E-MapReduce:Enable HBase ACL

Last Updated:Aug 15, 2023

This topic describes how to enable the HBase access control list (ACL) feature.

Background information

If HBase ACL is disabled, all accounts can access HBase clusters to perform all operations. For example, all accounts can disable tables, drop tables, or perform major compactions.

For clusters for which Kerberos authentication is disabled, users can use a forged identity to access cluster services even if HBase ACL is enabled. Therefore, we recommend that you create clusters with Kerberos authentication enabled to ensure high security. For more information, see Overview.

Basic concepts

ACL refers to the process of granting operation permissions on resources in a specific scope to an entity.

The following tables describe the basic concepts in HBase.

  • Resources in a specific scope

    Scope          Description
    Superuser      A superuser account can perform all operations. By default, the account that is used to run HBase is the superuser account. To add a superuser account, configure the hbase.superuser parameter in the hbase-site.xml file.
    Global         Admin permissions on all tables in a cluster.
    Namespace      Access control at the namespace level.
    Table          Access control at the table level.
    ColumnFamily   Access control at the column family level.
    Cell           Access control at the cell level.

  • Operation permissions

    Permission     Description
    Read (R)       Reads data from resources in a specific scope.
    Write (W)      Writes data to resources in a specific scope.
    Execute (X)    Executes coprocessors in a specific scope.
    Create (C)     Creates or deletes tables in a specific scope.
    Admin (A)      Performs cluster-related operations, such as balance or assignment, in a specific scope.

  • Entities

    Entity         Description
    User           Grants operation permissions to a user.
    Group          Grants operation permissions to a user group.

Procedure

  1. Go to the hbase-site.xml tab.

    1. Log on to the EMR console and go to the EMR on ECS page.

    2. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.

    3. On the EMR on ECS page, find the cluster for which you want to enable HBase ACL and click Services in the Actions column.

    4. On the Services tab, find the HBase service and click Configure.

    5. Click the hbase-site.xml tab.

  2. On the hbase-site.xml tab, add or modify the following configuration items.

    Key                                       Value
    hbase.security.authorization              true
    hbase.coprocessor.master.classes          org.apache.hadoop.hbase.security.access.AccessController
    hbase.coprocessor.region.classes          org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController
    hbase.coprocessor.regionserver.classes    org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider

  3. Restart the HBase service.

    1. In the upper-right corner, choose More > Restart.

    2. In the dialog box that appears, configure the Execution Reason parameter and click OK.

    3. In the Confirm message, click OK.

  4. Use HBase ACL to manage permissions.

    • grant

      grant <user> <permissions> [<@namespace> [<table> [<column family> [<column qualifier>]]]]

      • The methods that are used to grant operation permissions to users and user groups are similar. The only difference between the methods is that you must specify an at sign (@) as the prefix of the name of a user group.

        grant 'test','R','tbl1'     # Grant the Read permission on table tbl1 to user test.
        grant '@testgrp','R','tbl1' # Grant the Read permission on table tbl1 to user group testgrp.

      • You must specify an at sign (@) as the prefix of the name of a namespace.

        grant 'test','C','@ns_1'    # Grant the Create permission on namespace ns_1 to user test.

    • revoke

      revoke 'trafodion'            # Revoke all permissions from user trafodion.

    • user_permission

      user_permission 'TABLE_A'     # Query all permissions on table TABLE_A.
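The configuration items in step 2 are easy to get partly right: authorization can be switched on while one of the three coprocessor lists still lacks AccessController, in which case that component enforces nothing. The following script is an added example (it is not part of the EMR documentation or of HBase) that parses a Hadoop-style hbase-site.xml and reports which of the step 2 settings are missing or wrong. It also warns when hbase.security.authentication is not set to kerberos, because, as the Background information notes, ACLs on a cluster without Kerberos can be bypassed with a forged identity. The two XML documents embedded at the bottom are constructed samples, not real cluster files.

```python
"""Audit an hbase-site.xml for the HBase ACL settings described in this topic.

Added example, not part of the E-MapReduce documentation. Usage:
    python check_hbase_acl.py /path/to/hbase-site.xml
With no argument it audits the two constructed samples below.
"""
import sys
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
TOKEN_PROVIDER = "org.apache.hadoop.hbase.security.token.TokenProvider"

# Coprocessor classes required by step 2. The order within each list is
# irrelevant to HBase loading them, so the check compares sets.
REQUIRED_COPROCESSORS = {
    "hbase.coprocessor.master.classes": {ACCESS_CONTROLLER},
    "hbase.coprocessor.region.classes": {TOKEN_PROVIDER, ACCESS_CONTROLLER},
    "hbase.coprocessor.regionserver.classes": {ACCESS_CONTROLLER, TOKEN_PROVIDER},
}


def parse_hbase_site(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML config."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def split_class_list(value):
    """Comma-separated coprocessor list -> set of class names, blanks dropped."""
    return {cls.strip() for cls in value.split(",") if cls.strip()}


def check_acl_config(props):
    """Return (errors, warnings) for the parsed properties.

    errors:   settings from step 2 that are absent or wrong (ACL not enforced)
    warnings: ACL may be enforced but identities are not authenticated
    """
    errors, warnings = [], []
    if props.get("hbase.security.authorization", "").lower() != "true":
        errors.append("hbase.security.authorization is not true; ACL checks are disabled")
    for key, required in REQUIRED_COPROCESSORS.items():
        missing = required - split_class_list(props.get(key, ""))
        if missing:
            errors.append(f"{key} is missing {', '.join(sorted(missing))}")
    if props.get("hbase.security.authentication", "").lower() != "kerberos":
        warnings.append("hbase.security.authentication is not kerberos; "
                        "client identities are not verified, so ACLs can be bypassed")
    return errors, warnings


def audit(xml_text):
    """Parse and check in one call; returns (errors, warnings)."""
    return check_acl_config(parse_hbase_site(xml_text))


def _site(pairs):
    """Build a minimal hbase-site.xml document from (name, value) pairs."""
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>"
                   for n, v in pairs)
    return f"<configuration>{body}</configuration>"


# Constructed sample: authorization off and AccessController absent everywhere.
WEAK_SITE = _site([
    ("hbase.security.authorization", "false"),
    ("hbase.coprocessor.region.classes", TOKEN_PROVIDER),
])

# Constructed sample: the step 2 values plus Kerberos authentication.
HARDENED_SITE = _site([
    ("hbase.security.authorization", "true"),
    ("hbase.security.authentication", "kerberos"),
    ("hbase.coprocessor.master.classes", ACCESS_CONTROLLER),
    ("hbase.coprocessor.region.classes", f"{TOKEN_PROVIDER},{ACCESS_CONTROLLER}"),
    ("hbase.coprocessor.regionserver.classes", f"{ACCESS_CONTROLLER},{TOKEN_PROVIDER}"),
])


def report(label, xml_text):
    errors, warnings = audit(xml_text)
    print(f"== {label}: {'FAIL' if errors else 'OK'}")
    for line in errors:
        print("  error:  ", line)
    for line in warnings:
        print("  warning:", line)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report(sys.argv[1], fh.read())
    else:
        report("weak sample", WEAK_SITE)
        report("hardened sample", HARDENED_SITE)
```

Run it against the file exported from the hbase-site.xml tab after the restart in step 3; a clean result is an empty error list. A non-empty warning list with an empty error list is the situation the Background information describes: ACL is on, but without Kerberos the permissions granted in step 4 only bind to whatever identity a client claims.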