
Authorizing Other Users to Access HBase in a Cluster with IAM Authentication Enabled

If you enable IAM authentication when creating a CloudTable cluster, other users cannot access HBase in the cluster unless you authorize them. Before another user can access a cluster with IAM authentication enabled, you must run the grant command to grant that user permission. You can later run the revoke command to revoke the permission you have granted.

HBase Permission Control Commands

The grant command is used to grant specific permission to a specified user. Its syntax is as follows:

grant <user>, <permissions> [, <@namespace> [, <table> [, <column family> [, <column qualifier>]]]]

The revoke command is used to revoke the permission assigned to a specified user. Its syntax is as follows:

revoke <user> [, <@namespace> [, <table> [, <column family> [, <column qualifier>]]]]

The user_permission command is used to query the permissions granted on a table. Its syntax is as follows:

user_permission <table>

<permissions> is a string made up of one or more of the following five permission types:

  • R - can read data at the given scope.
  • W - can write data at the given scope.
  • X - can execute coprocessor endpoints at the given scope.
  • C - can create or delete tables at the given scope (including tables created by other users).
  • A - can perform cluster operations, such as balancing the cluster or assigning regions, at the given scope.

For more information about HBase permission control, see Access Control Labels (ACLs) in the official HBase documentation.

Syntax examples:

--Grant the RWXC permission to userA.
grant 'userA', 'RWXC'

--View permissions of a specified table.
user_permission 'table01'

--Revoke the permission assigned to userA.
revoke 'userA'

Authorizing Other Users to Access HBase in a Cluster with IAM Authentication Enabled

Assume that user A wants to access your cluster with IAM authentication enabled. Perform the following steps to grant permission to user A and, when it is no longer needed, to revoke it.

  1. Use the HBase shell to access the cluster. For details, see Deploying a Client in One Click.
  2. In the HBase shell, run the following command to grant permission to user A:

    grant 'User A', 'RWXC'

  3. User A uses the HBase shell to access the cluster. For details, see Deploying a Client in One Click.

    When you run the following command to deploy the HBase shell in one click, replace the parameters in the command as described below.

    source quick_start_hbase_shell.sh $zookeeper_address $user_name $access_key $secret_key
    • $zookeeper_address: the ZooKeeper address of the cluster with IAM authentication enabled that you want to access.
    • $user_name: the username used to create the cluster. If the cluster was created using an account, set $user_name to the account name. If the cluster was created using an IAM user under an account, set $user_name to the IAM username.account name. An account and an IAM user are in a parent-child relationship.
    • $access_key and $secret_key: the AK and SK of user A.

  4. After the HBase shell has been deployed in one click, user A can access the HBase shell to create tables and insert data.

    For details about the HBase shell commands, see HBase Shell Commands.

    For example, run the following command to query all tables in HBase:

    list

  5. If you want to prevent user A from accessing the cluster, revoke the permission.

    You can run the following command in the HBase shell to revoke the permission:

    revoke 'User A'
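The syntax examples and steps 2 and 5 above grant and revoke permission at cluster (global) scope. The following HBase shell session is an added example, not part of the CloudTable documentation, showing the same grant, user_permission and revoke commands applied at namespace, table and column-family scope so that user A receives only the access actually needed. The namespace app_ns, the table app_ns:orders, the column family cf and the user name userA are constructed placeholders.

```hbase
# Added example (not from the CloudTable documentation): a least-privilege
# alternative to the global "grant 'User A', 'RWXC'" used in step 2.
# Names below (namespace app_ns, table app_ns:orders, column family cf,
# user userA) are constructed placeholders.

# 1. Create the namespace and table that userA will be allowed to use.
create_namespace 'app_ns'
create 'app_ns:orders', 'cf'

# 2. Grant at the narrowest scope that does the job:
#    read and write on one table only, instead of global RWXC.
grant 'userA', 'RW', 'app_ns:orders'

#    If userA must create tables, confine C to the namespace, not the cluster.
grant 'userA', 'C', '@app_ns'

#    Column-family scope: read-only access to a single family of the table.
grant 'userA', 'R', 'app_ns:orders', 'cf'

# 3. Verify what was actually granted. user_permission prints one row per
#    stored permission together with its scope (namespace, table, family,
#    qualifier), so the table- and family-level entries appear separately.
user_permission 'app_ns:orders'

# 4. Revoke at the same scope at which the permission was granted. A bare
#    "revoke 'userA'" only removes a global grant and would leave the
#    table-, family- and namespace-level entries in place.
revoke 'userA', 'app_ns:orders', 'cf'
revoke 'userA', 'app_ns:orders'
revoke 'userA', '@app_ns'

# 5. Confirm that no entry is left for userA at any scope
#    (user_permission without an argument lists all stored permissions).
user_permission
```

HBase stores each grant as a separate entry per scope, so a revoke must name the same scope as the grant it undoes; the bare revoke in step 5 is sufficient there only because the grant in step 2 was global. Running user_permission after the revoke is the quickest way to confirm that nothing remains.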

Precautions

  • If IAM authentication is not enabled in a CloudTable cluster, other users can access HBase in the cluster without authorization.
  • If an IAM user under an account creates a CloudTable cluster with IAM authentication enabled, the account to which the IAM user belongs can read, write, and query HBase data in the cluster without being authorized. The account uses its own AK and SK to connect to the ZooKeeper address of the IAM user's cluster.