If HBase authorization is not enabled, all accounts can access HBase clusters to perform any operation, such as disabling tables, dropping tables, or performing major compaction.

Background information

For clusters without Kerberos authentication, users can use a forged identity to access cluster services. This is the case even if HBase authorization is enabled. We recommend that you create a high-security cluster with Kerberos authentication enabled. For more information, see Introduction to Kerberos.

Go to the Configure tab for HBase

  1. Log on to the Alibaba Cloud EMR console.
  2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  3. Click the Cluster Management tab.
  4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  5. In the left-side navigation pane, choose Cluster Service > HBase.
  6. Click the Configure tab.

Configure parameters

  1. In the Service Configuration section, click the hbase-site tab.
  2. Click Custom Configuration in the upper-right corner and configure the parameters listed in the following table.
    | Key | Value |
    | --- | --- |
    | hbase.security.authorization | true |
    | hbase.coprocessor.master.classes | org.apache.hadoop.hbase.security.access.AccessController |
    | hbase.coprocessor.region.classes | org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController |
    | hbase.coprocessor.regionserver.classes | org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider |

Restart the HBase cluster

  1. In the upper-right corner of the HBase page, choose Actions > Restart All Components.
  2. In the Cluster Activities dialog box, configure relevant parameters and click OK. In the Confirm message, click OK.
    Click History in the upper-right corner to view the task progress.

Authorization (ACL)

  • Basic concepts

    Authorization refers to the process of granting [operation permissions] on [resources in a scope] to [an entity].

    The following tables describe the basic concepts in HBase.

    • Resources within a scope
      | Name | Description |
      | --- | --- |
      | Superuser | A superuser can perform any operation. By default, the account that runs HBase is a superuser. You can set the hbase.superuser parameter in the hbase-site.xml file to add a superuser. |
      | Global | Admin permission on all tables in a cluster. |
      | Namespace | Access control at the namespace level. |
      | Table | Access control at the table level. |
      | ColumnFamily | Access control at the column family level. |
      | Cell | Access control at the cell level. |
    • Operation permissions
      | Name | Description |
      | --- | --- |
      | Read (R) | Reads data from resources in a specific scope. |
      | Write (W) | Writes data to resources in a specific scope. |
      | Execute (X) | Executes coprocessors in a specific scope. |
      | Create (C) | Creates or deletes tables in a specific scope. |
      | Admin (A) | Performs cluster-related operations, such as balance or assignment, in a specific scope. |
    • Entity
      | Name | Description |
      | --- | --- |
      | User | Authorizes a user. |
      | Group | Authorizes a user group. |
  • Authorization commands
    • grant
      grant <user> <permissions> [<@namespace> [<table> [<column family> [<column qualifier>]]]]
      • The authorization methods for users and user groups are similar. The only difference is that you must add an at sign (@) as the prefix of user group names.
        grant 'test','R','tbl1'   # Grant the Read permission on table tbl1 to user test.
        grant '@testgrp','R','tbl1' # Grant the Read permission on table tbl1 to user group testgrp.
      • You must add an at sign (@) as the prefix of namespaces.
        grant 'test','C','@ns_1'  # Grant the Create permission on namespace ns_1 to user test.
    • revoke
      revoke 'trafodion'  # Revoke all permissions from user trafodion.
    • user_permission
      user_permission 'TABLE_A'  # Query all permissions on table TABLE_A.