If HBase authorization is not enabled, all accounts can access HBase clusters to perform any operation, such as disabling tables, dropping tables, or performing major compaction.
Background information
Go to the Configure tab for HBase
- Log on to the Alibaba Cloud EMR console.
- In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
- Click the Cluster Management tab.
- On the Cluster Management page, find your cluster and click Details in the Actions column.
- In the left-side navigation pane, choose .
- Click the Configure tab.
Configure parameters
Restart the HBase cluster
Authorization (ACL)
- Basic concepts
Authorization refers to the process of granting [operation permissions] on [resources in a scope] to [an entity].
The following tables describe the basic concepts in HBase.
- Resources within a scope
| Name | Description |
| --- | --- |
| Superuser | A superuser can perform any operation. By default, the account that runs HBase is a superuser. You can set the hbase.superuser parameter in the hbase-site.xml file to add a superuser. |
| Global | Admin permission on all tables in a cluster. |
| Namespace | Access control at the namespace level. |
| Table | Access control at the table level. |
| ColumnFamily | Access control at the column family level. |
| Cell | Access control at the cell level. |

- Operation permissions

| Name | Description |
| --- | --- |
| Read (R) | Reads data from resources in a specific scope. |
| Write (W) | Writes data to resources in a specific scope. |
| Execute (X) | Executes coprocessors in a specific scope. |
| Create (C) | Creates or deletes tables in a specific scope. |
| Admin (A) | Performs cluster-related operations, such as balance or assignment, in a specific scope. |

- Entity

| Name | Description |
| --- | --- |
| User | Authorizes a user. |
| Group | Authorizes a user group. |
- Authorization commands
- grant
grant <user> <permissions> [<@namespace> [<table> [<column family> [<column qualifier>]]]]
- The authorization methods for users and user groups are similar. The only difference
is that you must add an at sign (@) as the prefix of user group names.
grant 'test','R','tbl1' # Grant the Read permission on table tbl1 to user test.
grant '@testgrp','R','tbl1' # Grant the Read permission on table tbl1 to user group testgrp.
- You must add an at sign (@) as the prefix of namespaces.
grant 'test','C','@ns_1' # Grant the Create permission on namespace ns_1 to user test.
- revoke
revoke 'trafodion' # Revoke all permissions from user trafodion.
- user_permission
user_permission 'TABLE_A' # Query all permissions on table TABLE_A.
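The prefix rules above decide who a grant applies to and how wide it reaches, so a grant script is worth resolving into entity, scope and permissions before it is run. The following Ruby sketch is an added example, not part of the original documentation or of HBase: the names `parse_grant`, `needs_review?` and `audit`, the scope label `ColumnQualifier`, the review policy and the `etl_svc` account are all assumptions made for illustration.

```ruby
# Added example (not from the original page): resolve HBase shell grant
# statements into entity, permissions and scope so they can be reviewed.
PERMS = { 'R' => 'Read', 'W' => 'Write', 'X' => 'Execute',
          'C' => 'Create', 'A' => 'Admin' }.freeze

# Returns a Hash for a grant statement and nil for any other line.
# Simplification: arguments are single-quoted and contain no '#'.
def parse_grant(line)
  stmt = line.sub(/#.*/, '').strip
  return nil unless stmt.start_with?('grant ')
  args = stmt.scan(/'([^']*)'/).flatten
  raise ArgumentError, "expected 2 to 5 arguments: #{stmt}" unless (2..5).cover?(args.size)
  who, perms, target, family, qualifier = args
  raise ArgumentError, "invalid permissions '#{perms}': #{stmt}" unless perms.match?(/\A[RWXCA]+\z/)
  scope, resource =
    if target.nil? then ['Global', nil]
    elsif target.start_with?('@')
      raise ArgumentError, "arguments after @namespace are not handled here: #{stmt}" if family
      ['Namespace', target[1..-1]]
    elsif qualifier then ['ColumnQualifier', "#{target}:#{family}:#{qualifier}"]
    elsif family then ['ColumnFamily', "#{target}:#{family}"]
    else ['Table', target]
    end
  group = who.start_with?('@')
  { entity: group ? 'Group' : 'User', name: group ? who[1..-1] : who,
    permissions: perms.chars.uniq.map { |c| PERMS[c] }, scope: scope, resource: resource }
end

# Review policy assumed for this example: flag cluster-wide grants and any Admin grant.
def needs_review?(grant)
  grant[:scope] == 'Global' || grant[:permissions].include?('Admin')
end

# Constructed input; the first three statements reuse the examples above.
SAMPLE = <<~SCRIPT
  grant 'test','R','tbl1'       # user, table scope
  grant '@testgrp','R','tbl1'   # group, table scope
  grant 'test','C','@ns_1'      # user, namespace scope
  grant 'etl_svc','RWXCA'       # constructed: no resource, so Global scope
  revoke 'trafodion'
SCRIPT

def audit(script)
  script.each_line.map { |l| parse_grant(l) }.compact
end

audit(SAMPLE).each do |g|
  puts format('%-6s %-5s %-8s %-9s %-6s %s', needs_review?(g) ? 'REVIEW' : 'ok',
              g[:entity], g[:name], g[:scope], g[:resource] || '*', g[:permissions].join(','))
end
```

Only the constructed `etl_svc` statement is flagged, because it names no namespace or table and therefore applies at the Global scope.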