Configuring HBase Authorization | 6.3.x (2023)

After configuring HBase authentication (as detailed in HBase Configuration), you must define rules on resources that isallowed to access. HBase rules can be defined for individual tables, columns, and cells within a table. Cell-level authorization is fully supported since CDH 5.2.

Continue reading:

  • Understanding HBase Access Levels
  • Enable HBase Authorization
  • Configure Access Control Lists for Authorization
  • Auditing HBase Authorization Grants

Understanding HBase Access Levels

HBase access levels are granted independently of each other and allow for different types of operations at a given scope.

  • Read (R) - can read data at the given scope
  • Write (W) - can write data at the given scope
  • Execute (X) - can execute coprocessor endpoints at the given scope
  • Create (C) - can create tables or drop tables (even those they did not create) at the given scope
  • Admin (A) - can perform cluster operations such as balancing the cluster or assigning regions at the given scope
(Video) Hadoop Tutorials - Kerberos Authentication - Part 1

The possible scopes are:

  • Superuser - superusers can perform any operation available in HBase, to any resource. The user who runs HBase on your cluster is a superuser, as are anyprincipals assigned to the configuration property hbase.superuser in hbase-site.xml on the HMaster.
  • Global - permissions granted at global scope allow the admin to operate on all tables of the cluster.
  • Namespace - permissions granted at namespace scope apply to all tables within a given namespace.
  • Table - permissions granted at table scope apply to data or metadata within a given table.
  • ColumnFamily - permissions granted at ColumnFamily scope apply to cells within that ColumnFamily.
  • Cell - permissions granted at Cell scope apply to that exact cell coordinate. This allows for policy evolution along with data. To change an ACL on aspecific cell, write an updated cell with new ACL to the precise coordinates of the original. If you have a multi-versioned schema and want to update ACLs on all visible versions, you'll need towrite new cells for all visible versions. The application has complete control over policy evolution. The exception is append and increment processing. Appends and increments can carry an ACL in the operation. If one is included in the operation,then it will be applied to the result of the append or increment. Otherwise, the ACL of the existing cell being appended to orincremented is preserved.

The combination of access levels and scopes creates a matrix of possible access levels that can be granted to a user. In a production environment, it is useful to think of accesslevels in terms of what is needed to do a specific job. The following list describes appropriate access levels for some common types of HBase users. It is important not to grant more access than isrequired for a given user to perform their required tasks.

  • Superusers - In a production system, only the HBase user should have superuser access. In a development environment, an administrator might need superuseraccess to quickly control and manage the cluster. However, this type of administrator should usually be a Global Admin rather than a superuser.
  • Global Admins - A global admin can perform tasks and access every table in HBase. In a typical production environment, anadmin should not have Read or Write permissions to data within tables.

    • A global admin with Admin permissions can perform cluster-wide operations on the cluster, such as balancing, assigning or unassigning regions, or callingan explicit major compaction. This is an operations role.

      (Video) Apache HBase Connector: Feature Rich and Efficient Access to HBase through Spark SQL - Weiqing Yang

    • A global admin with Create permissions can create or drop any table within HBase. This is more of a DBA-type role.

    In a production environment, it is likely that different users will have only one of Admin and Create permissions.

  • Namespace Admin - a namespace admin with Create permissions can create or drop tables within that namespace, and take and restore snapshots. A namespaceadmin with Admin permissions can perform operations such as splits or major compactions on tables within that namespace. Prior to CDH 5.4, only global admins could create namespaces. In CDH 5.4, anyuser with Namespace Create privileges can create namespaces.
  • Table Admins - A table admin can perform administrative operations only on that table. A table admin with Createpermissions can create snapshots from that table or restore that table from a snapshot. A table admin with Admin permissions can perform operations such as splits ormajor compactions on that table.
  • Users - Users can read or write data, or both. Users can also execute coprocessor endpoints, if given Executablepermissions.

The following table shows some typical job descriptions at a hypothetical company and the permissions they might require to get their jobs done using HBase.

Real-World Example of Access Levels
Job TitleScopePermissionsDescription
Senior AdministratorGlobalAdmin, CreateManages the cluster and gives access to Junior Administrators.
Junior AdministratorGlobalCreateCreates tables and gives access to Table Administrators.
Table AdministratorTableAdminMaintains a table from an operations point of view.
Data AnalystTableReadCreates reports from HBase data.
Web ApplicationTableRead, WritePuts data into HBase and uses HBase data to perform operations.

Enable HBase Authorization

HBase authorization is built on top of the Coprocessors framework, specifically AccessController Coprocessor.

(Video) Evaluating installed HBase service

  1. Go to Clusters and select the HBase cluster.
  2. Select Configuration.
  3. Search for HBase Secure Authorization and select it.
  4. Search for HBase Service Advanced Configuration Snippet (Safety Valve) for hbase-site.xml and enter the following into it to enable Without this option, all users will continue to have access to execute endpoint coprocessors. This option is not enabled when you enableHBase Secure Authorization for backward compatibility.
    <property> <name></name> <value>true</value></property>
  5. Optionally, search for and configure HBase Coprocessor Master Classes and HBase Coprocessor Region Classes.

