
HBase authorization

Last Updated: Mar 23, 2018

Without authorization, any account can perform any operation on the HBase cluster, including disabling or dropping tables and triggering major compactions.

Note:

On clusters without Kerberos authentication, a user can forge an identity and access the cluster service even when HBase authorization is enabled, because authorization can only be as strong as the authentication it relies on. Therefore, we recommend that you create a cluster in high security mode (that is, with Kerberos support) as described in the Kerberos Security Document.

1. Add configuration

In Configuration Management, choose HBase > Configuration > hbase-site > Custom Configuration in the HBase cluster.

Add the following parameters:

  <property>
    <name>hbase.security.authorization</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
  <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
  <property>
    <name>hbase.coprocessor.regionserver.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>

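A common operational mistake is to enable hbase.security.authorization but leave AccessController out of one of the three coprocessor lists, which silently leaves that component unprotected. The following script is an added example (not part of this page or of HBase) that parses an hbase-site.xml and reports which of the settings above are missing. The embedded XML is a constructed sample in which the region coprocessor list lacks AccessController, so the audit flags it.

```python
"""Audit an hbase-site.xml for the authorization settings listed above.

Added example: verifies hbase.security.authorization=true and that
AccessController is present in the master, region and regionserver
coprocessor lists. The sample XML below is constructed for the demo.
"""
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
COPROCESSOR_KEYS = (
    "hbase.coprocessor.master.classes",
    "hbase.coprocessor.region.classes",
    "hbase.coprocessor.regionserver.classes",
)

# Constructed sample: region coprocessors only load TokenProvider,
# so AccessController is missing there and the audit must report it.
SAMPLE_HBASE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hbase.security.authorization</name>
    <value>true</value>
  </property>
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
  <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider</value>
  </property>
  <property>
    <name>hbase.coprocessor.regionserver.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
</configuration>
"""


def parse_hbase_site(xml_text):
    """Return {name: value} for every <property> element in an hbase-site.xml."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value") or ""
        if name:
            props[name.strip()] = value.strip()
    return props


def audit_authorization(props):
    """Return a list of findings; an empty list means the config matches the doc."""
    findings = []
    if props.get("hbase.security.authorization", "false").lower() != "true":
        findings.append("hbase.security.authorization is not true")
    for key in COPROCESSOR_KEYS:
        # Coprocessor lists are comma separated; compare whole class names,
        # not substrings, so a partially typed class name is not accepted.
        classes = [c.strip() for c in props.get(key, "").split(",") if c.strip()]
        if ACCESS_CONTROLLER not in classes:
            findings.append(f"{key} does not load {ACCESS_CONTROLLER}")
    return findings


if __name__ == "__main__":
    for finding in audit_authorization(parse_hbase_site(SAMPLE_HBASE_SITE)):
        print("FINDING:", finding)
```

Run it against the real file with `parse_hbase_site(open("/path/to/hbase-site.xml").read())`; an empty findings list means all four properties from the table above are in place.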
2. Restart the HBase cluster

In the HBase cluster Configuration Management page, click HBase> Configuration > Operations > RESTART All Components.

3. Authorization (ACL)

3.1 Basic concepts

Authorization grants [operation permissions] on [resources in a certain scope] to [a certain entity].

In HBase, these three concepts are:

  • Resources in a certain scope

    • Superuser

      A superuser can perform any operation. The account that runs the HBase service is a superuser by default; you can add further superusers by setting the value of hbase.superuser in hbase-site.xml.

    • Global

      Permissions granted at Global scope (for example, Admin) apply to all tables in the cluster.

    • Namespace

      Permissions are controlled at the namespace level.

    • Table

      Permissions are controlled at the table level.

    • ColumnFamily

      Permissions are controlled at the column family level.

    • Cell

      Permissions are controlled at the cell level.

  • Operation permission

    • Read (R)

      Read data from resources in a certain Scope.

    • Write (W)

      Write data to resources in a certain Scope.

    • Execute (X)

      Execute coprocessor endpoints in a certain Scope.

    • Create (C)

      Create/delete a table in a certain Scope.

    • Admin (A)

      Perform cluster-related operations in a certain Scope, such as balance/assign.

  • A certain entity

    • User

      Authorize a user

    • Group

      Authorize a user group

3.2 Authorization command

  • grant

    grant <user>, <permissions> [, <@namespace> [, <table> [, <column family> [, <column qualifier>]]]]

    Note:

    • Users and groups are granted in the same way; a group name is prefixed with @.

      grant 'test','R','tbl1'   # grant read permission on table tbl1 to the user test
      grant '@test','R','tbl1'  # grant read permission on table tbl1 to the user group test
    • A namespace name is prefixed with @.

      grant 'test','C','@ns_1'  # grant create permission in namespace ns_1 to the user test
  • revoke

  • user_permissions (view permissions)
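To make the scope/permission/entity model of 3.1 and the grant, revoke and user_permissions commands of 3.2 concrete, here is an added example (not part of this page, and not HBase code) that models the ACL check in plain Python. It assumes the same resolution HBase's AccessController performs in simplified form: a request is allowed if the user is a superuser, or if a grant at global scope, at the table's namespace, at the table, at the column family or at the qualifier gives the user or one of its @groups the requested permission letter. The superuser list and the user-to-group mapping are constructed inputs here, not looked up from Hadoop, and tables without a namespace prefix are treated as belonging to the default namespace.

```python
"""Simplified model of HBase ACL grants (added example, not HBase itself).

Scopes: global -> namespace -> table -> column family -> qualifier.
Permissions: R, W, X, C, A. Entities: 'user' or '@group'.
Superusers and group membership are constructed inputs for the demo.
"""
from collections import defaultdict

PERMISSIONS = set("RWXCA")


class HBaseAcl:
    def __init__(self, superusers=(), groups=None):
        self.superusers = set(superusers)      # assumed hbase.superuser list
        self.groups = groups or {}             # user -> set of group names
        # scope tuple -> entity -> set of permission letters
        self.grants = defaultdict(lambda: defaultdict(set))

    @staticmethod
    def _scope(namespace=None, table=None, family=None, qualifier=None):
        if namespace is not None:
            return ("ns", namespace)
        if table is None:
            return ("global",)
        return ("table", table, family, qualifier)

    def grant(self, entity, perms, namespace=None, table=None, family=None, qualifier=None):
        """Mirror: grant '<user>','<perms>'[,'@ns' | ,'table'[,'cf'[,'q']]]"""
        if not set(perms) <= PERMISSIONS:
            raise ValueError(f"unknown permission letter in {perms!r}")
        self.grants[self._scope(namespace, table, family, qualifier)][entity] |= set(perms)

    def revoke(self, entity, namespace=None, table=None, family=None, qualifier=None):
        """Mirror: revoke removes every permission the entity holds at that scope."""
        self.grants[self._scope(namespace, table, family, qualifier)].pop(entity, None)

    def user_permissions(self, table=None):
        """Mirror: user_permissions [table]; rows of (entity, scope, perms)."""
        rows = []
        for scope, entities in self.grants.items():
            if table is not None and not (scope[0] == "table" and scope[1] == table):
                continue
            for entity, perms in entities.items():
                rows.append((entity, scope, "".join(sorted(perms))))
        return sorted(rows, key=lambda r: (r[0], tuple(str(s) for s in r[1])))

    def is_allowed(self, user, perm, table, family=None, qualifier=None):
        """Union of grants from the widest scope down; superusers bypass ACLs."""
        if user in self.superusers:
            return True
        entities = {user} | {"@" + g for g in self.groups.get(user, ())}
        namespace = table.split(":", 1)[0] if ":" in table else "default"
        candidate_scopes = [
            ("global",),
            ("ns", namespace),
            ("table", table, None, None),
            ("table", table, family, None),
            ("table", table, family, qualifier),
        ]
        for scope in candidate_scopes:
            for entity in entities:
                if perm in self.grants.get(scope, {}).get(entity, set()):
                    return True
        return False


def demo_acl():
    """Replay the three grant examples from the page plus one family-scoped grant."""
    acl = HBaseAcl(superusers={"hbase"}, groups={"bob": {"test"}})
    acl.grant("test", "R", table="tbl1")        # grant 'test','R','tbl1'
    acl.grant("@test", "R", table="tbl1")       # grant '@test','R','tbl1'
    acl.grant("test", "C", namespace="ns_1")    # grant 'test','C','@ns_1'
    acl.grant("alice", "RW", table="tbl1", family="cf1")  # constructed extra grant
    return acl


if __name__ == "__main__":
    acl = demo_acl()
    for row in acl.user_permissions("tbl1"):
        print(row)
    print("bob reads tbl1 via @test:", acl.is_allowed("bob", "R", "tbl1"))
    acl.revoke("test", table="tbl1")
    print("test reads tbl1 after revoke:", acl.is_allowed("test", "R", "tbl1"))
```

The revoke step shows the point that matters when reviewing permissions: revoking the user test's table grant does not remove what the group @test still holds, so bob (a member of test) keeps read access, and user_permissions on the table is the place to see both rows side by side.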
