thoughts on this patch?

          Show
          Matteo Bertozzi added a comment - any comments/thoughts on this patch?
          Hide
          Matteo Bertozzi added a comment -

          backupMasterAddressesZNode and rsZNode are checked just for Children. This doesn't require auth on children too.

          Show
          Matteo Bertozzi added a comment - backupMasterAddressesZNode and rsZNode are checked just for Children. This doesn't require auth on children too.
          Hide
          Matteo Bertozzi added a comment -

          rebase after trunk modularization HBASE-4336

          Show
          Matteo Bertozzi added a comment - rebase after trunk modularization HBASE-4336
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12529764/HBASE-6068-v1.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 hadoop23. The patch compiles against the hadoop 0.23.x profile.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          -1 findbugs. The patch appears to introduce 33 new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests:
          org.apache.hadoop.hbase.coprocessor.TestRegionServerCoprocessorExceptionWithAbort

          Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/2000//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2000//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
          Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/2000//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12529764/HBASE-6068-v1.patch against trunk revision . +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 hadoop23. The patch compiles against the hadoop 0.23.x profile. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. -1 findbugs. The patch appears to introduce 33 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.hbase.coprocessor.TestRegionServerCoprocessorExceptionWithAbort Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/2000//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2000//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/2000//console This message is automatically generated.
          Hide
          Matteo Bertozzi added a comment -

          Missed one in the list, hbase shell call Zookeeper directly on zk_dump command
          zk_dump -> listChildrenNoWatch() /hbase/backup-masters/*

          Show
          Matteo Bertozzi added a comment - Missed one in the list, hbase shell call Zookeeper directly on zk_dump command zk_dump -> listChildrenNoWatch() /hbase/backup-masters/*
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12529753/HBASE-6068-v0.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 hadoop23. The patch compiles against the hadoop 0.23.x profile.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          -1 findbugs. The patch appears to introduce 33 new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in .

          Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1998//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1998//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
          Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1998//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12529753/HBASE-6068-v0.patch against trunk revision . +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 hadoop23. The patch compiles against the hadoop 0.23.x profile. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. -1 findbugs. The patch appears to introduce 33 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1998//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1998//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1998//console This message is automatically generated.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12529749/HBASE-6068-v0.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 hadoop23. The patch compiles against the hadoop 0.23.x profile.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          -1 findbugs. The patch appears to introduce 33 new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in .

          Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1997//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1997//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
          Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1997//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12529749/HBASE-6068-v0.patch against trunk revision . +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 hadoop23. The patch compiles against the hadoop 0.23.x profile. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. -1 findbugs. The patch appears to introduce 33 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1997//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1997//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1997//console This message is automatically generated.
          Hide
          ramkrishna.s.vasudevan added a comment -

          @Matteo
          Thanks for bringing out similar cases that deals with ZK.

          Show
          ramkrishna.s.vasudevan added a comment - @Matteo Thanks for bringing out similar cases that deals with ZK.
          Hide
          Matteo Bertozzi added a comment -

          HBaseAdmin.checkHBaseAvailable() -> exists() /hbase
          ZKTable.populateTableStates() -> listChildrenNoWatch() /hbase/table/* znodes
          ZKTable.getTableState() -> getData() /hbase/table/<table name>
          HConnectionManager.getCurrentNrHRS() -> getNumberOfChildren() -> /hbase/rs/

          Show
          Matteo Bertozzi added a comment - HBaseAdmin.checkHBaseAvailable() -> exists() /hbase ZKTable.populateTableStates() -> listChildrenNoWatch() /hbase/table/* znodes ZKTable.getTableState() -> getData() /hbase/table/<table name> HConnectionManager.getCurrentNrHRS() -> getNumberOfChildren() -> /hbase/rs/
          Hide
          Matteo Bertozzi added a comment -

          Since certain znodes are accessed by the client directly they must be marked as readable by everyone.

