This is the documentation for CDH 4.7.0.
Documentation for other versions is available at Cloudera Documentation.

Configuring HBase Authorization

After you have configured HBase authentication as described in the previous section, you must establish authorization rules for the resources that a client is allowed to access. In this release, HBase only allows you to establish authorization rules on a column or table level. Authorization at the row or cell-level is currently not possible.

Enable HBase Authorization

HBase authorization is built on top of the coprocessor framework, specifically the AccessController coprocessor.

To enable HBase authorization, add the following properties to the hbase-site.xml file on every HBase server host (Master or Region Server):

<property>
     <name>hbase.security.authorization</name>
     <value>true</value>
</property>
<property>
     <name>hbase.coprocessor.master.classes</name>
     <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
     <name>hbase.coprocessor.region.classes</name>
     <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
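The following is an added check, not part of the Cloudera documentation or the HBase project: it parses a Hadoop-style hbase-site.xml and verifies that all three settings above are in place, since setting hbase.security.authorization to true without also loading the AccessController coprocessor on both Master and Region Servers leaves ACLs unenforced. The sample configuration embedded in it is constructed for illustration.

```python
# Added example: verify that an hbase-site.xml really enables HBase authorization
# as described above (flag set AND AccessController loaded on master and region).
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
TOKEN_PROVIDER = "org.apache.hadoop.hbase.security.token.TokenProvider"


def parse_hbase_site(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style config file."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value") or ""
        if name:
            props[name.strip()] = value.strip()
    return props


def check_authorization(props):
    """Return a list of problems; an empty list means the three settings are present."""
    problems = []
    if props.get("hbase.security.authorization", "").lower() != "true":
        problems.append("hbase.security.authorization is not true")
    # Coprocessor properties are comma-separated class lists; split and trim them.
    master = [c.strip() for c in props.get("hbase.coprocessor.master.classes", "").split(",") if c.strip()]
    region = [c.strip() for c in props.get("hbase.coprocessor.region.classes", "").split(",") if c.strip()]
    if ACCESS_CONTROLLER not in master:
        problems.append("AccessController missing from hbase.coprocessor.master.classes")
    if ACCESS_CONTROLLER not in region:
        problems.append("AccessController missing from hbase.coprocessor.region.classes")
    if TOKEN_PROVIDER not in region:
        problems.append("TokenProvider missing from hbase.coprocessor.region.classes")
    return problems


# Constructed sample: the flag is set, but the region coprocessor list lacks AccessController,
# so region servers would not enforce any ACLs.
SAMPLE_BAD = """<configuration>
<property><name>hbase.security.authorization</name><value>true</value></property>
<property><name>hbase.coprocessor.master.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
<property><name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider</value></property>
</configuration>"""

if __name__ == "__main__":
    for problem in check_authorization(parse_hbase_site(SAMPLE_BAD)):
        print("MISCONFIG:", problem)
```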

Configure Access Control Lists for Authorization

Now that HBase has the security coprocessor enabled, you can set ACLs via the HBase shell. Start the HBase shell as usual.

  Important:

The host running the shell must be configured with a keytab file for ZooKeeper, as described in the previous section.

The commands that control ACLs are of the form:

grant <user> <permissions> [ <table> [ <column family> [ <column qualifier> ] ] ]    # grants permissions
revoke <user> <permissions> [ <table> [ <column family> [ <column qualifier> ] ] ]   # revokes permissions
user_permission <table>                                                             # displays existing permissions

In the above commands, fields enclosed in <> are variables, and fields in [] are optional. The permissions variable must consist of zero or more characters from the set "RWCA".

  • R denotes read permission, which is required to perform Get, Scan, or Exists calls.
  • W denotes write permission, which is required to perform Put, Delete, LockRow, UnlockRow, IncrementColumnValue, CheckAndDelete, CheckAndPut, Flush, or Compact.
  • C denotes create permission, which is required to perform Create, Alter, or Drop.
  • A denotes admin permission, which is required to perform Enable, Disable, Snapshot, Restore, Clone, Split, MajorCompact, Grant, Revoke, and Shutdown.

For example:

grant 'user1', 'RWC'
grant 'user2', 'RW', 'tableA'

The HBase superuser can also grant a user global permissions (a grant with no table argument, as in the first example above), for instance the permission to create tables or to perform other cluster-wide operations.