
HBase authorization

Last Updated: Mar 23, 2018

Without authorization, any account can perform any operation on the HBase cluster, including disabling a table, dropping a table, running a major compaction, and so on.


For clusters without Kerberos authentication, users can forge identities to access the cluster service even when HBase authorization is enabled. Therefore, we recommend that you create a cluster in high security mode (that is, with Kerberos support) as detailed in the Kerberos Security Document.

1. Add configuration

In Configuration Management, choose HBase > Configuration > hbase-site > Custom Configuration in the HBase cluster.

Add the following parameters:

    <!-- Turn on permission checks (enforced by the AccessController coprocessor) -->
    <property>
      <name>hbase.security.authorization</name>
      <value>true</value>
    </property>
    <!-- Load the AccessController on the master so table/namespace admin operations are checked -->
    <property>
      <name>hbase.coprocessor.master.classes</name>
      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
    </property>
    <!-- Load the TokenProvider and the AccessController on every region so reads/writes are checked -->
    <property>
      <name>hbase.coprocessor.region.classes</name>
      <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
    </property>
    <!-- Load the AccessController on the RegionServer so server-level operations are checked -->
    <property>
      <name>hbase.coprocessor.regionserver.classes</name>
      <value>org.apache.hadoop.hbase.security.access.AccessController</value>
    </property>
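
The following Python script is an added check, not part of this document: it parses an hbase-site.xml and reports which of the settings above are missing, using a constructed sample that leaves AccessController out of the region coprocessor list. It also checks hbase.security.authentication, the HBase property that selects Kerberos; that property is not listed on this page, but without it the ACLs are bypassable as described in the warning above.

```python
import xml.etree.ElementTree as ET

# AccessController must be loaded on master, region and regionserver (from the page).
ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
COPROCESSOR_KEYS = ("hbase.coprocessor.master.classes",
                    "hbase.coprocessor.region.classes",
                    "hbase.coprocessor.regionserver.classes")

def load_properties(xml_text):
    """Parse hbase-site.xml content into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name", default="").strip()
        if name:
            props[name] = prop.findtext("value", default="").strip()
    return props

def check_authorization(props):
    """Return a list of findings; an empty list means the settings are complete."""
    findings = []
    if props.get("hbase.security.authorization", "").lower() != "true":
        findings.append("hbase.security.authorization is not true")
    for key in COPROCESSOR_KEYS:
        classes = [c.strip() for c in props.get(key, "").split(",")]
        if ACCESS_CONTROLLER not in classes:
            findings.append(f"{key} does not load AccessController")
    # hbase.security.authentication selects Kerberos; it is not listed on the page,
    # but without it identities can be forged and the ACLs checked above are moot.
    if props.get("hbase.security.authentication", "").lower() != "kerberos":
        findings.append("hbase.security.authentication is not kerberos")
    return findings

# Constructed sample: authorization is on, but the region coprocessor list
# lacks AccessController, so region-level reads and writes are not checked.
SAMPLE_HBASE_SITE = """<configuration>
  <property><name>hbase.security.authorization</name><value>true</value></property>
  <property><name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
  <property><name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider</value></property>
  <property><name>hbase.coprocessor.regionserver.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in check_authorization(load_properties(SAMPLE_HBASE_SITE)):
        print("FINDING:", finding)
```

Run it against the real file with load_properties(open("hbase-site.xml").read()) after the restart in the next step, and also against the effective configuration if the UI merges several files.
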

2. Restart the HBase cluster

In the HBase cluster Configuration Management page, click HBase > Configuration > Operations > RESTART All Components.

3. Authorization (ACL)
3.1 Basic concepts

Authorization grants [operation permissions] on [resources in a certain scope] to [a certain entity].

In HBase, the preceding three concepts are:

  • Resources in a certain scope

    • Superuser

      A Superuser can perform any operations, and the account running HBase service is the Superuser by default. You can also add Superusers through configuring the value of hbase.superuser in hbase-site.xml.

    • Global

      Permissions granted at Global scope apply to all tables in the cluster (Admin at Global scope covers every table).

    • Namespace

      Permissions are controlled at Namespace scope.

    • Table

      Permissions are controlled at Table scope.

    • ColumnFamily

      Permissions are controlled at ColumnFamily scope.

    • Cell

      Permissions are controlled at Cell scope.

  • Operation permission

    • Read (R)

      Read data from resources in a certain Scope.

    • Write (W)

      Write data to resources in a certain Scope.

    • Execute (X)

      Execute coprocessors in a certain Scope.

    • Create (C)

      Create/delete a table in a certain Scope.

    • Admin (A)

      Perform cluster-related operations in a certain Scope, such as balance/assign.

  • A certain entity

    • User

      Authorize a user

    • Group

      Authorize a user group

3.2 Authorization command
  • grant

    grant <user> <permissions> [<@namespace> [<table> [<column family> [<column qualifier>]]]]

    • The grant syntax for users and groups is the same; prefix a group name with @.

      grant 'test','R','tbl1' # grant the read permission on the table tbl1 to the user test.
      grant '@test','R','tbl1' # grant the read permission on the table tbl1 to the user group test.

    • Prefix a namespace name with @.

      grant 'test','C','@ns_1' # grant the create permission on the namespace ns_1 to the user test.

  • revoke

  • user_permissions (view permissions)
