Providing Authorization with Apache Ranger
Also available as:
PDF
loading table of contents...

Configure a Resource-based Policy: HBase

How to add a new policy to an existing HBase service.

  1. On the Service Manager page, select an existing service under HBase.

    On the Ranger home, a specific service highlighted under a component.
    The List of Policies page appears.
  2. Click Add New Policy.
    The Create Policy page appears.
    Ranger > Create Policy page.
  3. Complete the Create Policy page as follows:
    Table 1. Policy Details

    Label

    Description

    Policy Name Enter an appropriate policy name. This name cannot be duplicated across the system. This field is mandatory.
    HBase Table Select the appropriate database. Multiple databases can be selected for a particular policy. This field is mandatory.
    HBase Column-family For the selected table, specify the column families to which the policy applies.
    HBase Column For the selected table and column families, specify the columns to which the policy applies.
    Description (Optional) Describe the purpose of the policy.
    Audit Logging Specify whether this policy is audited. (De-select to disable auditing).
    Policy Label Specify a label for this policy. You can search reports and filter policies based on these labels.
    Table 2. Allow Conditions

    Label

    Description

    Select Group

    Specify the group to which this policy applies. To designate the group as an Administrator for the chosen resource, specify Admin permissions. (Administrators can create child policies based on existing policies).

    The public group contains all users, so granting access to the public group grants access to all users.

    Select User Specify a particular user to which this policy applies (outside of an already-specified group) OR designate a particular user as Admin for this policy. (Administrators can create child policies based on existing policies).
    Permissions Add or edit permissions: Read, Write, Create, Admin, Select/Deselect All.
    Delegate Admin When a policy is assigned to a user or a group of users those users become the delegated admin. The delegated admin can update, delete the policies. It can also create child policies based on the original policy (base policy).
  4. You can use the Plus (+) symbol to add additional conditions. Conditions are evaluated in the order listed in the policy. The condition at the top of the list is applied first, then the second, then the third, and so on.
  5. Click Add.

Provide User Access to HBase Database Tables from the Command Line

HBase provides the means to manage user access to HBase database tables directly from the command line. The most commonly-used commands are:

  • GRANT

    Syntax:

    grant '<user-or-group>','<permissions>','<table>

    For example, to create a policy that grants user1 read/write permission on the table usertable, the command would be:

    grant 'user1','RW','usertable'

    The syntax is the same for granting CREATE and ADMIN rights.

  • REVOKE

    Syntax:

    revoke '<user-or-group>','<usertable>'

    For example, to revoke the read/write access of user1 to the table usertable, the command would be:

    revoke 'user1','usertable'
    Note
    Note

    Unlike Hive, HBase has no specific revoke commands for each user privilege.