ApsaraDB for HBase Performance-enhanced Edition provides simplified user authentication and Access Control List (ACL) management. You only need to configure the username and password for user authentication. The passwords are encrypted and stored in the server and are transmitted only for authentication. Even if the ciphertext is intercepted, the encrypted data cannot be decrypted or reused.

You can log on to the Cluster Management System to manage users. On the Users page, all the users of the current cluster are listed. After you purchase a cluster, the system creates an account that has all permissions on the cluster and you can manage the cluster by using this account. Both the username and password of this account are root. You can change the password of this account or delete it in the Cluster Management System.

Create a user

1. On the Users page, choose More > Create User.

2. In the dialog box that appears, enter the username and password, and click OK.

Notes:1. Passwords are stored in ciphertext on the ApsaraDB for HBase Performance-enhanced Edition server. After you create a new user, the password is not displayed. You are responsible for remembering your password. If you lose your password, you must change your password.2. A new user does not have any permissions. You must grant the required permissions to the user on the Permissions page. For more information, see Manage ACLs.

Change the password

1. Click Change Password on the Users page in the Cluster Management System.

2. In the dialog box that appears, enter the new password and click OK.

Delete users from a user group

1. Click Delete in the Actions column on the Users page in the Cluster Management System to delete the user.

Manage ACL permissions

Permission types

The server of ApsaraDB for HBase Performance-enhanced Edition can determine what a user can do based on the permissions of the user. For example, if User1 only has the read permission on the Table1, an error message is returned if User1 tries to write Table1 or read Table2. The following permission types are supported in ApsaraDB for HBase Performance-enhanced Edition:

WRITE permissions

The users with WRITE permissions can run statements such as PUT, BATCH, DELETE, INCREMENT, APPEND, and CHECKANDMUTATE to write tables.

READ permissions

The users with READ permissions can run statements such as GET, SCAN, and EXIST to read tables, or run the statements such as getTableDescriptor, listTables, and listNamespaceDescriptors to retrieve descriptors and namespaces of tables.

ADMIN permissions

The ADMIN permissions allow users to manage tables or data by using the Data Definition Language (DDL) statements such as createTable, enableTable, and disableTable. However, these permissions do not include the delete permissions on tables or data. The ADMIN permissions also allow users to manage namespaces by using the DDL statements such as createNamespace.

TRASH permissions

To avoid accidental operations in which tables may be deleted or cleared, only the users with the TRASH permissions can use the DDL statements such as truncateTable and deleteTable.

SYSTEM permissions

Only the users with SYSTEM permissions can run the COMPACT and FLUSH statements. In addition, if you want to use Big Datahub Service (BDS) to migrate and synchronize data, you must use the account with SYSTEM permissions.

Classified permissions

You can manage permissions at three levels: Global, Namespace, and Table. Only one of these permissions can take effect at a time. For example, if you grant the read and write permissions at Global level to User1, you can use User1 to read and write all tables of all namespaces. If you grant the read and write permissions of Namespace1 to User2, you can use User2 to read and write all tables of Namespace1. Note: Only the users with the ADMIN permissions at Global level can create and delete namespaces.

Permissions

Grant permissions to a user

You can grant permissions to a user on the Permissions page in the Cluster Management System. To grant the READ permission of a table to a user, follow these steps: 1. On the Permissions page, choose More > Grant Permission.

2. In the dialog box that appears, select a user, a namespace, a table, select the READ permission, and then click OK.

Revoke permissions

You can revoke permissions of a user in the Cluster Management System. Each user may have permissions at multiple levels. You can revoke permissions for a user. Follow these steps:

1. Go to the Permissions page which displays a list of permissions. Find the user for whom you want revoke permissions and click Revoke in the Actions column.

2. In the dialog box that appears, all the permissions on the current object (Global, Table, or Namespace) are listed. Select permissions to be revoked and click OK.

Enable or disable ACL

You can disable the user authentication and ACL management features. After you disable the ACL feature, the username and password are not required for subsequent access (such as access by using APIs, SQL, and non-Java methods). There are no limits on users to manage clusters. After you enable or disable ACL management, the settings take effect immediately. You do not need to restart the cluster. After you enable ACL management, you must provide a username and password to connect to the service. Otherwise, the client cannot be authenticated and an error message is returned. If a username and password are provided, the client can be authenticated and connected to the service. However, if the user tries to perform management operations outside of their permissions, they are disconnected from the service.