MapR 5.0 Documentation : Enabling HBase Access Control

Starting in the 3.0 release of the MapR distribution for Hadoop, HBase supports Access Control Lists (ACLs) to limit the privileges of users on the system. To enable HBase ACLs on your cluster, perform the following steps:

  1. On the HBase Region Server, edit the /opt/mapr/hbase/hbase-<version>/conf/hbase-site.xml file and add the following section:
    <property>
        <name>hbase.coprocessor.region.classes</name>
        <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
    </property>
    <property>
        <name>hbase.superuser</name>
        <value><admin1>,<admin2>,@<group1>,...</value> <!-- group names are prefixed with '@' -->
    </property>
    <property>
        <name>hbase.rpc.engine</name>
        <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
    </property>
    
  2. On the HBase Master, edit the /opt/mapr/hbase/hbase-<version>/conf/hbase-site.xml file and add the following section:
    <property>
        <name>hbase.rpc.engine</name>
        <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
    </property>
    <property>
        <name>hbase.coprocessor.master.classes</name>
        <value>org.apache.hadoop.hbase.security.access.AccessController</value>
    </property>
    <property>
        <name>hbase.superuser</name>
        <value><admin1>,<admin2>,@<group1>,...</value> <!-- group names are prefixed with '@' -->
    </property>
    
  3. On every HBase client node, edit the /opt/mapr/hbase/hbase-<version>/conf/hbase-site.xml file and add the following section:
    <property>
        <name>hbase.rpc.engine</name>
        <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
    </property>
    
  4. Restart HBase on every node.
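
One way to check the files from steps 1 to 3 before the restart: the script below is an added example, not part of the MapR documentation. It parses an hbase-site.xml and reports which of the settings listed above are missing for a given node role. The role names, the audit function and the sample file contents (including the hbadmin and @hbops superuser entries) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

TOKEN = "org.apache.hadoop.hbase.security.token.TokenProvider"
ACL = "org.apache.hadoop.hbase.security.access.AccessController"
RPC = "org.apache.hadoop.hbase.ipc.SecureRpcEngine"

# Coprocessor classes each node role must list, taken from steps 1-3 above.
REQUIRED = {
    "regionserver": {"hbase.coprocessor.region.classes": {TOKEN, ACL}},
    "master": {"hbase.coprocessor.master.classes": {ACL}},
    "client": {},
}

def audit(xml_text, role):
    """Return a list of findings; an empty list means the role's settings are present."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # A literal <admin1> placeholder left in the value makes the file malformed.
        return [f"not well-formed XML: {err}"]
    props = {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
             for p in root.iter("property")}
    findings = []
    if props.get("hbase.rpc.engine") != RPC:
        findings.append("hbase.rpc.engine is not SecureRpcEngine")
    for name, needed in REQUIRED[role].items():
        listed = {c.strip() for c in props.get(name, "").split(",")}
        for cls in sorted(needed - listed):
            findings.append(f"{name} is missing {cls.rsplit('.', 1)[-1]}")
    if role != "client":
        supers = [s.strip() for s in props.get("hbase.superuser", "").split(",")]
        if not any(supers):
            findings.append("hbase.superuser is empty or unset")
        elif "..." in supers or "" in supers or "@" in supers:
            findings.append("hbase.superuser contains an empty or placeholder entry")
    return findings

# Constructed sample: a Region Server file with AccessController left out.
SAMPLE = """<configuration>
  <property><name>hbase.rpc.engine</name>
    <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value></property>
  <property><name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider</value></property>
  <property><name>hbase.superuser</name><value>hbadmin,@hbops</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "regionserver"):
        print(finding)
```

A Region Server that lists TokenProvider but not AccessController, as in the sample, is the case this check is meant to surface.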

Using HBase ACLs

HBase ACLs support the following privileges:

  • Read
  • Write
  • Create tables
  • Administrator

You can grant privileges to users and revoke them by using the grant and revoke commands from the HBase shell. The following example grants user jfoo read privileges on column family cf1 of table mytable:

hbase(main):001:0> grant 'jfoo', 'R', 'mytable', 'cf1'

This example removes user kbar's administrative privileges on the cluster:

hbase(main):001:0> revoke 'kbar' 'A'