ApsaraDB for HBase Performance-enhanced Edition provides an easy-to-use user management system that allows you to authenticate users and manage permissions based on access control lists (ACLs). To authenticate a user, you need to configure only a username and a password. Passwords are stored in ciphertext on the server. When a password is sent over the network to authenticate a user, the password is encrypted. This prevents data from being reused or forged if the ciphertext is intercepted.
You can use the User Management module in the cluster management system to efficiently manage users. On the Users page, you can view all users of your cluster. After you create a cluster, the system creates a user that has all permissions on the cluster. You can use this user to manage your cluster. Both the username and the password of this user are root. You can change the password of the user or delete the user in ClusterManager.
Create a user
- On the Users page of ClusterManager, choose More operations > create user.
- In the dialog box that appears, enter a username and a password, confirm the password, and then click OK.
Note:
- For ApsaraDB for HBase Performance-enhanced Edition, a password is stored in ciphertext on a server. After you create a user, you cannot view the user password in plaintext. We recommend that you remember the password. If you forget the password, you can only reset the password.
- When a user is created, the user has no permissions. Before you use the user to connect to your cluster, grant the required permissions to the user on the Access Management page.
Change a user password
- On the Users page of ClusterManager, find the user for which you want to change the password and click Change Password in the Actions column.
- In the dialog box that appears, enter a new password and click OK.
Delete a user
Manage permissions based on ACLs
- WRITE permissions: If you have WRITE permissions on tables in ApsaraDB for HBase, you can perform PUT, BATCH, DELETE, INCREMENT, APPEND, and CheckAndMutate operations.
- READ permissions: If you have READ permissions on tables in ApsaraDB for HBase, you can perform GET, SCAN, and EXIST operations. You can also perform getTableDescriptor, listTables, and listNamespaceDescriptors operations. These operations allow you to query table data in ApsaraDB for HBase. The table data includes table descriptors and namespaces.
- ADMIN permissions: If you have ADMIN permissions on tables in ApsaraDB for HBase, you can execute DDL statements to manage tables and namespaces. For example, you can execute the CREATE TABLE, ENABLE TABLE, DISABLE TABLE, and CREATE NAMESPACE statements. However, you do not have permissions to delete tables or delete table data.
- TRASH permissions: You can execute the TRUNCATE TABLE and DELETE TABLE statements only after you are granted the TRASH permissions. This prevents tables or table data from being cleared by mistake.
- SYSTEM permissions: You can execute statements for O&M only after you are granted the SYSTEM permissions. The statements for O&M include COMPACT and FLUSH. Before you use Lindorm Tunnel Service (LTS) to migrate or synchronize data to an ApsaraDB for HBase Performance-enhanced Edition cluster, grant the SYSTEM permissions to the user that you are using.
Grant permissions to a user
- On the Permissions page of ClusterManager, choose More > grant privileges.
- In the grant table privilege dialog box, specify user name, grant namespace, and grant table, select READ in the grant privileges field, and then click OK.
Revoke permissions from a user
You can use the Access Management module of ClusterManager to revoke permissions from a user. Each user can have multiple levels of permissions. You can perform the following steps to revoke permissions from a user:
- On the Permissions page of ClusterManager, find the user that you want to manage and click revoke in the Action column.
- In the revoke privilege dialog box, you can view all permissions of the user. Three levels of permissions are available: global, table, and namespace. Select the permissions that you want to revoke from the user and click OK.
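The permission list and the three permission levels described above can be turned into a least-privilege check. The following Python code is an added example, not code from ApsaraDB for HBase or ClusterManager: it reports operations that a user's grants would not allow and granted permissions that no observed operation needs. The grant and workload structures, the `covers` and `audit` helpers, the `*` wildcard, and the rule that a broader-level grant covers the objects beneath it are assumptions made for illustration; the sample data is constructed.

```python
from collections import defaultdict

# Operation -> permission, transcribed from the permission list above.
PERMISSION_OPS = {
    "WRITE": ["PUT", "BATCH", "DELETE", "INCREMENT", "APPEND", "CheckAndMutate"],
    "READ": ["GET", "SCAN", "EXIST", "getTableDescriptor", "listTables",
             "listNamespaceDescriptors"],
    "ADMIN": ["CREATE TABLE", "ENABLE TABLE", "DISABLE TABLE", "CREATE NAMESPACE"],
    "TRASH": ["TRUNCATE TABLE", "DELETE TABLE"],
    "SYSTEM": ["COMPACT", "FLUSH"],
}
REQUIRED = {op: perm for perm, ops in PERMISSION_OPS.items() for op in ops}

def covers(scope, namespace, table):
    # Assumption: global covers everything; a namespace grant covers its tables.
    level, ns, tbl = scope
    return (level == "global" or (level == "namespace" and ns == namespace)
            or (ns, tbl) == (namespace, table))

def audit(grants, workload):
    """Return (denied, unused): operations with no covering grant, and
    granted permissions that no operation in the workload needed."""
    used, denied = defaultdict(set), []
    for user, op, ns, table in workload:
        need = REQUIRED[op]
        hits = [s for s, perms in grants.get(user, {}).items()
                if need in perms and covers(s, ns, table)]
        if not hits:
            denied.append((user, op, need))
        for s in hits:
            used[user].add((s, need))
    unused = sorted((u, s, p) for u, scopes in grants.items()
                    for s, perms in scopes.items() for p in perms
                    if (s, p) not in used[u])
    return denied, unused

# Constructed sample data: {user: {(level, namespace, table): permissions}}.
GRANTS = {
    "etl": {("table", "default", "orders"): {"READ", "WRITE", "ADMIN"}},
    "ops": {("global", "*", "*"): {"SYSTEM", "TRASH"}},
}
WORKLOAD = [  # (user, operation, namespace, table), also constructed
    ("etl", "PUT", "default", "orders"),
    ("etl", "SCAN", "default", "orders"),
    ("etl", "TRUNCATE TABLE", "default", "orders"),
    ("ops", "FLUSH", "default", "orders"),
]
print(audit(GRANTS, WORKLOAD))
```

In the sample, the etl user's TRUNCATE TABLE is reported as denied because ADMIN does not include TRASH, and the unused ADMIN and global TRASH grants are candidates for revocation.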