We use HBase as our storage choice in a Hortonworks environment. We have one node running, and if everything works we plan to scale up to multiple nodes. Currently we use the Knox SSO login service.
To access the data in HBase we use the WebHBase API. Logging in through Knox SSO works fine. The user we use for this ("testuser") has full access to HBase configured in Ranger.
However, the problem appears when we pass through Knox and reach HBase. Now we get an exception for user "root". Why does it ask about user "root" when we want to fetch the data as "testuser"? Obviously we could create a user "root" and give it full clearance, but that is highly undesirable. We think there must be some bug in the user authorization in Ranger/Knox related to the service.
This is the stack trace we get when accessing the WebHBase API through the Knox gateway:
Forbidden org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'root',action: scannerOpen, tableName:testtable, family:r.
    at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.authorizeAccess(RangerAuthorizationCoprocessor.java:511)
    at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preScannerOpen(RangerAuthorizationCoprocessor.java:901)
    at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preScannerOpen(RangerAuthorizationCoprocessor.java:856)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$50.call(RegionCoprocessorHost.java:1267)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1638)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1712)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperationWithResult(RegionCoprocessorHost.java:1687)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preScannerOpen(RegionCoprocessorHost.java:1262)
    at org.apache.hadoop.hbase.regionserver.RSRpcServices.scan(RSRpcServices.java:2279)
    at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:32295)
    at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2127)
    at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:107)
    at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:133)
    at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:108)
    at java.lang.Thread.run(Thread.java:745)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:106)
    at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:95)
    at org.apache.hadoop.hbase.protobuf.ProtobufUtil.getRemoteException(ProtobufUtil.java:333)
    at org.apache.hadoop.hbase.client.ScannerCallable.openScanner(ScannerCallable.java:387)
    at org.apache.hadoop.hbase.client.ScannerCallable.call(ScannerCallable.java:201)
    at org.apache.hadoop.hbase.client.ScannerCallable.call(ScannerCallable.java:63)
    at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithoutRetries(RpcRetryingCaller.java:200)
    at org.apache.hadoop.hbase.client.ScannerCallableWithReplicas$RetryingRPC.call(ScannerCallableWithReplicas.java:364)
    at org.apache.hadoop.hbase.client.ScannerCallableWithReplicas$RetryingRPC.call(ScannerCallableWithReplicas.java:338)
    at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:126)
    at org.apache.hadoop.hbase.client.ResultBoundedCompletionService$QueueingFuture.run(ResultBoundedCompletionService.java:65)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.hadoop.hbase.ipc.RemoteWithExtrasException(org.apache.hadoop.hbase.security.AccessDeniedException): org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'root',action: scannerOpen, tableName:rowphyste, family:r.
    at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.authorizeAccess(RangerAuthorizationCoprocessor.java:511)
    at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preScannerOpen(RangerAuthorizationCoprocessor.java:901)
    at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.preScannerOpen(RangerAuthorizationCoprocessor.java:856)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$50.call(RegionCoprocessorHost.java:1267)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1638)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1712)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperationWithResult(RegionCoprocessorHost.java:1687)
    at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preScannerOpen(RegionCoprocessorHost.java:1262)
    at org.apache.hadoop.hbase.regionserver.RSRpcServices.scan(RSRpcServices.java:2279)
    at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$2.callBlockingMethod(ClientProtos.java:32295)
    at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2127)
    at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:107)
    at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:133)
    at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1225)
    at org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:213)
    at org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:287)
    at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingStub.scan(ClientProtos.java:32741)
    at org.apache.hadoop.hbase.client.ScannerCallable.openScanner(ScannerCallable.java:379)
    ... 10 more
We currently do not do any user mapping (i.e. principal mapping) in the Knox topology. My gateway-audit.log looks like this:
17/05/05 11:58:33 ||aac40856-3c3f-46a5-8b90-970d54bc0a21|audit|WEBHBASE||||access|uri|/gateway/default/hbase/testdatabase/|unavailable|Request method: GET
17/05/05 11:58:33 ||aac40856-3c3f-46a5-8b90-970d54bc0a21|audit|WEBHBASE||||access|uri|/gateway/default/hbase/testdatabase/|success|Response status: 302
17/05/05 11:58:33 ||5737b75b-9082-44e5-9afd-9675e9c36c43|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=mydomain/gateway/default/hbase/testdatabase/%2A|unavailable|Request method: GET
17/05/05 11:58:33 ||5737b75b-9082-44e5-9afd-9675e9c36c43|audit|KNOXSSO|testuser|||authentication|uri|/gateway/knoxsso/api/v1/websso?originalUrl=mydomain/gateway/default/hbase/testdatabase/%2A|success|
17/05/05 11:58:33 ||5737b75b-9082-44e5-9afd-9675e9c36c43|audit|KNOXSSO|testuser|||authentication|uri|/gateway/knoxsso/api/v1/websso?originalUrl=mydomain/gateway/default/hbase/testdatabase/%2A|success|Groups: []
17/05/05 11:58:33 ||5737b75b-9082-44e5-9afd-9675e9c36c43|audit|KNOXSSO|testuser|||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=mydomain/gateway/default/hbase/testdatabase/%2A|success|Response status: 303
17/05/05 11:58:33 ||53594522-40b6-4040-ad2e-07e71a8ae112|audit|WEBHBASE||||access|uri|/gateway/default/hbase/testdatabase/|unavailable|Request method: GET
17/05/05 11:58:33 ||53594522-40b6-4040-ad2e-07e71a8ae112|audit|WEBHBASE||||dispatch|uri|mydomain:60080/testdatabase/?user.name=testuser|unavailable|Request method: GET
17/05/05 11:58:33 ||53594522-40b6-4040-ad2e-07e71a8ae112|audit|WEBHBASE||||dispatch|uri|mydomain:60080/testdatabase/?user.name=testuser|success|Response status: 403
17/05/05 11:58:33 ||53594522-40b6-4040-ad2e-07e71a8ae112|audit|WEBHBASE||||access|uri|/gateway/default/hbase/testdatabase/|success|Response status: 403
Thanks for the additional information. Looking at the audit log, it looks to me like Knox sees 'testuser':
17/05/05 11:58:33 ||5737b75b-9082-44e5-9afd-9675e9c36c43|audit|KNOXSSO|testuser|||authentication|uri|/gateway/knoxsso/api/v1/websso?originalUrl=mydomain/gateway/default/hbase/testdatabase/%2A|success|Groups: []
17/05/05 11:58:33 ||53594522-40b6-4040-ad2e-07e71a8ae112|audit|WEBHBASE||||dispatch|uri|mydomain:60080/testdatabase/?user.name=testuser|success|Response status: 403
You may want to check the hbase-site.xml file for the relevant settings. Here is a link to Knox documentation that discusses the settings.
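The audit-log check the answer above performs by eye, as an added example that is not part of the original thread: a small Python parser for the Knox gateway-audit.log layout shown in the question, correlating events by request id and reporting the identity at each hop (who authenticated at KnoxSSO, which user.name the gateway asserted on dispatch, and the status codes returned). The sample lines are constructed in that layout from the values in the question, and the field order is assumed from those lines.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in the Knox gateway-audit.log layout shown in the question:
# "<date> <time> ||<request-id>|audit|<service>|<user>|<proxy>|<system>|<action>|<type>|<resource>|<outcome>|<message>"
SAMPLE_LOG = """\
17/05/05 11:58:33 ||5737b75b-9082-44e5-9afd-9675e9c36c43|audit|KNOXSSO|testuser|||authentication|uri|/gateway/knoxsso/api/v1/websso?originalUrl=mydomain/gateway/default/hbase/testdatabase/%2A|success|Groups: []
17/05/05 11:58:33 ||5737b75b-9082-44e5-9afd-9675e9c36c43|audit|KNOXSSO|testuser|||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=mydomain/gateway/default/hbase/testdatabase/%2A|success|Response status: 303
17/05/05 11:58:33 ||53594522-40b6-4040-ad2e-07e71a8ae112|audit|WEBHBASE||||access|uri|/gateway/default/hbase/testdatabase/|unavailable|Request method: GET
17/05/05 11:58:33 ||53594522-40b6-4040-ad2e-07e71a8ae112|audit|WEBHBASE||||dispatch|uri|mydomain:60080/testdatabase/?user.name=testuser|success|Response status: 403
17/05/05 11:58:33 ||53594522-40b6-4040-ad2e-07e71a8ae112|audit|WEBHBASE||||access|uri|/gateway/default/hbase/testdatabase/|success|Response status: 403
"""
FIELDS = ("request_id", "kind", "service", "user", "proxy_user", "system_user",
          "action", "resource_type", "resource", "outcome", "message")
STATUS_RE = re.compile(r"Response status: (\d{3})")
def parse_line(line):
    """Split one audit line into a dict keyed by FIELDS; None if the line does not fit."""
    head, sep, rest = line.partition(" ||")
    parts = rest.split("|", len(FIELDS) - 1)  # message is last and may itself contain '|'
    if not sep or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts), timestamp=head)
def trace_requests(log_text):
    """Correlate events by Knox request id: who authenticated at KnoxSSO, which user.name
    the gateway asserted to the backend on dispatch, and the status codes at each hop."""
    traces = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        t = traces.setdefault(ev["request_id"], {
            "service": ev["service"], "authenticated_user": None,
            "dispatched_user": None, "backend_status": None, "client_status": None})
        status = STATUS_RE.search(ev["message"])
        if ev["action"] == "authentication" and ev["user"]:
            t["authenticated_user"] = ev["user"]
        elif ev["action"] == "dispatch":
            # Knox passes the authenticated identity downstream as ?user.name=<user>
            query = ev["resource"].partition("?")[2]
            t["dispatched_user"] = parse_qs(query).get("user.name", [None])[0]
            if status:
                t["backend_status"] = int(status.group(1))
        elif ev["action"] == "access" and status:
            t["client_status"] = int(status.group(1))
    return traces
def identity_gaps(traces):
    """Request ids where Knox asserted a user but the backend still answered 403."""
    return [rid for rid, t in traces.items()
            if t["dispatched_user"] and t["backend_status"] == 403]
```

Request 53594522-40b6-4040-ad2e-07e71a8ae112 is flagged because Knox dispatched user.name=testuser and WebHBase still answered 403, which matches the question's symptom: the identity Knox asserted is not the one the backend ended up evaluating.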