On the ACL Control page, you can manage user permissions. You can grant permissions to a user or revoke one or more permissions from a user.

Permission types and levels

In Lindorm clusters, servers determine whether a user can perform an operation based on the permissions granted to that user. Assume that user1 has only the read permission on Table1. If user1 attempts to perform write operations on Table1, or read or write operations on Table2, the access is denied and an error message is returned. The following table describes the Lindorm permission types.

Permission type: Description
WRITE permissions: Users with WRITE permissions can perform write operations on Lindorm tables, such as Put, Batch, Delete, Increment, Append, and CheckAndMutate.
READ permissions: Users with READ permissions can perform read operations on Lindorm tables, such as Get, Scan, and exist. These users can also call getTableDescriptor, listTables, and listNamespaceDescriptors to retrieve the descriptors and namespaces of Lindorm tables.
ADMIN permissions: ADMIN permissions allow users to manage tables and table data by executing data definition language (DDL) statements such as createTable, enableTable, and disableTable. ADMIN permissions do not include the permission to delete tables or clear table data. ADMIN permissions also allow users to manage namespaces by executing the relevant DDL statements, such as createNamespace.
TRASH permissions: Only users with TRASH permissions can perform the truncateTable and deleteTable DDL operations. Keeping these operations in a separate permission type prevents tables from being deleted, or table data from being cleared, by accident.
SYSTEM permissions: Only users with SYSTEM permissions can perform operations and maintenance (O&M) tasks, such as Compact and flush operations. In addition, if you want to use Lindorm Tunnel Service (LTS) to perform data migration or synchronization for ApsaraDB for HBase Performance-enhanced Edition, you must have SYSTEM permissions.
SYSTEM permissions Only the users with SYSTEM permissions can perform operations and maintenance (O&M) tasks, such as Compact and flush operations. In addition, if you want to use Lindorm Tunnel Service (LTS) to perform data migration or synchronization for ApsaraDB for HBase Performance-enhanced Edition, you must have the SYSTEM permissions.
Lindorm has three permission levels: global, namespace, and table. These levels are nested: a permission granted at a higher level also applies to everything below it. For example, if you grant read and write permissions at the global level to user1, user1 can perform read and write operations on all tables in all namespaces. If you grant read and write permissions on Namespace1 to user2, user2 can perform read and write operations on all tables in Namespace1, including tables that are created in Namespace1 later.
Note: Only users with ADMIN permissions at the global level can create and delete namespaces.
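The following model of the permission check described above is an added example and is not Lindorm code. It maps the operations named in the permission table to their permission types and resolves a request against global, namespace, and table grants, including the rule that namespace DDL requires global-level ADMIN and that deleteTable and truncateTable require TRASH rather than ADMIN. The class and scope names are assumptions of this example.

```python
from dataclasses import dataclass, field

# Operation -> permission type, taken from the permission table in this topic.
OPERATION_PERMISSION = {
    "Put": "WRITE", "Batch": "WRITE", "Delete": "WRITE", "Increment": "WRITE",
    "Append": "WRITE", "CheckAndMutate": "WRITE",
    "Get": "READ", "Scan": "READ", "exist": "READ", "getTableDescriptor": "READ",
    "listTables": "READ", "listNamespaceDescriptors": "READ",
    "createTable": "ADMIN", "enableTable": "ADMIN", "disableTable": "ADMIN",
    "createNamespace": "ADMIN",
    "truncateTable": "TRASH", "deleteTable": "TRASH",
    "Compact": "SYSTEM", "flush": "SYSTEM",
}
# Namespace DDL is accepted only when ADMIN is granted at the global level.
GLOBAL_ONLY_OPERATIONS = {"createNamespace"}


def scope_for(namespace=None, table=None):
    """Global when no namespace is given; namespace level when no table is given."""
    if namespace is None:
        return ("global",)
    return ("namespace", namespace) if table is None else ("table", namespace, table)


@dataclass
class LindormAclModel:  # constructed model, not a Lindorm API
    # user -> {scope: set of permission types}
    grants: dict = field(default_factory=dict)

    def grant(self, user, perms, namespace=None, table=None):
        self.grants.setdefault(user, {}).setdefault(scope_for(namespace, table), set()).update(perms)

    def revoke(self, user, perms, namespace=None, table=None):
        # Revoking acts only on the level it names; a wider grant stays in force.
        self.grants.get(user, {}).get(scope_for(namespace, table), set()).difference_update(perms)

    def is_allowed(self, user, operation, namespace=None, table=None):
        """A global grant covers every namespace; a namespace grant covers every table in
        it, including tables created later; a table grant covers that one table only."""
        needed = OPERATION_PERMISSION[operation]
        for scope, perms in self.grants.get(user, {}).items():
            if needed not in perms:
                continue
            if scope[0] == "global":
                return True
            if operation in GLOBAL_ONLY_OPERATIONS:
                continue  # namespace-level ADMIN is not enough for namespace DDL
            if scope[0] == "namespace" and scope[1] == namespace:
                return True
            if scope == ("table", namespace, table):
                return True
        return False
```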

Grant permissions

You can grant permissions to a specified user at any of the three permission levels: global, namespace, and table. The following example describes how to grant read and write permissions on a table to a specified user.

  1. Log on to the Lindorm Insight system. For more information, see Log on to Lindorm Insight.
  2. In the left-side navigation pane, choose Data Management > ACL Control.
  3. In the Table permission section of the ACL Control page, choose More > grant privilege.
  4. In the grant table privilege dialog box, select a user from the user name drop-down list and select a namespace from the grant namespace drop-down list. Then, select a table from the grant table drop-down list and select the permissions to grant in the grant privileges field. Click OK.

Revoke permissions

You can revoke permissions from a user on the ACL Control page in the Lindorm Insight system. A user may hold permissions at several levels, so first find the user in the permission list for the level whose permissions you want to revoke. Then, click revoke and select the permissions to remove. The following example describes how to revoke read and write permissions on a table from a specified user.

  1. In the Table permission section of the ACL Control page, find the user whose permissions you want to revoke and click revoke.
  2. In the revoke privilege dialog box, select the permissions that you want to revoke and click OK.

Enable or disable the ACL feature

If you do not need to control access by using usernames and the ACL feature, you can disable the ACL feature. After you disable the ACL feature, no username or password is required for subsequent access requests, including access through APIs, SQL, and non-Java clients. In this case, no permission checks are performed, and any client that can connect to the cluster can perform any operation.

You can enable and disable the ACL feature without restarting your cluster. However, after you re-enable the ACL feature, clients must provide a username and a password when they reconnect to the service. Otherwise, the client cannot be authenticated and an error message is returned. If a valid username and password are provided, the client is authenticated when the connection is re-established, but any operation that the user is not authorized to perform is still denied.
