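Background
After Kerberos authentication was enabled on the CDH cluster, the HMaster refused to start when HBase was started. I suspected an authentication problem. Checking the permissions on the hbase znodes with getAcl showed that the hbase user had no permissions to operate on them, so the hbase user needed to be granted permissions. The main errors were of the form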
KeeperErrorCode = NoAuth for /hbase/flush-table-proc/acquired
and similar errors.
Procedure
- Add a super user to ZooKeeper
- https://www.jianshu.com/p/373d52375a65
- Use the super user to grant permissions on the hbase znodes.
- https://docs.cloudera.com/runtime/7.2.1/zookeeper-security/topics/zookeeper-acls-hbase.html
- Restart HBase
Permissions to grant
Open for global read, write protected: world:anyone:r, sasl:hbase:cdrwa
setAcl -R /hbase/master world:anyone:r,sasl:hbase:cdrwa
setAcl -R /hbase/meta-region-server world:anyone:r,sasl:hbase:cdrwa
setAcl -R /hbase/hbaseid world:anyone:r,sasl:hbase:cdrwa
setAcl -R /hbase/table world:anyone:r,sasl:hbase:cdrwa
setAcl -R /hbase/rs world:anyone:r,sasl:hbase:cdrwa
No global read, r/w protected: sasl:hbase:cdrwa:
setAcl -R /hbase/acl sasl:hbase:cdrwa
setAcl -R /hbase/namespace sasl:hbase:cdrwa
setAcl -R /hbase/backup-masters sasl:hbase:cdrwa
setAcl -R /hbase/online-snapshot sasl:hbase:cdrwa
setAcl -R /hbase/draining sasl:hbase:cdrwa
setAcl -R /hbase/replication sasl:hbase:cdrwa
setAcl -R /hbase/region-in-transition sasl:hbase:cdrwa
setAcl -R /hbase/splitWAL sasl:hbase:cdrwa
setAcl -R /hbase/table-lock sasl:hbase:cdrwa
setAcl -R /hbase/recovering-regions sasl:hbase:cdrwa
setAcl -R /hbase/running sasl:hbase:cdrwa
setAcl -R /hbase/tokenauth sasl:hbase:cdrwa
setAcl -R /hbase/balancer sasl:hbase:cdrwa
setAcl -R /hbase/flush-table-proc sasl:hbase:cdrwa
setAcl -R /hbase/master-maintenance sasl:hbase:cdrwa
setAcl -R /hbase/rolllog-proc sasl:hbase:cdrwa
setAcl -R /hbase/rsgroup sasl:hbase:cdrwa
setAcl -R /hbase/switch sasl:hbase:cdrwa
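- Note that the ZooKeeper client shipped with CDH 6 has no -R option; you need to download a newer ZooKeeper version.
- If there are still problems after the settings above, then the only option is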
setAcl -R /hbase sasl:hbase:cdrwa
- After restarting the cluster, all the permissions were found to be normal.
References
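To confirm the result after the restart, the check below is an added example (not part of the original post, and not Cloudera or HBase code) that parses getAcl output and compares it with the two ACL groups listed above. It assumes zkCli prints each entry as `'scheme,'id` followed by `: perms` and that the SASL id is the short name `hbase`; the function names and the sample outputs are constructed for illustration.

```python
import re

# Policy from the two lists above: these znodes are world-readable; every
# other znode under /hbase is restricted to the hbase SASL identity.
WORLD_READABLE = {"/hbase/master", "/hbase/meta-region-server",
                  "/hbase/hbaseid", "/hbase/table", "/hbase/rs"}

def parse_getacl(output):
    """Parse zkCli getAcl output into {(scheme, id): perms}."""
    acl, entry = {}, None
    for line in output.splitlines():
        line = line.strip()
        m = re.fullmatch(r"'([^,]+),'(.*)", line)
        if m:
            entry = (m.group(1), m.group(2))
        elif line.startswith(":") and entry:
            # Normalise permission letters to the cdrwa order used on the page.
            acl[entry] = "".join(sorted(line[1:].strip(), key="cdrwa".index))
            entry = None
    return acl

def expected_acl(path):
    """Children follow the policy of their top-level znode (setAcl -R)."""
    top = "/".join(path.split("/")[:3])
    acl = {("sasl", "hbase"): "cdrwa"}
    if top in WORLD_READABLE:
        acl[("world", "anyone")] = "r"
    return acl

def audit(path, output):
    """Return findings; an empty list means the znode matches the policy."""
    actual, want = parse_getacl(output), expected_acl(path)
    findings = [f"{path}: {s}:{i} is {actual.get((s, i), 'missing')}, expected {p}"
                for (s, i), p in want.items() if actual.get((s, i)) != p]
    findings += [f"{path}: unexpected {s}:{i}:{p}"
                 for (s, i), p in actual.items() if (s, i) not in want]
    return findings

# Constructed sample getAcl outputs (not captured from a real cluster).
SAMPLES = {
    "/hbase/master": "'world,'anyone\n: r\n'sasl,'hbase\n: cdrwa\n",
    "/hbase/flush-table-proc/acquired": "'sasl,'otheruser\n: cdrwa\n",
}

if __name__ == "__main__":
    for p, out in SAMPLES.items():
        print("\n".join(audit(p, out)) or f"{p}: OK")
```

A znode that still reports a missing sasl:hbase entry after the procedure is a candidate for the NoAuth error shown in the background section.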
- https://www.pianshen.com/article/7625305608/