ApsaraDB for HBase Performance-enhanced Edition provides a user management system that authenticates users by username and password and authorizes their operations based on access control lists (ACLs). To authenticate a user, you configure only a username and a password. Passwords are stored on the server as ciphertext, never in plaintext, and a password is encrypted before it is sent over the network during authentication, so that a value captured in transit cannot be replayed or forged to impersonate the user.

You manage users in the User Management module of the Cluster management system (ClusterManager). The Users page lists all users of your cluster. When a cluster is created, the system creates an administrative user that has all permissions on the cluster; both its username and its password are root. You can use this user to manage the cluster. Because every new cluster starts with the same root/root credentials, change the password of this user in ClusterManager as soon as the cluster is created. You can also delete the user in ClusterManager.

Create a user

  1. On the Users page of ClusterManager, choose More operations > create user.
  2. In the dialog box that appears, enter a username and a password, confirm the password, and then click OK.
    Note
    • For ApsaraDB for HBase Performance-enhanced Edition, a password is stored in ciphertext on the server. After you create a user, the password cannot be viewed in plaintext, so store it securely. If the password is lost, the only option is to reset it.
    • A newly created user has no permissions. Before you use the user to connect to your cluster, grant it the required permissions on the Access Management page.

Change a user password

  1. On the Users page of ClusterManager, find the user whose password you want to change and click Change Password in the Actions column.
  2. In the dialog box that appears, enter a new password and click OK.

Delete a user

On the Users page of ClusterManager, find the user that you want to delete and click delete in the Actions column.

Manage permissions based on ACLs

Permission types

For ApsaraDB for HBase Performance-enhanced Edition, the system decides whether a user may perform an operation based on the permissions granted to that user. For example, if you grant User 1 only READ permissions on Table 1, an attempt to write data to Table 1 as User 1 returns an error, and an attempt to read or write Table 2 as User 1 is denied. ApsaraDB for HBase Performance-enhanced Edition supports the following permission types:
  • WRITE permissions: With WRITE permissions on a table, you can perform PUT, BATCH, DELETE, INCREMENT, APPEND, and CheckAndMutate operations on it.
  • READ permissions: With READ permissions on a table, you can perform GET, SCAN, and EXISTS operations on it. You can also perform getTableDescriptor, listTables, and listNamespaceDescriptors operations, which return metadata such as table descriptors and namespaces.
  • ADMIN permissions: With ADMIN permissions, you can execute DDL statements that manage tables and namespaces, such as CREATE TABLE, ENABLE TABLE, DISABLE TABLE, and CREATE NAMESPACE. ADMIN does not include deleting tables or clearing table data; those operations require TRASH.
  • TRASH permissions: TRUNCATE TABLE and DELETE TABLE can be executed only by a user that holds TRASH permissions. Separating them from ADMIN reduces the risk of tables or table data being cleared by mistake.
  • SYSTEM permissions: O&M statements such as COMPACT and FLUSH can be executed only by a user that holds SYSTEM permissions. Before you use Lindorm Tunnel Service (LTS) to migrate or synchronize data to an ApsaraDB for HBase Performance-enhanced Edition cluster, grant SYSTEM permissions to the user that LTS connects with.
Note ApsaraDB for HBase Performance-enhanced Edition grants permissions at three levels: global, namespace, and table. The levels are nested, so a grant at a higher level applies to everything below it. For example, if you grant User 1 read and write permissions at the global level, User 1 can read and write all tables in all namespaces. If you grant User 2 read and write permissions on Namespace 1, User 2 can read and write all tables in Namespace 1, including tables that are created in Namespace 1 after the grant. Only a user that holds ADMIN permissions at the global level can create or delete namespaces.

Grant permissions to a user

You can use the Access Management module of ClusterManager to grant permissions to a user. To grant a user READ permissions on a table, perform the following steps:
  1. On the Permissions page of ClusterManager, choose More > grant privileges.
  2. In the grant table privilege dialog box, specify user name, grant namespace, and grant table, select READ in the grant privileges field, and then click OK.

Revoke permissions from a user

You can use the Access Management module of ClusterManager to revoke permissions from a user. A user can hold grants at several levels at the same time, so check all of them when removing access. Perform the following steps:

  1. On the Permissions page of ClusterManager, find the user that you want to manage and click revoke in the Action column.
  2. The revoke privilege dialog box lists all permissions held by the user at each of the three levels: global, namespace, and table. Select the permissions that you want to revoke and click OK.

Enable or disable the ACL feature

The ACL feature provides user authentication and access control. You can disable it based on your business requirements. After you disable the ACL feature, no username or password is required for subsequent access requests: API calls, SQL statements, and non-Java client connections are all accepted without authentication, and no permission checks are applied to the operations they perform. Any client that can reach the cluster over the network can therefore read, write, and delete data, so disable the feature only for clusters whose network access is restricted by other means.

Changes to the ACL setting take effect immediately; no cluster restart is needed. This also means that when you re-enable the feature, clients that connect without a username and password are rejected at once: the client cannot be authenticated and an error message is returned. Make sure that every client has valid credentials and the required grants before you switch the feature back on. If the username and password are valid, the client is authenticated and the connection is established; operations for which the user holds no permissions are still denied.
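The authorization rules described under Permission types and its note, the grant and revoke procedures, and the effect of switching the ACL feature off, replayed in one added worked example. This is illustrative code written for this page, not the product's own implementation or API: the scope syntax ("*" for global, "ns" for a namespace, "ns:table" for a table), the operation names, and the use of salted PBKDF2 digests for the stored passwords are assumptions of the example (the page only says that passwords are stored as ciphertext). The demo() function walks through the page's own User 1 / User 2 scenarios, a revoke, and the ACL-off case, and returns each decision.

```python
"""Toy model of the ACL semantics described on this page; not the product's own code.
Assumed here: scope "*" is global, "ns" a namespace, "ns:table" a table; operation names
are this model's own; passwords are stored as salted PBKDF2 digests (page says "ciphertext").
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum

Perm = Enum("Perm", "READ WRITE ADMIN TRASH SYSTEM")
GLOBAL = "*"

# Operation -> permission type it requires, taken from the "Permission types" list.
OP_PERM = {
    **dict.fromkeys(["PUT", "BATCH", "DELETE", "INCREMENT", "APPEND", "CHECK_AND_MUTATE"], Perm.WRITE),
    **dict.fromkeys(["GET", "SCAN", "EXISTS", "GET_TABLE_DESCRIPTOR", "LIST_TABLES",
                     "LIST_NAMESPACE_DESCRIPTORS"], Perm.READ),
    **dict.fromkeys(["CREATE_TABLE", "ENABLE_TABLE", "DISABLE_TABLE",
                     "CREATE_NAMESPACE", "DELETE_NAMESPACE"], Perm.ADMIN),
    **dict.fromkeys(["TRUNCATE_TABLE", "DELETE_TABLE"], Perm.TRASH),
    **dict.fromkeys(["COMPACT", "FLUSH"], Perm.SYSTEM),
}
# Namespace DDL is honoured only for ADMIN granted at the global level.
GLOBAL_ONLY_OPS = {"CREATE_NAMESPACE", "DELETE_NAMESPACE"}


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Acl:
    enabled: bool = True
    users: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)   # user -> (salt, digest)
    grants: dict[str, dict[str, set[Perm]]] = field(default_factory=dict)  # user -> scope -> perms

    def __post_init__(self):
        # A new cluster ships with user root/root holding every permission at the global level.
        self.create_user("root", "root")
        self.grant("root", GLOBAL, *Perm)

    def create_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _digest(password, salt))
        self.grants[user] = {}  # a newly created user holds no permissions

    def grant(self, user, scope, *perms):
        self.grants.setdefault(user, {}).setdefault(scope, set()).update(perms)

    def revoke(self, user, scope, *perms):
        self.grants.get(user, {}).get(scope, set()).difference_update(perms)

    def authenticate(self, user, password):
        if not self.enabled:
            return True  # ACL off: credentials are not checked at all
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _digest(password, salt))

    def authorize(self, user, op, namespace=None, table=None):
        if not self.enabled:
            return True  # ACL off: every operation is allowed to everyone
        if op in GLOBAL_ONLY_OPS:
            scopes = [GLOBAL]
        else:
            # A global grant covers all namespaces; a namespace grant covers every table
            # in it, including tables created later; a table grant covers that table only.
            scopes = [GLOBAL] + ([namespace] if namespace else []) \
                + ([f"{namespace}:{table}"] if namespace and table else [])
        held = self.grants.get(user, {})
        return any(OP_PERM[op] in held.get(s, ()) for s in scopes)


def demo():
    """Replay the page's examples; returns each decision so it can be checked."""
    acl = Acl()
    acl.create_user("user1", "pw1")
    acl.grant("user1", "ns1:t1", Perm.READ)            # read-only on a single table
    acl.create_user("user2", "pw2")
    acl.grant("user2", "ns1", Perm.READ, Perm.WRITE)   # read/write on a whole namespace
    acl.create_user("ops", "pw3")
    acl.grant("ops", "ns1", Perm.ADMIN)                # DDL in ns1, but no TRASH and no global ADMIN
    out = {
        "user1_get_t1": acl.authorize("user1", "GET", "ns1", "t1"),
        "user1_put_t1": acl.authorize("user1", "PUT", "ns1", "t1"),
        "user1_get_t2": acl.authorize("user1", "GET", "ns1", "t2"),
        "user2_put_new_table": acl.authorize("user2", "PUT", "ns1", "t_new"),
        "ops_create_table": acl.authorize("ops", "CREATE_TABLE", "ns1", "t3"),
        "ops_delete_table": acl.authorize("ops", "DELETE_TABLE", "ns1", "t1"),
        "ops_create_namespace": acl.authorize("ops", "CREATE_NAMESPACE", "ns2"),
        "root_create_namespace": acl.authorize("root", "CREATE_NAMESPACE", "ns2"),
        "user1_login": acl.authenticate("user1", "pw1"),
        "user1_wrong_password": acl.authenticate("user1", "wrong"),
    }
    acl.revoke("user2", "ns1", Perm.WRITE)             # the revoke privilege dialog
    out["user2_put_after_revoke"] = acl.authorize("user2", "PUT", "ns1", "t1")
    acl.enabled = False                                # the ACL feature switched off
    out["anon_delete_acl_off"] = acl.authorize("nobody", "DELETE_TABLE", "ns1", "t1")
    return out
```

The two design points worth noticing are the scope resolution in authorize(), which walks global, then namespace, then table, so a namespace grant automatically covers tables created later, and the fact that ADMIN, TRASH and SYSTEM are disjoint: the ops user can create tables in ns1 but cannot drop them, and cannot create a namespace because its ADMIN grant is not at the global level. The last line of demo() shows why disabling the ACL feature is a network-exposure decision: with enabled set to False, an unknown principal is allowed to drop a table.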