Without access control, all accounts on an HBase cluster can perform any operation—including disabling tables, dropping tables, and running major compactions. HBase access control list (ACL) lets you grant fine-grained operation permissions on specific resources to individual users or groups, so you can enforce least-privilege access across your cluster.
Prerequisites
Before you begin, ensure that you have:
An EMR on ECS cluster with the HBase service deployed
On clusters without Kerberos authentication, users can forge identities to access cluster services even after ACL is enabled. We recommend that you create clusters with Kerberos authentication enabled to ensure high security. For more information, see Overview.
Key concepts
HBase ACL controls access by combining three dimensions: the scope of the resource, the type of operation, and the entity being granted access.
Permission scopes
| Scope | Description |
|---|---|
| Superuser | Can perform all operations. By default, the account that runs HBase is a superuser. To add a superuser, set the hbase.superuser parameter in hbase-site.xml. |
| Global | Admin permissions on all tables in the cluster. |
| Namespace | Access control at the namespace level. |
| Table | Access control at the table level. |
| ColumnFamily | Access control at the column family level. |
| Cell | Access control at the cell level. |
Operation permissions
| Permission | Code | Description |
|---|---|---|
| Read | R | Reads data from resources in a specific scope. |
| Write | W | Writes data to resources in a specific scope. |
| Execute | X | Executes coprocessors in a specific scope. |
| Create | C | Creates or deletes tables in a specific scope. |
| Admin | A | Performs cluster-related operations, such as balance or assignment, in a specific scope. |
Entities
| Entity | Description |
|---|---|
| User | A single user account |
| Group | A user group, prefixed with @ in HBase shell commands |
Configure and enable HBase ACL
Step 1: configure hbase-site.xml
Log on to the EMR console and go to the EMR on ECS page.
In the top navigation bar, select the region where your cluster resides and select a resource group.
Find the target cluster and click Services in the Actions column.
On the Services tab, find the HBase service and click Configure.
Click the hbase-site.xml tab.
Add or modify the following configuration items:
| Key | Value |
|---|---|
| hbase.security.authorization | true |
| hbase.coprocessor.master.classes | org.apache.hadoop.hbase.security.access.AccessController |
| hbase.coprocessor.region.classes | org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController |
| hbase.coprocessor.regionserver.classes | org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider |
Step 2: restart the HBase service
In the upper-right corner of the HBase service page, choose More > Restart.
In the dialog box, fill in the Execution Reason field and click OK.
In the Confirm dialog, click OK.
After the service restarts, ACL is active for all subsequent HBase operations.
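Before restarting, it is worth confirming that all four settings from the table in Step 1 actually reached hbase-site.xml: authorization is a no-op unless `hbase.security.authorization` is `true`, and a missing AccessController in any of the three coprocessor lists leaves that component unchecked. The script below is an added example, not part of this page, EMR or HBase; it parses a Hadoop-style XML config and reports what is missing. The two embedded configs are constructed samples (a weak one beside the corrected one); pass a real file path as the first argument to check a cluster's own copy.

```python
"""Check an hbase-site.xml for the ACL settings described above.
Added example; not part of EMR or HBase. The two configs below are constructed."""
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
TOKEN_PROVIDER = "org.apache.hadoop.hbase.security.token.TokenProvider"

# Coprocessor lists are comma-separated; order does not matter for this check.
REQUIRED_COPROCESSORS = {
    "hbase.coprocessor.master.classes": {ACCESS_CONTROLLER},
    "hbase.coprocessor.region.classes": {TOKEN_PROVIDER, ACCESS_CONTROLLER},
    "hbase.coprocessor.regionserver.classes": {ACCESS_CONTROLLER, TOKEN_PROVIDER},
}


def parse_hbase_site(xml_text):
    """Return {name: value} for every <property> of a Hadoop-style XML config."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def check_acl_config(props):
    """Return a list of findings; an empty list means ACL is fully enabled."""
    findings = []
    auth = props.get("hbase.security.authorization")
    if auth is None:
        findings.append("hbase.security.authorization: missing")
    elif auth.lower() != "true":
        findings.append(f"hbase.security.authorization: is '{auth}', expected 'true'")
    for key, required in REQUIRED_COPROCESSORS.items():
        value = props.get(key)
        if value is None:
            findings.append(f"{key}: missing")
            continue
        present = {c.strip() for c in value.split(",") if c.strip()}
        missing = required - present
        if missing:
            findings.append(f"{key}: missing {', '.join(sorted(missing))}")
    return findings


# Constructed sample: authorization off, AccessController not loaded anywhere.
WEAK_SITE = """<configuration>
  <property><name>hbase.security.authorization</name><value>false</value></property>
  <property><name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider</value></property>
</configuration>"""

# Constructed sample carrying the four values from the table above.
HARDENED_SITE = """<configuration>
  <property><name>hbase.security.authorization</name><value>true</value></property>
  <property><name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
  <property><name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value></property>
  <property><name>hbase.coprocessor.regionserver.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider</value></property>
</configuration>"""


if __name__ == "__main__":
    import sys
    # Pass a real file path to check it; with no argument, run the two samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            samples = {sys.argv[1]: f.read()}
    else:
        samples = {"weak": WEAK_SITE, "hardened": HARDENED_SITE}
    for label, text in samples.items():
        findings = check_acl_config(parse_hbase_site(text))
        print(f"{label}: {'OK' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

The check treats the coprocessor lists as sets, so an existing list that already carries other coprocessors passes as long as AccessController (and TokenProvider where the table lists it) is present.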
Manage permissions with HBase shell
Open HBase shell and use the following commands to grant, revoke, and inspect permissions.
Command syntax
```
grant <user> <permissions> [<@namespace> [<table> [<column family> [<column qualifier>]]]]
revoke <user> [<@namespace> [<table> [<column family> [<column qualifier>]]]]
user_permission <table>
```
Use <permissions> as a combination of the permission codes R, W, X, C, and A. Prefix a group name with @ to grant permissions to a user group (for example, @testgrp). Prefix a namespace with @ to scope a grant to the namespace level (for example, @ns_1).
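To make the interaction of the three dimensions concrete (scope hierarchy, permission code, and user versus @group entity), the model below replays the shell grants from this page against an in-memory store and answers "is this user allowed to do this?". It is an added example, not HBase's AccessController and not EMR code: the group membership, the `dave`/`cf1` column-family grant and the `hbase` superuser are constructed for the demo, and the rule that a whole-table operation needs a table-wide grant (a family-level grant does not cover it) is this model's simplification of HBase's behaviour.

```python
"""Simplified model of HBase ACL resolution: the scope hierarchy
(global > namespace > table > column family > qualifier), the permission
codes R/W/X/C/A, and user vs @group entities. Added example; this is not
HBase's AccessController, and the group mapping is constructed inline."""
from dataclasses import dataclass
from typing import Optional

PERMISSION_CODES = frozenset("RWXCA")


def qualify_table(name):
    """HBase tables without a namespace prefix live in the 'default' namespace."""
    return name if ":" in name else f"default:{name}"


@dataclass(frozen=True)
class Grant:
    entity: str                        # 'test' for a user, '@testgrp' for a group
    actions: frozenset                 # subset of PERMISSION_CODES
    namespace: Optional[str] = None    # set only for namespace-scoped grants
    table: Optional[str] = None        # 'ns:table', always namespace-qualified
    family: Optional[str] = None
    qualifier: Optional[str] = None


def parse_grant(entity, perms, target=None, family=None, qualifier=None):
    """Mirror the shell argument order:
    grant <user> <permissions> [<@namespace> | <table> [<family> [<qualifier>]]]"""
    codes = frozenset(perms.upper())
    unknown = codes - PERMISSION_CODES
    if unknown:
        raise ValueError(f"unknown permission code(s): {sorted(unknown)}")
    if target is None:
        return Grant(entity, codes)                          # global scope
    if target.startswith("@"):
        return Grant(entity, codes, namespace=target[1:])    # namespace scope
    return Grant(entity, codes, table=qualify_table(target), family=family, qualifier=qualifier)


class AclStore:
    """In-memory stand-in for the grants HBase keeps in its acl table."""

    def __init__(self, superusers=(), groups=None):
        self.superusers = set(superusers)
        self.groups = groups or {}      # user -> set of group names (constructed mapping)
        self.grants = []

    def grant(self, *args):
        self.grants.append(parse_grant(*args))

    def principals(self, user):
        """A user is matched by its own grants and by grants to any of its @groups."""
        return {user} | {"@" + g for g in self.groups.get(user, ())}

    def is_authorized(self, user, action, namespace=None, table=None, family=None, qualifier=None):
        """Walk the scopes from widest to narrowest; the first matching grant wins.
        Model rule: an operation on a whole table needs a table-wide grant, so a
        family- or qualifier-level grant does not cover a table-level request."""
        if user in self.superusers:
            return True
        if table is not None:
            table = qualify_table(table)
            namespace = table.split(":", 1)[0]
        principals = self.principals(user)
        for g in self.grants:
            if g.entity not in principals or action not in g.actions:
                continue
            if g.namespace is None and g.table is None:
                return True                                  # global grant
            if g.table is None:
                if g.namespace == namespace:
                    return True                              # namespace grant covers its tables
                continue
            if g.table != table:
                continue
            if g.family is None:
                return True                                  # whole-table grant
            if g.family != family:
                continue
            if g.qualifier is None or g.qualifier == qualifier:
                return True
        return False


def demo():
    """Replay the page's shell examples against the model; returns the decisions."""
    acl = AclStore(superusers={"hbase"}, groups={"bob": {"testgrp"}})
    acl.grant("test", "R", "tbl1")          # grant 'test', 'R', 'tbl1'
    acl.grant("@testgrp", "R", "tbl1")      # grant '@testgrp', 'R', 'tbl1'
    acl.grant("test", "C", "@ns_1")         # grant 'test', 'C', '@ns_1'
    acl.grant("dave", "R", "tbl1", "cf1")   # column-family scope (constructed)
    return {
        "test reads tbl1": acl.is_authorized("test", "R", table="tbl1"),
        "test writes tbl1": acl.is_authorized("test", "W", table="tbl1"),
        "bob reads tbl1 via @testgrp": acl.is_authorized("bob", "R", table="tbl1"),
        "carol reads tbl1": acl.is_authorized("carol", "R", table="tbl1"),
        "test creates in ns_1": acl.is_authorized("test", "C", namespace="ns_1"),
        "test creates in default": acl.is_authorized("test", "C", namespace="default"),
        "dave reads tbl1 cf1": acl.is_authorized("dave", "R", table="tbl1", family="cf1"),
        "dave reads tbl1 cf2": acl.is_authorized("dave", "R", table="tbl1", family="cf2"),
        "hbase superuser drops tbl1": acl.is_authorized("hbase", "A", table="tbl1"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {check}")
```

The point to take from the demo is that a namespace-scoped `C` on @ns_1 says nothing about the default namespace, and a group grant reaches `bob` only because the group mapping says he is a member; on a real cluster that mapping comes from Hadoop's group resolution, which is why unauthenticated clusters (see the Prerequisites note) undermine ACL.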
Examples
Grant Read permission on table tbl1 to user test:
```
grant 'test', 'R', 'tbl1'
```
Grant Read permission on table tbl1 to user group testgrp:
```
grant '@testgrp', 'R', 'tbl1'
```
Grant Create permission on namespace ns_1 to user test:
```
grant 'test', 'C', '@ns_1'
```
Revoke all permissions from user trafodion:
```
revoke 'trafodion'
```
Query all permissions on table TABLE_A:
```
user_permission 'TABLE_A'
```
What's next
To configure Kerberos authentication for your cluster, see Overview.