On the ACL Control page, you can manage user permissions. You can grant permissions to a user or revoke one or more permissions from a user.
Permission types and levels
| Permission | Description |
| --- | --- |
| WRITE permissions | Users with WRITE permissions can perform write operations on Lindorm tables, such as Put, Batch, Delete, Increment, Append, and CheckAndMutate. |
| READ permissions | Users with READ permissions can perform read operations on Lindorm tables, such as Get, Scan, and exist. These users can also perform operations such as getTableDescriptor, listTables, and listNamespaceDescriptors to retrieve descriptors and namespaces of Lindorm tables. |
| ADMIN permissions | ADMIN permissions allow users to manage tables or table data by executing data definition language (DDL) statements such as createTable, enableTable, and disableTable. However, ADMIN permissions do not include the delete permissions on tables or table data. ADMIN permissions also allow users to manage namespaces by executing relevant DDL statements, such as createNamespace. |
| TRASH permissions | Only users with TRASH permissions can perform the truncateTable and deleteTable DDL operations. This restriction prevents tables from being deleted and table data from being cleared by accidental operations. |
| SYSTEM permissions | Only users with SYSTEM permissions can perform operations and maintenance (O&M) tasks, such as Compact and flush operations. In addition, if you want to use Lindorm Tunnel Service (LTS) to perform data migration or synchronization for ApsaraDB for HBase Performance-enhanced Edition, you must have SYSTEM permissions. |
You can grant permissions to a specified user at one of three permission levels: global, namespace, and table. The following example shows how to grant the read and write permissions on a table to a specified user.
- Log on to the Lindorm Insight system. For more information, see Log on to Lindorm Insight.
- In the left-side navigation pane, choose .
- In the Table permission section on the ACL Control page, choose .
- In the grant table privilege dialog box, select an option from the user name drop-down list and select a namespace from the grant namespace drop-down list. Then, select a table from the grant table drop-down list and select an option for the grant privileges field. Click OK.
You can revoke permissions from a user on the ACL Control page in the Lindorm Insight system. Each user may have permissions at multiple levels. To revoke permissions from a user, find the user in the permission list that corresponds to the required permission level. Then, click the revoke button and select the permissions that you want to revoke. The following example shows how to revoke the read and write permissions on a table from a specified user.
- In the Table permission section on the ACL Control page, find the user whose permissions you want to revoke and click revoke.
- In the revoke privilege dialog box, select the permissions that you want to revoke and click OK.
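The following added example (not part of the Lindorm documentation or product code) models the permission table and the three grant levels to show why a revocation review has to look at every level a user appears in. It assumes that a grant at a broader level also covers the namespaces and tables beneath it, which this page does not state; the user, namespace, and table names are constructed.

```python
# Added example: models the permission table and the three grant levels.
# Assumption (not stated on the page): a grant at a broader level also
# covers every namespace and table beneath it.
OPS = {
    "WRITE": ["Put", "Batch", "Delete", "Increment", "Append", "CheckAndMutate"],
    "READ": ["Get", "Scan", "exist", "getTableDescriptor", "listTables",
             "listNamespaceDescriptors"],
    "ADMIN": ["createTable", "enableTable", "disableTable", "createNamespace"],
    "TRASH": ["truncateTable", "deleteTable"],
    "SYSTEM": ["Compact", "flush"],
}
REQUIRED = {op: perm for perm, ops in OPS.items() for op in ops}


def scope(ns=None, table=None):
    """Grant scope key: () is global, (ns,) a namespace, (ns, table) a table."""
    if table is not None and ns is None:
        raise ValueError("a table-level scope needs a namespace")
    return () if ns is None else (ns,) if table is None else (ns, table)


class Acl:
    def __init__(self):
        self.grants = {}  # (user, scope) -> set of permission names

    def grant(self, user, perms, ns=None, table=None):
        self.grants.setdefault((user, scope(ns, table)), set()).update(perms)

    def revoke(self, user, perms, ns=None, table=None):
        # Only the list for the chosen level changes; other levels are untouched.
        self.grants.get((user, scope(ns, table)), set()).difference_update(perms)

    def sources(self, user, op, ns, table):
        """Levels whose grants let `user` run `op` on table `ns:table`."""
        levels = {"global": (), "namespace": (ns,), "table": (ns, table)}
        return [name for name, key in levels.items()
                if REQUIRED[op] in self.grants.get((user, key), set())]

    def allowed(self, user, op, ns, table):
        return bool(self.sources(user, op, ns, table))


def demo():
    """Constructed users, namespace and table names, for illustration only."""
    acl = Acl()
    acl.grant("app_user", {"READ"}, ns="default")
    acl.grant("app_user", {"READ", "WRITE"}, ns="default", table="orders")
    acl.revoke("app_user", {"READ", "WRITE"}, ns="default", table="orders")
    acl.grant("dba", {"ADMIN"})  # global ADMIN, no TRASH
    return acl
```

In this model, `app_user` can still read `orders` through the namespace-level grant after the table-level revoke, and `dba` can run createTable but not deleteTable because ADMIN does not include TRASH.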
Enable or disable the ACL feature
If you do not need to control access by using usernames and the ACL feature, you can disable the ACL feature. After you disable the ACL feature, no usernames or passwords are required for subsequent access requests, including access by using APIs, SQL, and non-Java methods. In this case, no limits are imposed on the operations that you perform.
You can enable and disable the ACL feature without the need to restart your cluster. However, if you enable the ACL feature after you disable it, you must provide a username and a password to reconnect to the service. Otherwise, the client cannot be authenticated and an error message is returned. If the username and the password are provided, the client is authenticated as expected when the reconnection is established. However, if you attempt to perform unauthorized operations, the access is denied.