Configure Access Control Lists for Authorization

Now that HBase has the security coprocessor enabled, you can set ACLs using the HBase shell. Start the HBase shell as usual.

The commands that control ACLs take the following form. Group names are prefixed with the @ symbol.

hbase> grant <user> <permissions> [ @<namespace> [ <table>[ <column family>[ <column qualifier> ] ] ] ] # grants permissionshbase> revoke <user> [ @<namespace> [ <table> [ <column family> [ <column qualifier> ] ] ] # revokes permissionshbase> user_permission <table> # displays existing permissions

In the above commands, fields encased in <> are variables, and fields in [] are optional. The permissions variable must consist of zero or more character from the set "RWCA".

  • R denotes read permissions, which is required to perform Get, Scan, or Exists calls in a given scope.
  • W denotes write permissions, which is required to perform Put, Delete, LockRow, UnlockRow, IncrementColumnValue, CheckAndDelete, CheckAndPut, Flush, or Compact in a given scope.
  • X denotes execute permissions, which is required to execute coprocessor endpoints.
  • C denotes create permissions, which is required to perform Create, Alter, or Drop in a given scope.
  • A denotes admin permissions, which is required to perform Enable, Disable, Snapshot, Restore, Clone, Split, MajorCompact,Grant, Revoke, and Shutdown in a given scope.

Access Control List Example Commands

grant 'user1', 'RWC'grant 'user2', 'RW', 'tableA'grant 'user3', 'C', '@my_namespace'

Be sure to review the information in Understanding HBase Access Levels to understand the implications of thedifferent access levels.

(Video) Hive Authorization Using Apache Ranger

Configure Cell_Level Access Control Lists

If you wish to enable cell-level ACLs for HBase, then you must modify the default values for the following properties: => true (the default value is false) => false (the default value is true)hfile.format.version => 3 (the default value is 2)

Unless you modify the default properties as specified (or via the service-wide HBase Service Advanced Configuration Snippet (Safety Valve) forhbase-site.xml, which requires a service restart), then cell level ACLs will not work.

The following example shows how to grant (or revoke) HBase permissions (in this case, read permission) at the cell-level via an ACL:

grant 'Employee', { '' => 'R' }, { COLUMNS => [ 'pd' ], FILTER => "(PrefixFilter ('T'))" }

Auditing HBase Authorization Grants

When Cloudera Navigator collects HBase audits (enabled by default in Cloudera Manager), each time a grant occurs, Navigator collects an audit event for the grant. The audit includes theinformation in the following table:

IDAutomatically generated and incremented ID.
SERVICE_NAMEHBase service name as shown in Cloudera Manager.
ALLOWEDWhether the request to perform an operation failed or succeeded. A failure occurs if the user is not authorized to perform theaction.
USERNAMEUsername for the account that performed the operation. Depending on how HBase is configured, this can be the service user.
IMPERSONATORIf HBase is configured for the service user to impersonate the user performing an operation, the impersonated user appears inUSERNAME and the service name appears in this field.
IP_ADDRIP address of the HBase service.
EVENT_TIMEEvent occurrence in milliseconds in epoch time format.
TABLE_NAMEThe object that is the target of the operation, if appropriate.
FAMILYThe column family that is the object of the operation, if appropriate.
QUALIFIERThe column that is the object of the operation, if appropriate.
OPERATIONThe operation command.

For information on other HBase commands audited through Cloudera Navigator, see Cloudera Navigator Service AuditEvents.

(Video) Apache HBase 101: How HBase Can Help You Build Scalable, Distributed Java Applications


1. Connection refused error when running HIVE in Hadoop EcoSystem
(Commands Tech)
2. Controlling HDFS permission using Ranger
(NextGen Learning)
3. [HBaseCon East 2016] Session 5: Practical Kerberos with Apache HBase
(HBaseCon East 2016)
4. Hadoop Tutorial - File Permission and ACL
(Learning Journal)
5. Using HBase Coprocessors to Build a Distributed, Transactional RDBMS
(Jim Scott)
6. HBaseCon 2013: Multi-tenant Apache HBase at Yahoo!
(Sumeet Singh)
Top Articles
Latest Posts
Article information

Author: Kerri Lueilwitz

Last Updated: 04/30/2023

Views: 5850

Rating: 4.7 / 5 (67 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Kerri Lueilwitz

Birthday: 1992-10-31

Address: Suite 878 3699 Chantelle Roads, Colebury, NC 68599

Phone: +6111989609516

Job: Chief Farming Manager

Hobby: Mycology, Stone skipping, Dowsing, Whittling, Taxidermy, Sand art, Roller skating

Introduction: My name is Kerri Lueilwitz, I am a courageous, gentle, quaint, thankful, outstanding, brave, vast person who loves writing and wants to share my knowledge and understanding with you.