Configuring HBase Access Permissions in Ranger

Updated on 2024-10-08 GMT+08:00

View PDF

After an MRS cluster with Ranger installed is created, HBase access control is not integrated into Ranger. This section describes how to integrate HBase into Ranger.

Log in to the Ranger web UI.
In the Service Manager area, click next to HBASE to add an HBase service.

Figure 1 Adding an HBase service

Set the parameters for adding an HBase service according to Table 1. Use the default values for the parameters that are not listed in the table.

**Table 1** **Parameter description**
Parameter	Description	Example Value
Service Name	Name of the service to be created. The value is fixed to hbasedev.	hbasedev
Username	Set it based on the site requirements.	admin
Password	Set it based on the site requirements.	-
hadoop.security.authentication	HBase authentication mode. The value is fixed to Simple.	Simple
hbase.security.authentication	HBase authentication mode. The value is fixed to Simple.	Simple
hbase.zookeeper.property.clientPort	Port number of ZooKeeper in the HBase cluster.	2181
hbase.zookeeper.quorum	ZooKeeper address in the HBase cluster.	192.168.0.7,192.168.0.8,192.168.0.9
zookeeper.znode.parent	Path of the root node of HBase in ZooKeeper. The value is fixed to /hbase.	/hbase

Figure 2 Creating hbasedev
Click to enlarge

Click Add to add the service.
Start the Ranger HBase plugin to authorize Ranger to manage HBase.
1. On the MRS management console, click the cluster name to go to the cluster details page.
2. Click the Components tab.
3. Choose HBase > Service Configuration and switch Basic to All.
4. Search for hbase.security.authorization and change its value to true (select the first HBase parameter).
  Figure 3 Modifying hbase.security.authorization
5. Search for hbase.coprocessor.master.classes and append ,org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor to its original value.
  Figure 4 hbase.coprocessor.master.classes
6. Search for hbase.coprocessor.region.classes and append ,org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor to its original value.
  Figure 5 hbase.coprocessor.region.classes
7. Click Save Configuration and select Restart the affected services or instances to restart the HMaster and RegionServer instances.

Create a policy under HBase Service hbasedev.

Log in to the Ranger web UI.
In the HBASE area, click the added service hbasedev.
Click Add New Policy to add an access control policy.

Set the parameters according to Table 2. Use the default values for the parameters that are not listed in the table.

**Table 2** Parameter description
Parameter	Description	Example Value
Policy Name	Policy name	Policy002
HBase Table	Name of the HBase table that the policy allows to access	test1
HBase Column-family	Column family of the HBase table that the policy allows to access	cf1
HBase Column	Column name of the table corresponding to the HBase table that the policy allows to access	name
Allow Conditions	Select Group: user group that the policy allows to access Select User: user in the user group that the policy allows to access Permissions: permissions that the policy allows the user to have	Select Group: testuser Select User: testuser Permissions: Create and Select

Figure 6 Adding an access control policy for hbasedev
Click to enlarge

Click Add to add the policy. According to the preceding policy, user testuser in the testuser user group has the Create and Select permissions on the cf1:name column in the test1 table of the default namespace in HBase, but no permissions to access other columns.

Update and log in to the HBase client by referring to Quickly Using HBase for Offline Data Analysis, and check whether HBase has been integrated into Ranger.
1. Log in to the node where the client is installed as the client installation user and run the following commands to go to the HBase shell:
  source /opt/client/bigdata_env
  
  hbase shell
  
  Figure 7 Accessing the HBase shell
2. Add data and check whether Ranger is integrated.
  1. Add data to the cf1:name column in the test1 table.
    put 'test1','001','cf1:name','tom'
  2. Add data to the cf1:age column in the test1 table. If the user has no permission to access this column, the data fails to be added.
    put 'test1','001','cf1:age',10
  Figure 8 Verifying the integration of Ranger with HBase

Parent topic: Using Ranger (MRS 1.9.2)

Previous topic: Configuring Hive/Impala Access Permissions in Ranger

Next topic: Using Ranger (MRS 3.x)

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot