Uploaded image for project: 'CDAP'
  1. CDAP
  2. CDAP-8829

Internal error 500 when creating a namespace does not have sufficient permissions

    Details

    • Rank:
      1|hzzwsn:

      Description

      It should return 403 Forbidden. In this case, the user that is impersonated does not have privileges to grant group access to the HBase namespace that it just created:

      create namespace sports principal alice/imptestranger18406-1000.dev.continuuity.net@CONTINUUITY.NET group-name deployers keytab-URI /etc/security/keytabs/alice.keytab
      Error: 500: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.security.AccessControlException: Permission denied.
      	at org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor.grant(RangerAuthorizationCoprocessor.java:1163)
      ...
      

      Also, the response does not contain the actual problem, which is only in the CDAP master log:

      2017-02-26 00:59:55,959 - ERROR [dataset.executor-executor-82:c.c.c.d.u.h.DefaultHBase11DDLExecutor@75] - Error creating dataset 'dataset:sports.results': Error while granting [READ, WRITE] for table cdap_sports:results.partitions.d to user bob
      java.io.IOException: Error while granting [READ, WRITE] for table cdap_sports:results.partitions.d to user bob
      	at co.cask.cdap.data2.util.hbase.DefaultHBase11DDLExecutor.doGrantPermissions(DefaultHBase11DDLExecutor.java:75)
      

        Attachments

          Activity

            People

            • Assignee:
              rsinha Rohit Sinha
              Reporter:
              andreas Andreas Neumann
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: