Apache ZooKeeper ACLs
Also available as:
PDF

ZooKeeper ACLs Best Practices: HBase

Best practices for tightening the ZooKeeper ACLs/permissions for HBase when provisioning a secure cluster.

  • ZooKeeper Usage:
    • /hbase-unsecure - Default znode for unsecured clusters

    • /hbase-secure - Default znode used for secured clusters

  • Default ACLs:
    • /hbase-unsecure - world:hbase:cdrwa
      • All children ZNodes are also world cdrwa

    • Open for global read, write protected: world:anyone:r, sasl:hbase:cdrwa
      • /hbase-secure

      • /hbase-secure/master

      • /hbase-secure/meta-region-server

      • /hbase-secure/hbaseid

      • /hbase-secure/table

      • /hbase-secure/rs

    • No global read, r/w protected: sasl:hbase:cdrwa:
      • /hbase-secure/acl

      • /hbase-secure/namespace

      • /hbase-secure/backup-masters

      • /hbase-secure/online-snapshot

      • /hbase-secure/draining

      • /hbase-secure/replication

      • /hbase-secure/region-in-transition

      • /hbase-secure/splitWAL

      • /hbase-secure/table-lock

      • /hbase-secure/recovering-regions

      • /hbase-secure/running

      • /hbase-secure/tokenauth

    • Security Best Practice ACLs/Permissions and Required Steps:
      • HBase code determines which ACL to enforce based on the configured security mode of the cluster/hbase. Users are not expected to perform any modification of ZooKeeper ACLs on ZNodes and users should not alter any ACLs by hand.