HBase Authentication Issue


Ramkumar KS

Aug 23, 2016, 1:41:06 AM
to Aurelius
Hi,

I have enabled HBase authorization and I have created a user group which only has Read and Write permission.

I am trying to deploy the application, which uses the Titan graph APIs, under the above-mentioned user group, and I am getting a permission denied exception since Titan is trying to create column families. (The table, column families, property keys and index keys are created by a different user who has permission to alter the table.)

I tried to set "storage.hbase.skip-schema-check" to true and the application started to work, but I continually get the warning shown below:

WARN  [2016-08-23 05:02:53,966] com.thinkaurelius.titan.diskstorage.hbase.HBaseStoreManager: Unexpected exception during getDeployment()

! Causing: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=user, scope=tablename, family=, action=CREATE)
! at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:425)
! at org.apache.hadoop.hbase.security.access.AccessController.preGetTableDescriptors(AccessController.java:2223)
! at org.apache.hadoop.hbase.master.MasterCoprocessorHost$63.call(MasterCoprocessorHost.java:750)
! at org.apache.hadoop.hbase.master.MasterCoprocessorHost.execOperation(MasterCoprocessorHost.java:906)
! at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preGetTableDescriptors(MasterCoprocessorHost.java:746)
! at org.apache.hadoop.hbase.master.HMaster.getTableDescriptors(HMaster.java:2589)
! at org.apache.hadoop.hbase.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java:42241)
! at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2031)
! at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:108)
! at org.apache.hadoop.hbase.ipc.FifoRpcScheduler$1.run(FifoRpcScheduler.java:74)
! at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
! at java.util.concurrent.FutureTask.run(FutureTask.java:262)
! at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
! at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
! at java.lang.Thread.run(Thread.java:745)

Is there any way I can avoid these logs, or am I missing something in the configuration?

I am using Titan HBase 0.5.2, backed by CDH 5.3.0 HBase (version 0.98.6).

Regards,
Ramkumar

Jason Plurad

Aug 24, 2016, 9:30:22 PM
to Aurelius
Hi Ramkumar,

What are your Titan-HBase configuration properties? Do you have the storage.username and storage.password set?

-- Jason

Ramkumar KS

Aug 26, 2016, 2:07:26 AM
to Aurelius
Hi Jason,

We are using LDAP-based authentication, so the application automatically picks up the deployed user, and I am able to create nodes and read as well.

As mentioned in the problem statement, I have deployed the application under, say, the "XYZ" user, and the "XYZ" user has only Read & Write permission. The authorization is working properly.

My issue is: though I have set "storage.hbase.skip-schema-check" to true, why is Titan graph trying to create the schema/column family?

Though the application is working, the log it dumps is very frequent, and I am afraid this will affect the application performance and increase disk space consumption because of the log.

Please let me know if you need more information. Thanks for your reply.

Regards,
Ramkumar

Jason Plurad

Aug 26, 2016, 2:13:28 PM
to Aurelius
Hi Ramkumar,

Do you have a nested stack trace that shows where that traces through the Titan code?

Looks like this line is the culprit:

https://github.com/thinkaurelius/titan/blob/0.5.2/titan-hbase-parent/titan-hbase-core/src/main/java/com/thinkaurelius/titan/diskstorage/hbase/HBaseStoreManager.java#L551

This check to test whether a table exists doesn't respect the skip-schema-check option. It still appears to be an issue in 1.0.0.

I'd recommend that you open up an issue on the GitHub tracker.


-- Jason
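
An added example, not part of the thread or of Titan's code: a small Python triage script that groups the AccessDeniedException warnings quoted in the first post by user, scope, family, action and the AccessController coprocessor hook that raised them, so an operator can see which master operation a least-privileged account is being denied and how often. The sample log is constructed from the trace in the first post (the second timestamp is invented), and all function and variable names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: one event modelled on the warning quoted in the thread.
EVENT = (
    "WARN  [{ts}] com.thinkaurelius.titan.diskstorage.hbase.HBaseStoreManager: Unexpected exception during getDeployment()\n"
    "! Causing: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=user, scope=tablename, family=, action=CREATE)\n"
    "! at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:425)\n"
    "! at org.apache.hadoop.hbase.security.access.AccessController.preGetTableDescriptors(AccessController.java:2223)\n"
    "! at org.apache.hadoop.hbase.master.HMaster.getTableDescriptors(HMaster.java:2589)\n"
)
SAMPLE_LOG = EVENT.format(ts="2016-08-23 05:02:53,966") + EVENT.format(ts="2016-08-23 05:03:53,966")

DENIED = re.compile(
    r"Insufficient permissions \(user=(?P<user>[^,]*), scope=(?P<scope>[^,]*), "
    r"family=(?P<family>[^,]*), action=(?P<action>[^)]*)\)")
# First pre*/post* frame of AccessController names the operation that was checked.
HOOK = re.compile(r"at org\.apache\.hadoop\.hbase\.security\.access\.AccessController\.((?:pre|post)\w+)\(")

def summarize(log_text):
    """Count denials keyed by (user, scope, family, action, coprocessor hook)."""
    counts = Counter()
    pending = None  # denial seen, hook frame not yet found
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if denied:
            if pending:  # previous trace was truncated before its hook frame
                counts[pending + ("unknown",)] += 1
            pending = (denied["user"], denied["scope"],
                       denied["family"] or "-", denied["action"])
            continue
        hook = HOOK.search(line)
        if hook and pending:
            counts[pending + (hook.group(1),)] += 1
            pending = None
    if pending:
        counts[pending + ("unknown",)] += 1
    return counts

if __name__ == "__main__":
    for (user, scope, family, action, hook), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  user={user} scope={scope} family={family} action={action} hook={hook}")
```
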