Updated on 2024-10-08 GMT+08:00

Configuring HBase Access Permissions in Ranger

After an MRS cluster with Ranger installed is created, HBase access control is not integrated into Ranger. This section describes how to integrate HBase into Ranger.

  1. Log in to the Ranger web UI.
  2. In the Service Manager area, click the add icon next to HBASE to add an HBase service.

    Figure 1 Adding an HBase service

  3. Set the parameters for adding an HBase service according to Table 1. Use the default values for the parameters that are not listed in the table.

    Table 1 Parameter description

    | Parameter | Description | Example Value |
    |---|---|---|
    | Service Name | Name of the service to be created. The value is fixed to hbasedev. | hbasedev |
    | Username | Set it based on the site requirements. | admin |
    | Password | Set it based on the site requirements. | - |
    | hadoop.security.authentication | HBase authentication mode. The value is fixed to Simple. | Simple |
    | hbase.security.authentication | HBase authentication mode. The value is fixed to Simple. | Simple |
    | hbase.zookeeper.property.clientPort | Port number of ZooKeeper in the HBase cluster. | 2181 |
    | hbase.zookeeper.quorum | ZooKeeper address in the HBase cluster. | 192.168.0.7,192.168.0.8,192.168.0.9 |
    | zookeeper.znode.parent | Path of the root node of HBase in ZooKeeper. The value is fixed to /hbase. | /hbase |

    Figure 2 Creating hbasedev

  4. Click Add to add the service.
  5. Start the Ranger HBase plugin to authorize Ranger to manage HBase.

    1. On the MRS management console, click the cluster name to go to the cluster details page.
    2. Click the Components tab.
    3. Choose HBase > Service Configuration and switch Basic to All.
    4. Search for hbase.security.authorization and change its value to true (select the first HBase parameter).
      Figure 3 Modifying hbase.security.authorization
    5. Search for hbase.coprocessor.master.classes and append ,org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor to its original value.
      Figure 4 hbase.coprocessor.master.classes
    6. Search for hbase.coprocessor.region.classes and append ,org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor to its original value.
      Figure 5 hbase.coprocessor.region.classes
    7. Click Save Configuration and select Restart the affected services or instances to restart the HMaster and RegionServer instances.

  6. Create a policy under HBase Service hbasedev.

    1. Log in to the Ranger web UI.
    2. In the HBASE area, click the added service hbasedev.
    3. Click Add New Policy to add an access control policy.
    4. Set the parameters according to Table 2. Use the default values for the parameters that are not listed in the table.
      Table 2 Parameter description

      | Parameter | Description | Example Value |
      |---|---|---|
      | Policy Name | Policy name | Policy002 |
      | HBase Table | Name of the HBase table to which the policy allows access | test1 |
      | HBase Column-family | Column family of the HBase table to which the policy allows access | cf1 |
      | HBase Column | Name of the column in the HBase table to which the policy allows access | name |
      | Allow Conditions | Select Group: user group to which the policy allows access; Select User: user in the user group to which the policy allows access; Permissions: permissions that the policy allows the user to have | Select Group: testuser; Select User: testuser; Permissions: Create and Select |

      Figure 6 Adding an access control policy for hbasedev
    5. Click Add to add the policy. According to the preceding policy, user testuser in the testuser user group has the Create and Select permissions on the cf1:name column in the test1 table of the default namespace in HBase, but no permissions to access other columns.

  7. Update and log in to the HBase client by referring to Quickly Using HBase for Offline Data Analysis, and check whether HBase has been integrated into Ranger.

    1. Log in to the node where the client is installed as the client installation user and run the following commands to go to the HBase shell:

      source /opt/client/bigdata_env

      hbase shell

      Figure 7 Accessing the HBase shell
    2. Add data and check whether Ranger is integrated.
      1. Add data to the cf1:name column in the test1 table.

        put 'test1','001','cf1:name','tom'

      2. Add data to the cf1:age column in the test1 table. If the user has no permission to access this column, the data fails to be added.

        put 'test1','001','cf1:age',10

      Figure 8 Verifying the integration of Ranger with HBase
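
Besides the put test in step 7, the three settings changed in step 5 can be checked directly in the HBase configuration. The following is an added example, not part of the original procedure or of MRS or Ranger code; it assumes the effective hbase-site.xml content is available as text, and the embedded sample, including the com.example.ExampleCoprocessor class name, is constructed.

```python
import xml.etree.ElementTree as ET

RANGER_COPROC = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
COPROC_KEYS = ("hbase.coprocessor.master.classes", "hbase.coprocessor.region.classes")

# Constructed sample hbase-site.xml content (not taken from a real cluster).
# com.example.ExampleCoprocessor is a made-up stand-in for the "original value".
SAMPLE_XML = """<configuration>
  <property><name>hbase.security.authorization</name><value>true</value></property>
  <property><name>hbase.coprocessor.master.classes</name>
    <value>com.example.ExampleCoprocessor,org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value></property>
  <property><name>hbase.coprocessor.region.classes</name>
    <value>com.example.ExampleCoprocessor</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <property> elements."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def check_ranger_hbase(xml_text):
    """Return a list of findings; an empty list means step 5 is fully applied."""
    props = load_properties(xml_text)
    findings = []
    if props.get("hbase.security.authorization", "").lower() != "true":
        findings.append("hbase.security.authorization is not true")
    for key in COPROC_KEYS:
        # Split the comma-separated list and compare exact class names, so a
        # misspelled or truncated entry is not accepted as a match.
        classes = [c.strip() for c in props.get(key, "").split(",") if c.strip()]
        if RANGER_COPROC not in classes:
            findings.append(f"{key} does not list {RANGER_COPROC}")
    return findings


if __name__ == "__main__":
    for finding in check_ranger_hbase(SAMPLE_XML) or ["all step 5 settings present"]:
        print(finding)
```

On the constructed sample the check reports the region coprocessor list, where the Ranger class was not appended; a RegionServer in that state would not call the Ranger authorizer for table reads and writes.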