E-MapReduce: Enable HBase in Ranger and configure related permissions

Last Updated: Jul 25, 2023

This topic describes how to enable HBase in Ranger and how to configure the related permissions.

Prerequisites

A cluster is created and the HBase and Ranger services are selected when you create the cluster. For more information, see Create a cluster.

Procedure

  1. Go to the Services tab.

    1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.

    2. In the top navigation bar, select the region in which your cluster resides and select a resource group.

    3. On the EMR on ECS page, find the desired cluster and click Services in the Actions column.

  2. Enable HBase in Ranger.

    1. On the Services tab of the page that appears, click Status in the Ranger-plugin section.

    2. In the Service Overview section of the Status tab, turn on enableHBase.

    3. In the message that appears, click OK.

  3. View the HBase service on the web UI of Ranger.

    1. Access the web UI of Ranger. For more information, see Access the web UI of Ranger.

    2. Click emr-hbase.

      After you enable HBase in Ranger, an HBase service named emr-hbase is automatically created.

    3. Modify the parameters based on your business requirements.

      The following figure shows the information about the HBase service.

      The following table describes the parameters of the HBase service.

      | Parameter | Description |
      | --- | --- |
      | Service Name | The name of the service. Set the value to emr-hbase. |
      | Username | The username that is used to access the HBase service. In this example, hbase is used. |
      | Password | The password that is used to access the HBase service. You can specify a custom password. |
      | hadoop.security.authentication | Select simple for a standard cluster (a non-high-security cluster). Select Kerberos for a high-security cluster. |
      | hbase.master.kerberos.principal | This parameter is required only for a high-security cluster. Set the value to hbase/_HOST@EMR.${CLUSTER_ID}.COM. Note: To obtain the value of ${CLUSTER_ID}, you need to log on to the host and run the hostname command to obtain the hostname first. Then, convert the string that follows a period (.) and starts with c- into uppercase to obtain a string that starts with C-. The obtained string is the value of ${CLUSTER_ID}. |
      | hbase.security.authentication | Select simple for a standard cluster (a non-high-security cluster). Select Kerberos for a high-security cluster. |
      | hbase.zookeeper.property.clientPort | Set the value to 2181. |
      | hbase.zookeeper.quorum | Set the value to master-1-1. |
      | zookeeper.znode.parent | Set the value to /hbase. |
      | Add New Configurations | Name: Set the value to policy.download.auth.users. Value: Set the value to hbase. |

  4. Restart HBase.

    1. On the Services tab, click the More icon and select HBase.

    2. In the upper-right corner, choose More > Restart.

    3. In the dialog box that appears, configure the Execution Reason parameter and click OK.

    4. In the Confirm message, click OK.

Configure administrator accounts

  1. Access the web UI of Ranger. For more information, see Access the web UI of Ranger.

  2. Click emr-hbase.

  3. Grant users the Admin permission to run management commands.

    The Admin permission allows users to run management commands, such as balance, compaction, flush, and split. Click the modify icon in the Action column for the existing permission policy, and then add administrator accounts. You can also modify the permissions. For example, you can retain only the Admin permission. You must set hbase as an administrator account.

    If you want to use Phoenix, you must add an additional policy in Ranger. The following table describes the parameters for the policy.

    | Parameter | Example |
    | --- | --- |
    | HBase Table | SYSTEM.* |
    | HBase Column-family | Asterisk (*) |
    | HBase Column | Asterisk (*) |
    | Select Group | public |
    | Permissions | Read, Write, Create, and Admin |

Configure permissions

For example, you can perform the following steps to grant the test user the Create, Write, and Read permissions on the foo_ns:test table:

  1. Access the web UI of Ranger. For more information, see Access the web UI of Ranger.

  2. Click emr-hbase.

  3. Click Add New Policy in the upper-right corner.

  4. Configure the parameters based on your business requirements. The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | Policy Name | The name of the policy. You can specify a custom name. |
    | HBase Table | The table on which permissions are configured. The value must be in the format of ${namespace}:${tablename}. You can specify multiple tables. Press Enter each time you enter a table name. In this example, the foo_ns:test table is used. If ${namespace} is set to default, the value of this parameter is specified in the ${tablename} format. You do not need to add default in the parameter value. The value of this parameter can contain asterisks (*). For example, foo_ns:* indicates all tables in foo_ns. Note: default:* is not supported. |
    | HBase Column-family | The column family. For example, set this parameter to *. |
    | HBase Column | The name of the column. For example, set this parameter to *. |
    | Select Group | The user group to which you want to attach the policy. |
    | Select User | The user to whom you want to attach the policy. Example: test. |
    | Permissions | The permissions that you want to grant. Example: Read, Write, Create, and Admin. |

  5. Click Add.

    After the policy is added, the test user is granted the specified permissions. The test user can access the foo_ns:test table.

    Note

    After you add, remove, or modify a policy, it takes about one minute for the configuration to take effect.
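
The policy from the steps above, written as the JSON document that Ranger Admin's public REST API accepts (POST /service/public/v2/api/policy), so that the grant can be reviewed before it is applied. This is an added example, not code from the EMR documentation: the helper names and the policy name foo_ns-test-rwc are hypothetical, and it grants only Create, Write, and Read, as stated at the start of this section.

```python
import json

# Added example: helper and policy names are hypothetical, not from the page.
# Access types defined by Ranger's HBase service definition.
HBASE_ACCESS_TYPES = ("read", "write", "create", "admin")


def normalize_table(spec: str) -> str:
    """Apply the HBase Table rules from the parameter table to one value."""
    namespace, sep, table = spec.rpartition(":")
    if not table or ":" in namespace or (sep and not namespace):
        raise ValueError(f"malformed table value: {spec!r}")
    if namespace == "default":
        if table == "*":
            raise ValueError("default:* is not supported")
        return table                  # 'default' is never written out
    return f"{namespace}:{table}" if sep else table


def build_policy(name, tables, users=(), groups=(), accesses=("read",)):
    """Return the body for POST /service/public/v2/api/policy on Ranger Admin."""
    unknown = sorted(set(accesses) - set(HBASE_ACCESS_TYPES))
    if unknown:
        raise ValueError(f"unknown HBase access types: {unknown}")
    if not users and not groups:
        raise ValueError("a policy item needs at least one user or group")

    def resource(values):
        return {"values": list(values), "isExcludes": False, "isRecursive": False}

    return {
        "service": "emr-hbase",       # service created when HBase is enabled
        "name": name,
        "resources": {
            "table": resource(normalize_table(t) for t in tables),
            "column-family": resource(["*"]),
            "column": resource(["*"]),
        },
        "policyItems": [{
            "users": list(users),
            "groups": list(groups),
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
            "delegateAdmin": False,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_policy("foo_ns-test-rwc", ["foo_ns:test"], users=["test"],
                                  accesses=("create", "write", "read")), indent=2))
```

The returned dictionary is the request body; keeping the serialized JSON under version control gives each grant on emr-hbase a reviewable record.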