Creating HBase Roles
Scenario
Create and configure an HBase role on Manager as an MRS cluster administrator. The HBase role can set HBase administrator permissions and read (R), write (W), create (C), execute (X), or manage (A) permissions for HBase tables and column families.
Users can create a table, query/delete/insert/update data, and authorize others to access HBase tables after they set the corresponding permissions for the specified databases or tables on HDFS.
- This section applies to MRS 3.x or later.
- HBase roles can be created in security mode, but cannot be created in normal mode.
- If the current component uses Ranger for permission control, you need to configure related policies based on Ranger for permission management. For details, see Adding a Ranger Access Permission Policy for HBase.
Prerequisites
- The MRS cluster administrator has understood service requirements.
- You have logged in to Manager.
Procedure
- On Manager, choose System > Permission > Role.
- On the displayed page, click Create Role and enter a Role Name and Description.
- Set Permission. For details, see Table 1.
HBase permissions:
- HBase Scope: Authorizes HBase tables. The minimum permission is read (R) and write (W) for columns.
- SUPER_USER_GROUP: HBase administrator permissions.
Users have the read (R), write (W), create (C), execute (X), and administrate (A) permissions for the tables created by themselves.
Table 1 Setting a role Task
Role Authorization
Setting the HBase administrator permission
In Configure Resource Permission, choose Name of the desired cluster > HBase and select HBase Administrator Permission.
Setting the permission for users to create tables
- In Configure Resource Permission, choose Name of the desired cluster > HBase > HBase Scope.
- Click global.
- In the Permission column of the specified namespace, select Create and Execute. For example, select Create and Execute for the default namespace default.
Setting the permission for users to write data to tables
- In Configure Resource Permission, choose Name of the desired cluster > HBase > HBase Scope > global.
- In the Permission column of the specified namespace, select Write. For example, select Write for the default namespace default. By default, HBase sub-objects inherit the permission from the parent object.
Setting the permission for users to read data from tables
- In Configure Resource Permission, choose Name of the desired cluster > HBase > HBase Scope > global.
- In the Permission column of the specified namespace, select Read. For example, select Read for the default namespace default. By default, HBase sub-objects inherit the permission from the parent object.
Setting the permission for users to manage namespaces or tables
- In Configure Resource Permission, choose Name of the desired cluster > HBase > HBase Scope > global.
- In the Permission column of the specified namespace, select admin. For example, select admin for the default namespace default.
Setting the permission for reading data from or writing data to columns
- In Configure Resource Permission, select Name of the desired cluster > HBase > HBase Scope > global and click the specified namespace to display the tables in the namespace.
- Click a table.
- Click a column family.
- Confirm whether you want to create a role?
- If yes, enter the column name in the Resource Name text box. Use commas (,) to separate multiple columns. Select Read or Write. If there are no columns with the same name in the HBase table, a newly created column with the same name as the existing column has the same permission as the existing one. The column permission is set successfully.
- If no, modify the column permission of the existing HBase role. The columns for which the permission has been separately set are displayed in the table. Go to 5.
- To add column permissions for a role, enter the column name in the Resource Name text box and set the column permissions. To modify column permissions for a role, enter the column name in the Resource Name text box and set the column permissions. Alternatively, you can directly modify the column permissions in the table. If the column permissions are modified in the table and column permissions with the same name are added, the settings cannot be saved. You are advised to modify the column permission of a role directly in the table. The search function is supported.
- Click OK, and return to the Role page.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.