ATLAS-344 Document HBase permissions for secure cluster (tbeerbower via shwethags)

238ca11c · Shwetha GS · c9176273 · 238ca11c · 238ca11c · 238ca11c
Commit 238ca11c authored Dec 01, 2015 by Shwetha GS
Showing with 17 additions and 1 deletion

Configuration.twiki docs/src/site/twiki/Configuration.twiki +13 -0

index.twiki docs/src/site/twiki/index.twiki +1 -1

security.twiki docs/src/site/twiki/security.twiki +2 -0

release-log.txt release-log.txt +1 -0

No files found.
--- a/docs/src/site/twiki/Configuration.twiki
+++ b/docs/src/site/twiki/Configuration.twiki
@@ -45,6 +45,19 @@ Advanced configuration
 # If you are planning to use any of the configs mentioned below, they need to be prefixed with "atlas.graph." to take effect in ATLAS
 Refer http://s3.thinkaurelius.com/docs/titan/0.5.4/titan-config-ref.html#_storage_hbase

+Permissions
+
+When Atlas is configured with HBase as the storage backend the graph db (titan) needs sufficient user permissions to be able to create and access an HBase table.  In a secure cluster it may be necessary to grant permissions to the 'atlas' user for the 'titan' table.
+
+With Ranger, a policy can be configured for 'titan'.
+
+Without Ranger, HBase shell can be used to set the permissions.
+
+<verbatim>
+   su hbase
+   kinit -k -t <hbase keytab> <hbase principal>
+   echo "grant 'atlas', 'RWXCA', 'titan'" | hbase shell
+</verbatim>

 ---++++ Graph Search Index
 This section sets up the graph db - titan - to use an search indexing system. The example

--- a/docs/src/site/twiki/index.twiki
+++ b/docs/src/site/twiki/index.twiki
@@ -41,7 +41,7 @@ allows integration with the whole enterprise data ecosystem.
   * [[TypeSystem][Type System]]
   * [[Repository][Metadata Repository]]
   * [[Search][Search]]
-   * [[security][security]]
+   * [[security][Security]]
   * [[Configuration][Configuration]]
   * Notification
      * [[Notification-Entity][Entity Notification]]

--- a/docs/src/site/twiki/security.twiki
+++ b/docs/src/site/twiki/security.twiki
@@ -42,6 +42,8 @@ The properties for configuring service authentication are:
   * <code>atlas.authentication.keytab</code> - the path to the keytab file.
   * <code>atlas.authentication.principal</code> - the principal to use for authenticating to the KDC.  The principal is generally of the form "user/host@realm".  You may use the '_HOST' token for the hostname and the local hostname will be substituted in by the runtime (e.g. "Atlas/_HOST@EXAMPLE.COM").

+Note that when Atlas is configured with HBase as the storage backend in a secure cluster, the graph db (titan) needs sufficient user permissions to be able to create and access an HBase table.  To grant the appropriate permissions see [[Configuration][Graph persistence engine - Hbase]].
+
 ---+++ SPNEGO-based HTTP Authentication

 HTTP access to the Atlas platform can be secured by enabling the platform's SPNEGO support.  There are currently two supported authentication mechanisms:

--- a/release-log.txt
+++ b/release-log.txt
@@ -9,6 +9,7 @@ ATLAS-54 Rename configs in hive hook (shwethags)
 ATLAS-3 Mixed Index creation fails with Date types (sumasai via shwethags)

 ALL CHANGES:
+ATLAS-344 Document HBase permissions for secure cluster (tbeerbower via shwethags)
 ATLAS-335 Kerberized cluster: Atlas fails to come up with hbase as backend (sumasai via shwethags)
 ATLAS-333 atlas_stop.py – script must delete “atlas.pid” file (ndjouhr via sumasai)
 ATLAS-220 Gets on Enum attribute should return EnumValue(yhemanth via sumasai)