Configuring HBase Authorization
After you have configured HBase authentication as described in the previous section, you must establish authorization rules for the resources that a client is allowed to access. In this release, HBase only allows you to establish authorization rules at the table or column level. Authorization at the row or cell level is currently not possible.
Enable HBase Authorization
HBase authorization is built on top of the coprocessor framework, specifically the AccessController coprocessor.
To enable HBase authorization, add the following properties to the hbase-site.xml file on every HBase server host (Master or Region Server):
<property>
  <name>hbase.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hbase.coprocessor.master.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
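A common misconfiguration is enabling the authorization flag while forgetting to load AccessController on one of the server roles, which silently leaves that role unprotected. The following added checker (example code, not part of the HBase project or this documentation) parses an hbase-site.xml and reports any of the three settings above that are missing; the two XML samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values the hbase-site.xml snippet above requires on every Master and Region Server.
ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
REQUIRED_COPROCESSORS = {
    "hbase.coprocessor.master.classes": {ACCESS_CONTROLLER},
    "hbase.coprocessor.region.classes": {ACCESS_CONTROLLER},
}

def parse_hbase_site(xml_text):
    """Return {name: value} for every <property> in an hbase-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def check_authorization(props):
    """Return a list of problems; an empty list means authorization is fully enabled."""
    problems = []
    if props.get("hbase.security.authorization", "").lower() != "true":
        problems.append("hbase.security.authorization is not true")
    for key, needed in REQUIRED_COPROCESSORS.items():
        # Coprocessor class lists are comma-separated; AccessController must be one entry.
        loaded = {c.strip() for c in props.get(key, "").split(",") if c.strip()}
        for cls in sorted(needed - loaded):
            problems.append(f"{key} does not load {cls}")
    return problems

# Constructed sample matching the snippet above: everything is in place.
SAMPLE_GOOD = """<configuration>
  <property><name>hbase.security.authorization</name><value>true</value></property>
  <property><name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
  <property><name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value></property>
</configuration>"""

# Constructed sample: flag set, but the Region Server coprocessor list lacks AccessController.
SAMPLE_BAD = SAMPLE_GOOD.replace(",org.apache.hadoop.hbase.security.access.AccessController", "")

if __name__ == "__main__":
    for label, xml in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_authorization(parse_hbase_site(xml)) or ["ok"])
```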
Configure Access Control Lists for Authorization
Now that HBase has the security coprocessor enabled, you can set ACLs via the HBase shell. Start the HBase shell as usual.
The host running the shell must be configured with a keytab file for ZooKeeper, as described in the previous section.
The commands that control ACLs are of the form of:
grant <user> <permissions> [ <table> [ <column family> [ <column qualifier> ] ] ]    # grants permissions
revoke <user> <permissions> [ <table> [ <column family> [ <column qualifier> ] ] ]   # revokes permissions
user_permission <table>    # displays existing permissions
In the above commands, fields enclosed in <> are variables, and fields enclosed in [] are optional. The permissions variable must consist of zero or more characters from the set "RWCA".
- R denotes read permissions, which is required to perform Get, Scan, or Exists calls
- W denotes write permissions, which is required to perform Put, Delete, LockRow, UnlockRow, IncrementColumnValue, CheckAndDelete, CheckAndPut, Flush, or Compact
- C denotes create permissions, which is required to perform Create, Alter, or Drop
- A denotes admin permissions, which is required to perform Enable, Disable, Snapshot, Restore, Clone, Split, MajorCompact, Grant, Revoke, and Shutdown.
For example:
grant 'user1', 'RWC'
grant 'user2', 'RW', 'tableA'
It is also possible for the hbase superuser to grant a user global permissions to create tables as well as other operations.