This topic describes how to enable the HBase access control list (ACL) feature.
Background information
If HBase ACL is disabled, all accounts can access HBase clusters to perform all operations. For example, all accounts can disable tables, drop tables, or perform major compactions.
On clusters where Kerberos authentication is disabled, users can use a forged identity to access cluster services even if HBase ACL is enabled. Therefore, we recommend that you create clusters with Kerberos authentication enabled to ensure high security. For more information, see Overview.
Basic concepts
An ACL grants an entity operation permissions on resources in a specific scope.
The following tables describe the basic concepts in HBase.
Resources in a specific scope

| Scope | Description |
| --- | --- |
| Superuser | A superuser account can perform all operations. By default, the account that is used to run HBase is the superuser account. To add a superuser account, configure the hbase.superuser parameter in the hbase-site.xml file. |
| Global | Admin permissions on all tables in a cluster. |
| Namespace | Access control at the namespace level. |
| Table | Access control at the table level. |
| ColumnFamily | Access control at the column family level. |
| Cell | Access control at the cell level. |
Operation permissions

| Permission | Description |
| --- | --- |
| Read (R) | Reads data from resources in a specific scope. |
| Write (W) | Writes data to resources in a specific scope. |
| Execute (X) | Executes coprocessors in a specific scope. |
| Create (C) | Creates or deletes tables in a specific scope. |
| Admin (A) | Performs cluster-related operations, such as balance or assignment, in a specific scope. |
Entities

| Entity | Description |
| --- | --- |
| User | Grants operation permissions to a user. |
| Group | Grants operation permissions to a user group. |
Procedure
1. Go to the hbase-site.xml tab.
   a. Log on to the EMR console and go to the EMR on ECS page.
   b. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.
   c. On the EMR on ECS page, find the cluster for which you want to enable HBase ACL and click Services in the Actions column.
   d. On the Services tab, find the HBase service and click Configure.
   e. Click the hbase-site.xml tab.
2. On the hbase-site.xml tab, add or modify the following configuration items.

   | Key | Value |
   | --- | --- |
   | hbase.security.authorization | true |
   | hbase.coprocessor.master.classes | org.apache.hadoop.hbase.security.access.AccessController |
   | hbase.coprocessor.region.classes | org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController |
   | hbase.coprocessor.regionserver.classes | org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider |

3. Restart the HBase service.
   a. In the upper-right corner, choose .
   b. In the dialog box that appears, configure the Execution Reason parameter and click OK.
   c. In the Confirm message, click OK.
4. Use HBase ACL to manage permissions.
grant
grant <user> <permissions> [<@namespace> [<table> [<column family> [<column qualifier>]]]]
The methods that are used to grant operation permissions to users and user groups are similar. The only difference between the methods is that you must specify an at sign (@) as the prefix of the name of a user group.
grant 'test','R','tbl1' # Grant the Read permission on Table tbl1 to User test.
grant '@testgrp','R','tbl1' # Grant the Read permission on Table tbl1 to User Group testgrp.
You must specify an at sign (@) as the prefix of the name of a namespace.
grant 'test','C','@ns_1' # Grant the Create permission on Namespace ns_1 to User test.
revoke
revoke 'trafodion' # Revoke all permissions from User trafodion.
user_permission
user_permission 'TABLE_A' # Query all permissions on Table TABLE_A.