If HBase authorization is not enabled, all accounts can access HBase clusters to perform any operation, such as disabling tables, dropping tables, or performing major compaction.
Go to the Configure tab for HBase
- Log on to the Alibaba Cloud EMR console.
- In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
- Click the Cluster Management tab.
- On the Cluster Management page, find your cluster and click Details in the Actions column.
- In the left-side navigation pane, choose .
- Click the Configure tab.
- In the Service Configuration section, click the hbase-site tab.
- Click Custom Configuration in the upper-right corner and configure the parameters listed in the following table.
| Key | Value |
| --- | --- |
| hbase.security.authorization | true |
| hbase.coprocessor.master.classes | org.apache.hadoop.hbase.security.access.AccessController |
| hbase.coprocessor.region.classes | org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController |
| hbase.coprocessor.regionserver.classes | org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider |
Restart the HBase cluster
- In the upper-right corner of the page, choose .
- In the Cluster Activities dialog box, configure relevant parameters and click OK. In the Confirm message, click OK. Click History in the upper-right corner to view the task progress.
- Basic concepts
Authorization refers to the process of granting [operation permissions] on [resources in a scope] to [an entity].
The following tables describe the basic concepts in HBase.
- Resources within a scope
| Name | Description |
| --- | --- |
| Superuser | A superuser can perform any operation. By default, the account that runs HBase is a superuser. You can set the hbase.superuser parameter in the hbase-site.xml file to add a superuser. |
| Global | Admin permission on all tables in a cluster. |
| Namespace | Access control at the namespace level. |
| Table | Access control at the table level. |
| ColumnFamily | Access control at the column family level. |
| Cell | Access control at the cell level. |
- Operation permissions
| Name | Description |
| --- | --- |
| Read (R) | Reads data from resources in a specific scope. |
| Write (W) | Writes data to resources in a specific scope. |
| Execute (X) | Executes coprocessors in a specific scope. |
| Create (C) | Creates or deletes tables in a specific scope. |
| Admin (A) | Performs cluster-related operations, such as balance or assignment, in a specific scope. |
- Entity

| Name | Description |
| --- | --- |
| User | Authorizes a user. |
| Group | Authorizes a user group. |
- Authorization commands
grant <user> <permissions> [<@namespace> [<table> [<column family> [<column qualifier>]]]]
- The authorization methods for users and user groups are similar. The only difference is that you must add an at sign (@) as the prefix of user group names.
grant 'test','R','tbl1' # Grant the Read permission on table tbl1 to user test.
grant '@testgrp','R','tbl1' # Grant the Read permission on table tbl1 to user group testgrp.
- You must add an at sign (@) as the prefix of namespaces.
grant 'test','C','@ns_1' # Grant the Create permission on namespace ns_1 to user test.
- The authorization methods for users and user groups are similar. The only difference is that you must add an at sign (@) as the prefix of user group names.
revoke 'trafodion' # Revoke all permissions from user trafodion.
user_permission 'TABLE_A' # Query all permissions on table TABLE_A.