This topic describes how to integrate HBase with Ranger and how to configure related permissions.

Prerequisites

A cluster is created and the HBase and Ranger services are selected when you create the cluster. For more information, see Create a cluster.

Integrate HBase with Ranger

  1. Go to the Services tab.
    1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
    2. In the top navigation bar, select the region in which your cluster resides and select a resource group.
    3. On the EMR on ECS page, find the cluster that you want to manage and click Services in the Actions column.
  2. Enable HBase for Ranger.
    1. On the Services tab, click Status in the Ranger section.
    2. In the Components section, find the RangerRuntime component and click enableHBase in the Actions column.
    3. In the dialog box that appears, configure the Execution Reason parameter and click OK.
    4. In the Confirm message, click OK.
  3. View the HBase service on the Ranger UI.
    1. Log on to the Ranger UI. For more information, see Access the Ranger UI.
    2. Click emr-hbase.
      After you enable HBase for Ranger, an HBase service named emr-hbase is automatically created.
    3. View the information about the HBase service. The following table describes the parameters of the HBase service.
      You can modify the parameters based on your business requirements.
      | Parameter | Description |
      | --- | --- |
      | Service Name | The name of the service. Set the value to emr-hbase. |
      | Username | The username that is used to log on to the HBase service. In this example, hbase is used. |
      | Password | The password that is used to log on to the HBase service. You can specify a custom password. |
      | hadoop.security.authentication | Select Simple for a standard cluster. Select Kerberos for a high-security cluster. |
      | hbase.master.kerberos.principal | This parameter is required only for a high-security cluster. Set the value to hbase/_HOST@EMR.${CLUSTER_ID}.COM. Note: To obtain the value of the ${CLUSTER_ID} parameter, log on to the server and run the hostname command. Convert the string that follows 'c-' after '.' in the hostname to uppercase to obtain the value of ${CLUSTER_ID}. |
      | hbase.security.authentication | Select Simple for a standard cluster. Select Kerberos for a high-security cluster. |
      | hbase.zookeeper.property.clientPort | Set the value to 2181. |
      | hbase.zookeeper.quorum | Set the value to master-1-1. |
      | zookeeper.znode.parent | Set the value to /hbase. |
      | Add New Configurations | Name: Set the value to policy.download.auth.users. Value: Set the value to hbase. |
  4. Restart HBase.
    1. On the Services tab, click Status in the HDFS section.
    2. In the Components section, find the NameNode component and choose more > Restart in the Actions column.
    3. In the dialog box that appears, configure the Execution Reason parameter and click OK.
    4. In the Confirm message, click OK.

Configure administrator accounts

  1. Log on to the Ranger UI. For more information, see Access the Ranger UI.
  2. Click emr-hbase.
  3. Grant users the Admin permission to run management commands.
    The Admin permission allows users to run management commands, such as balance, compaction, flush, and split. Click the modify icon in the Action column for the existing permission policy, and then add administrator accounts. You can also modify the permissions. For example, you can retain only the Admin permission. You must set hbase as an administrator account.
    If you want to use Phoenix, you must add an additional policy in Ranger. The following table describes the parameters for the policy.
    | Parameter | Example |
    | --- | --- |
    | HBase Table | SYSTEM.* |
    | HBase Column-family | Asterisk (*) |
    | HBase Column | Asterisk (*) |
    | Select Group | public |
    | Permissions | Read, Write, Create, and Admin |

Permission configuration example

In this example, the Write and Execute permissions on the foo_ns:test table are granted to a user named test.

  1. Log on to the Ranger UI. For more information, see Access the Ranger UI.
  2. Click emr-hbase.
  3. Click Add New Policy in the upper-right corner.
  4. Configure the permission parameters.
    | Parameter | Description |
    | --- | --- |
    | Policy Name | The name of the policy. You can specify a custom name. |
    | HBase Table | The table on which permissions are granted. Set the value in the format of ${namespace}:${tablename}. You can specify multiple tables. Press the Enter key each time you enter a table name. |
    | HBase Column-family | The column family. For example, set this parameter to *. |
    | HBase Column | The name of the column. For example, set this parameter to *. |
    | Select Group | The user group to which you want to attach the policy. |
    | Select User | The user to whom you want to attach the policy, such as test. |
    | Permissions | The permissions that you want to grant, such as Read, Write, Create, and Admin. |
  5. Click Add.
    After the policy is added, the test user is granted the specified permissions. The test user can access the foo_ns:test table.
    Note: After you add, remove, or modify a policy, it takes about one minute for the configuration to take effect.
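
The grants described in "Configure administrator accounts" and "Permission configuration example" can be reviewed as data once the emr-hbase policies are available in Ranger's policy JSON form. The following Python script is an added example, not part of the original documentation or of Ranger: it flags Admin granted to the public group, all-table grants to principals other than hbase, and a missing hbase administrator. The field names follow Ranger's policy JSON model; the policy names, the make_policy helper, and the sample data are assumptions constructed from the values on this page.

```python
# Constructed sample: three policies in Ranger's policy JSON shape, mirroring this page.
def make_policy(name, table, users, groups, types):
    wildcard = {"values": ["*"]}
    return {"service": "emr-hbase", "name": name, "isEnabled": True,
            "resources": {"table": {"values": [table]},
                          "column-family": wildcard, "column": wildcard},
            "policyItems": [{"users": users, "groups": groups,
                             "accesses": [{"type": t, "isAllowed": True} for t in types]}]}

SAMPLE_POLICIES = [
    make_policy("default-admin", "*", ["hbase"], [], ["read", "write", "create", "admin"]),
    make_policy("phoenix-system", "SYSTEM.*", [], ["public"], ["read", "write", "create", "admin"]),
    make_policy("test-foo-ns", "foo_ns:test", ["test"], [], ["write", "execute"]),
]

def audit(policies, service="emr-hbase", required_admin="hbase"):
    """Return (policy name, finding) pairs for grants that deserve a second look."""
    findings, admin_users = [], set()
    for p in policies:
        if p.get("service") != service or not p.get("isEnabled", True):
            continue  # other services and disabled policies grant nothing here
        tables = p["resources"]["table"]["values"]
        for item in p.get("policyItems", []):
            types = {a["type"] for a in item.get("accesses", []) if a.get("isAllowed", True)}
            users, groups = set(item.get("users", [])), set(item.get("groups", []))
            if "admin" in types:
                admin_users |= users
                if "public" in groups:  # public = every user known to Ranger
                    findings.append((p["name"], "admin granted to group public on " + ", ".join(tables)))
            if "*" in tables and types and (groups or users - {required_admin}):
                findings.append((p["name"], "all-table grant to principals other than " + required_admin))
    if required_admin not in admin_users:
        findings.append(("(service)", required_admin + " lacks the admin permission"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_POLICIES):
        print(name + ": " + finding)
```

On the sample data the only finding is the Phoenix policy, which grants Admin on SYSTEM.* to every user through the public group.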