          HBaseAdmin.checkHBaseAvailable() -> /hbase
          ZKTable.populateTableStates() -> /hbase/table/* znodes

          Show
          Matteo Bertozzi added a comment - Since certain znodes are accessed by the client directly they must be marked as readable by everyone. HBaseAdmin.checkHBaseAvailable() -> /hbase ZKTable.populateTableStates() -> /hbase/table/* znodes
          Hide
          Matteo Bertozzi added a comment -

          This is not related to acl coprocessor, global permission or table permission.
          For non rootServer/maserAddress/clusterId zknodes ZKUtil.createACL()create acl for CREATOR_ALL_ACL... but the call to zookeeper is done by hbase and not by the current user.

          So the owner of zookeeper node is "hbase" user and not the current user as checked in the acl coprocessor.

          Show
          Matteo Bertozzi added a comment - This is not related to acl coprocessor, global permission or table permission. For non rootServer/maserAddress/clusterId zknodes ZKUtil.createACL()create acl for CREATOR_ALL_ACL... but the call to zookeeper is done by hbase and not by the current user. So the owner of zookeeper node is "hbase" user and not the current user as checked in the acl coprocessor.
          Hide
          Laxman added a comment -

          Filed a separate JIRA for #2.

          Show
          Laxman added a comment - Filed a separate JIRA for #2.
          Hide
          Laxman added a comment -

          #2 is due to the wrong check in AC (AccessController). Handled as part of HBASE-6061.

          Gone through the HBASE-6061 patch. It addresses a different problem. We actually need to check for table permissions instead of global permissions here.

          +  private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
          +      byte[] tableName) throws IOException {
          +    if (isActiveUserTableOwner(e, tableName)) {
          +      requirePermission(Permission.Action.CREATE);
          +    } else {
          +      requirePermission(Permission.Action.ADMIN);
          +    }
          +  }
          

          I think this needs to be handled as separate jira.

          Show
          Laxman added a comment - #2 is due to the wrong check in AC (AccessController). Handled as part of HBASE-6061 . Gone through the HBASE-6061 patch. It addresses a different problem. We actually need to check for table permissions instead of global permissions here. + private void requireTableAdminPermission(MasterCoprocessorEnvironment e, + byte [] tableName) throws IOException { + if (isActiveUserTableOwner(e, tableName)) { + requirePermission(Permission.Action.CREATE); + } else { + requirePermission(Permission.Action.ADMIN); + } + } I think this needs to be handled as separate jira.
          Hide
          Laxman added a comment -

          #1 & #2 refers to the issues in my previous comment.

          #1 is due to restricted access to znodes. To fix this we may need some design changes in handling znodes.

          #2 is due to the wrong check in AC (AccessController). Handled as part of HBASE-6061.

          Show
          Laxman added a comment - #1 & #2 refers to the issues in my previous comment. #1 is due to restricted access to znodes. To fix this we may need some design changes in handling znodes. #2 is due to the wrong check in AC (AccessController). Handled as part of HBASE-6061 .
          Hide
          Laxman added a comment -

          Just tried out these apis from Java client in our secure cluster.

          Scenario:

          • Create a table 'test' and grant admin 'A' permission to 'testuser'
          • Try the admin operations (isTableEnabled, isTableDisabled, enableTable, disableTable) from java client

          There are actually two issues.

          1) isTableEnabled & isTableDisabled - Failed on client with the following error (ZK No Auth) as mentioned in this issue.

          12/05/22 17:44:49 WARN zookeeper.ZKUtil: hconnection-0x3377326f2010023 Unable to get data of znode /hbase/table/test
          org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /hbase/table/test
          at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
          at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
          at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1131)
          at org.apache.hadoop.hbase.zookeeper.RecoverableZooKeeper.getData(RecoverableZooKeeper.java:264)
          at org.apache.hadoop.hbase.zookeeper.ZKUtil.getData(ZKUtil.java:467)
          at org.apache.hadoop.hbase.zookeeper.ZKTable.getTableState(ZKTable.java:109)
          at org.apache.hadoop.hbase.zookeeper.ZKTable.isEnabledTable(ZKTable.java:283)
          at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.testTableOnlineState(HConnectionManager.java:776)
          at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.isTableEnabled(HConnectionManager.java:729)
          at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:873)
          at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:864)
          

          2) enableTable & disableTable - Failed on master with following error (HBase - access denied).

