I have an HBase cluster where each regionserver and the master are run by user hbaseuser.

When a client, john, connects and creates a table, the table directory and all files in HDFS are owned by hbaseuser (reasonably, because hbaseuser is actually running everything).

However, if john wants to delete an entire region from a table with managed regions, he will run HRegion.deleteRegion() which attempts to delete entire files from HDFS as user john which fails due to insufficient permissions. HRegion.deleteRegion() attempts to run the command directly on HDFS instead of through HBase.

Is there an HBase configuration (via configuration file or programmatically) which will allow tables created by a user to have those files in HDFS owned by that user?

E.g. currently anything created by john right now is:

>hadoop fs -lsr /hbase/testregion
drwxr-xr-x  - hbaseuser supergroup ... /hbase/testregion/<id>
-rw-r--r--  - hbaseuser supergroup ... /hbase/testregion/<id>/.regioninfo

but I would want to see:

>hadoop fs -lsr /hbase/testregion
drwxr-xr-x  - john supergroup ... /hbase/testregion/<id>
-rw-r--r--  - john supergroup ... /hbase/testregion/<id>/.regioninfo

Does anyone know if such a configuration exists which would allow a user to delete files created for that user by HBase?

I am using hbase-0.90.6-cdh3u5.

1 Answer

There isn't a good way to do what you want with HBase.

While there is some ACL support (see the Access Control section of the HBase guide), it is unfortunately only available in versions above 0.92; for Cloudera that would be CDH4 and higher. The access control is also based on coprocessors, which wouldn't be able to handle HDFS-level access control.

I suppose you could try and change the directory permissions in HDFS after a table gets created, but as regions get opened they will be owned by the user running the HBase process with default permissions.
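The permission failure discussed above, as an added example that is not part of the original question or answer: a simplified Python model of the HDFS check for a recursive delete (write on the parent directory, full access on each directory being removed), evaluated against listings shaped like the ones in the question. The table-directory line and the helper names are assumptions, and superuser bypass and path traversal checks are not modelled.

```python
import re

# Constructed listing modelled on the question's output. The first line (the
# table directory itself) is an assumption; the page shows only its children.
LISTING = """\
drwxr-xr-x  - hbaseuser supergroup ... /hbase/testregion
drwxr-xr-x  - {owner} supergroup ... /hbase/testregion/<id>
-rw-r--r--  - {owner} supergroup ... /hbase/testregion/<id>/.regioninfo
"""
LINE = re.compile(r"^([d-])([rwx-]{9})\s+\S+\s+(\S+)\s+(\S+)\s+.*?(/\S+)$")

def parse(listing):
    """Map path -> (is_dir, mode, owner, group) from `hadoop fs -lsr` style lines."""
    entries = {}
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            kind, mode, owner, group, path = m.groups()
            entries[path] = (kind == "d", mode, owner, group)
    return entries

def bits(entry, user, groups):
    """Pick the owner, group or other permission triplet that applies to user."""
    _, mode, owner, group = entry
    if user == owner:
        return mode[0:3]
    return mode[3:6] if group in groups else mode[6:9]

def can_delete(entries, path, user, groups=()):
    """Recursive delete: write on the parent, rwx on every directory removed."""
    parent = path.rsplit("/", 1)[0]
    if "w" not in bits(entries[parent], user, groups):
        return False, "no write permission on parent " + parent
    for p, entry in entries.items():
        in_subtree = p == path or p.startswith(path + "/")
        if entry[0] and in_subtree and bits(entry, user, groups) != "rwx":
            return False, "need rwx on " + p
    return True, "ok"

REGION = "/hbase/testregion/<id>"
current = parse(LISTING.format(owner="hbaseuser"))  # what the question sees now
wanted = parse(LISTING.format(owner="john"))        # what the question asks for

if __name__ == "__main__":
    for label, entries in (("current", current), ("wanted", wanted)):
        for user in ("john", "hbaseuser"):
            print(label, user, can_delete(entries, REGION, user))
```

In this model john is refused in both listings, because removing the region directory needs write permission on the table directory above it, which the assumed first line leaves owned by hbaseuser.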