This topic describes how to integrate HBase with Ranger and how to configure related permissions.

Integrate HBase with Ranger

  1. Enable HBase in Ranger.
    1. Log on to the Alibaba Cloud E-MapReduce console.
    2. In the top navigation bar, select the region where your cluster resides. Select the resource group as required. By default, all resources of the account appear.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page that appears, find the target cluster and click Details in the Actions column.
    5. In the left-side navigation pane, click Cluster Service and then RANGER.
    6. Select EnabledHBase from the Actions drop-down list in the upper-right corner.
      Enable HBase PLUGIN
    7. In the Cluster Activities dialog box that appears, set related parameters and click OK.
      Click History in the upper-right corner to view the task progress.
  2. Add the HBase service on the web UI of Ranger.
    1. Log on to Ranger. For more information, see Overview.
    2. Add the HBase service.
      add_hbase
    3. Configure required parameters.
      add_hbase
      Parameter Description
      Service Name Set the value to emr-hbase.
      Username Set the value to hbase.
      Password Enter a custom password.
      hadoop.security.authentication
      • Select Simple for a standard cluster.
      • Select Kerberos for a high-security cluster.
      hbase.master.kerberos.principal This parameter is required only for a high-security cluster. Set the value to hbase/_HOST@EMR.${id}.COM.
      Note You can log on to the host and run the hostname command to obtain the value of ${id}. The number in hostname is the value of ${id}.
      hbase.security.authentication
      • Select Simple for a standard cluster.
      • Select Kerberos for a high-security cluster.
      hbase.zookeeper.property.clientPort Set the value to 2181.
      hbase.zookeeper.quorum Set the value to emr-header-1,emr-worker-1.
      zookeeper.znode.parent Set the value to /hbase.
      Add New Configurations
      • Name: Set the value to policy.download.auth.users.
      • Value: Set the value to hbase.
    4. Click Add.
  3. Restart HBase.
    1. In the left-side navigation pane, click Cluster Service and then HBase.
    2. Select Restart All Components from the Actions drop-down list in the upper-right corner.
    3. In the Cluster Activities dialog box that appears, set related parameters and click OK.
      Click History in the upper-right corner to view the task progress.

Configure administrator accounts

  1. On the Service Manager page, click emr-hbase.
    view hbase
  2. Configure administrator accounts.
    Administrator accounts are used to run administrative commands, such as the balance, compaction, flush, and split commands.
    Click the edit icon in the Action column for the target policy and add accounts in the Users column. You can also modify the permissions. For example, retain only the Admin permission. You must set hbase as an administrator account.Configure administrator accounts
    If you use Phoenix, you must add an additional policy in Ranger. The following table describes the parameters for the policy.
    Parameter Description
    HBase Column-family *
    HBase Column *
    Select Group public
    Permissions Read, Write, Create, and Admin

Permission configuration example

After HBase is integrated with Ranger, you can configure HBase permissions in Ranger. For example, you can perform the following steps to grant user test the Create, Write, and Read permissions on the foo_ns:test table.

  1. Click emr-hbase.
    Permission configuration example
  2. Click Add New Policy in the upper-right corner.
  3. Configure permissions.
    Parameter Description
    Policy Name The name of the policy. You can customize a name.
    HBase Table The table on which permissions are configured. The value must be in the format of ${namespace}:${tablename}. You can specify multiple tables. Press Enter each time you enter a table name.
    If a table belongs to the default namespace, you do not need to prefix the table name with default. You can enter an asterisk (*) as a wildcard for ${tablename}. For example, foo_ns:* indicates all tables in the foo_ns namespace.
    Note default:* is not supported.
    HBase Column-family The column family.
    HBase Column The name of the column.
    Select Group The user group to which you want to add this policy.
    Select User The user to whom you want to add this policy.
    Permissions The permissions to be granted.
  4. Click Add.
    After the policy is added, authorization is completed. User test can access the foo_ns:test table.
    Note After you add, remove, or modify a policy, it can take up to one minute for the configuration to take effect.