          Exception in thread "main" org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'testuser' (global, action=ADMIN)
          	at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:368)
          	at org.apache.hadoop.hbase.security.access.AccessController.preDisableTable(AccessController.java:578)
          	at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preDisableTable(MasterCoprocessorHost.java:351)
          	at org.apache.hadoop.hbase.master.HMaster.disableTable(HMaster.java:1220)
          	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          	at java.lang.reflect.Method.invoke(Method.java:597)
          	at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:372)
          	at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1376)
          	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
          	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
          	at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
          	at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:90)
          	at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:79)
          	at org.apache.hadoop.hbase.client.HBaseAdmin.disableTableAsync(HBaseAdmin.java:763)
          	at org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(HBaseAdmin.java:786)
          
          Show
          Laxman added a comment - Just tried out these apis from Java client in our secure cluster. Scenario: Create a table 'test' and grant admin 'A' permission to 'testuser' Try the admin operations (isTableEnabled, isTableDisabled, enableTable, disableTable) from java client There are actually two issues. 1) isTableEnabled & isTableDisabled - Failed on client with the following error (ZK No Auth) as mentioned in this issue. 12/05/22 17:44:49 WARN zookeeper.ZKUtil: hconnection-0x3377326f2010023 Unable to get data of znode /hbase/table/test org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /hbase/table/test at org.apache.zookeeper.KeeperException.create(KeeperException.java:113) at org.apache.zookeeper.KeeperException.create(KeeperException.java:51) at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1131) at org.apache.hadoop.hbase.zookeeper.RecoverableZooKeeper.getData(RecoverableZooKeeper.java:264) at org.apache.hadoop.hbase.zookeeper.ZKUtil.getData(ZKUtil.java:467) at org.apache.hadoop.hbase.zookeeper.ZKTable.getTableState(ZKTable.java:109) at org.apache.hadoop.hbase.zookeeper.ZKTable.isEnabledTable(ZKTable.java:283) at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.testTableOnlineState(HConnectionManager.java:776) at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.isTableEnabled(HConnectionManager.java:729) at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:873) at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:864) 2) enableTable & disableTable - Failed on master with following error (HBase - access denied). Exception in thread "main" org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'testuser' (global, action=ADMIN) at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:368) at org.apache.hadoop.hbase.security.access.AccessController.preDisableTable(AccessController.java:578) at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preDisableTable(MasterCoprocessorHost.java:351) at org.apache.hadoop.hbase.master.HMaster.disableTable(HMaster.java:1220) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:372) at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1376) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) at java.lang.reflect.Constructor.newInstance(Constructor.java:513) at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:90) at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:79) at org.apache.hadoop.hbase.client.HBaseAdmin.disableTableAsync(HBaseAdmin.java:763) at org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(HBaseAdmin.java:786)
          Hide
          Anoop Sam John added a comment -

          HBaseAdmin
          isTableEnabled()
          isTableEnabled()
          disableTable()

          These APIs will have the problem. All these making a call to HConnectionManagerImpl.testTableOnlineState(byte [] tableName, boolean online), which in turn try to read from ZK

          Will read the path /hbase/table/<tabName> for which there is no global read permission

          Show
          Anoop Sam John added a comment - HBaseAdmin isTableEnabled() isTableEnabled() disableTable() These APIs will have the problem. All these making a call to HConnectionManagerImpl.testTableOnlineState(byte [] tableName, boolean online), which in turn try to read from ZK Will read the path /hbase/table/<tabName> for which there is no global read permission

            People

            • Assignee:
              Matteo Bertozzi
              Reporter:
              Anoop Sam John
            • Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development