Updated on 2024-08-16 GMT+08:00

Configuring HBase ACL Security Policies

Function Description

Access control is a mature feature in relational databases. HBase provides a simple access control feature that governs the read (R), write (W), create (C), execute (X), and admin (A) operations. In common mode, this feature is supported only when HBase permission management is enabled.

The Access Control List (ACL) methods are defined in the org.apache.hadoop.hbase.security.access.AccessControlClient utility class.

Sample Code

The following code snippet is the grantACL method in the HBaseExample class of the com.huawei.bigdata.hbase.examples package.

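/**
 * Grants the sample permissions ("RW") to the sample user ("usertest") on {@code tableName}.
 *
 * <p>The grant is scoped to column family "info" and qualifier "name" when that family exists
 * on the table. If the family is missing, the grant is issued with a null family and qualifier,
 * which applies to the whole table. That is a wider scope than the column-level grant, so it is
 * logged as a warning.
 *
 * <p>No grant is issued when the ACL table does not exist. All failures are logged and
 * swallowed, so callers that need to know the outcome must check the log or verify the
 * permission afterwards (for example with {@code user_permission} in the HBase shell).
 */
public void grantACL() {
    LOG.info("Entering grantACL.");

    // Sample principal and action set; keep the action string as narrow as the use case allows.
    String user = "usertest";
    String permissions = "RW";

    // Requested scope of the grant: one column family and one qualifier.
    String familyName = "info";
    String qualifierName = "name";

    Table mt = null;
    Admin hAdmin = null;
    try {
        // Handle on the ACL table, used below to check that it exists.
        mt = conn.getTable(AccessControlLists.ACL_TABLE_NAME);

        // Parse the action string ("RW") into Permission actions.
        Permission perm = new Permission(Bytes.toBytes(permissions));

        hAdmin = conn.getAdmin();

        if (hAdmin.tableExists(mt.getName())) {
            // Look up the target table only once the ACL table is known to exist;
            // a missing target table surfaces as an exception handled below.
            HTableDescriptor ht = hAdmin.getTableDescriptor(tableName);

            if (ht.hasFamily(Bytes.toBytes(familyName))) {
                // Narrow grant: family + qualifier only.
                AccessControlClient.grant(conn, tableName, user, Bytes.toBytes(familyName),
                        (qualifierName == null ? null : Bytes.toBytes(qualifierName)), perm.getActions());
            } else {
                // NOTE(review): this fallback widens the grant from one column to the entire
                // table. Production code should usually treat a missing family as an error
                // instead of silently granting broader access.
                LOG.warn("Column family " + familyName
                        + " not found; granting permissions on the whole table instead.");
                AccessControlClient.grant(conn, tableName, user, null, null, perm.getActions());
            }
            // Report success only on the paths that actually issued a grant.
            LOG.info("Grant ACL successfully.");
        } else {
            LOG.warn("ACL table does not exist; no permission was granted.");
        }
    } catch (Throwable e) {
        // Throwable is caught so that any failure raised by the grant call is logged
        // rather than propagated out of this sample method.
        LOG.error("Grant ACL failed ", e);
    } finally {
        if (mt != null) {
            try {
                // Release the ACL table handle.
                mt.close();
            } catch (IOException e) {
                LOG.error("Close table failed ", e);
            }
        }

        if (hAdmin != null) {
            try {
                // Release the Admin handle.
                hAdmin.close();
            } catch (IOException e) {
                LOG.error("Close admin failed ", e);
            }
        }
    }
    LOG.info("Exiting grantACL.");
}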

Shell command format:

Command line interface
# Grant permissions.
grant <user> <permissions>[ <table>[ <column family>[ <column qualifier> ] ] ] 
           
# Revoke permissions.
revoke <user> <permissions> [ <table> [ <column family> [ <column qualifier> ] ] ] 
           
# Set a table owner.
alter <table> {owner => <user>} 
           
# Display a permission list.
user_permission <table>  # displays existing permissions

Example (the first grant names no table, so it applies at global scope; the second is limited to tableA):

grant 'user1', 'RWC' 
grant 'user2', 'RW', 'tableA'
user_permission 'tableA'