Adding a Ranger Access Permission Policy for HBase

Scenario

Ranger administrators can use Ranger to configure permissions on HBase tables, column families, and columns for HBase users.

Prerequisites

  • The Ranger service has been installed and is running properly.

  • You have created users, user groups, or roles for which you want to configure permissions.

Procedure

  1. Log in to the Ranger management page.

  2. On the home page, click the component plug-in name in the HBASE area, for example, HBase.

  3. Click Add New Policy to add an HBase permission control policy.

  4. Configure the parameters listed in the table below based on the service demands.

    Table 1 HBase permission parameters

    Parameter

    Description

    Policy Name

    Policy name, which can be customized and must be unique in the service.

    Policy Conditions

    IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, 192.168.1.10,192.168.1.20, or 192.168.1.*.

    Policy Label

    A label specified for the current policy. You can search for reports and filter policies based on labels.

    HBase Table

    Name of a table to which the policy applies.

    The value can contain wildcard (*). For example, table1:* indicates all tables in table1.

    The Include policy applies to the current input object, and the Exclude policy applies to objects other than the current input object.

    Note

    The value of hbase.rpc.protection of the HBase service plug-in on Ranger must be the same as that of hbase.rpc.protection on the HBase server. For details, see When an HBase Policy Is Added or Modified on Ranger, Wildcard Characters Cannot Be Used to Search for Existing HBase Tables.

    HBase Column-family

    Name of the column families to which the policy applies.

    The Include policy applies to the current input object, and the Exclude policy applies to objects other than the current input object.

    HBase Column

    Name of the column to which the policy applies.

    The Include policy applies to the current input object, and the Exclude policy applies to objects other than the current input object.

    Description

    Policy description.

    Audit Logging

    Whether to audit the policy.

    Allow Conditions

    Policy allowed condition. You can configure permissions and exceptions allowed by the policy.

    In the Select Role, Select Group, and Select User columns, select the role, user group, or user to which the permission is to be granted, click Add Conditions, add the IP address range to which the policy applies, and click Add Permissions to add the corresponding permission.

    • Read: permission to read data

    • Write: permission to write data

    • Create: permission to create data

    • Admin: permission to manage data

    • Select/Deselect All: Select or deselect all.

    If users or user groups in the current condition need to manage this policy, select Delegate Admin. These users or user groups will become the agent administrators. The agent administrators can update and delete this policy and create sub-policies based on the original policy.

    To add multiple permission control rules, click image1. To delete a permission control rule, click image2.

    Exclude from Allow Conditions: policy exception conditions

    Deny All Other Accesses

    Whether to reject all other access requests.

    • True: All other access requests are rejected.

    • False: Deny Conditions can be configured.

    Deny Conditions

    Policy rejection condition, which is used to configure the permissions and exceptions to be denied in the policy. The configuration method is similar to that of Allow Conditions.

    The priority of Deny Conditions is higher than that of allowed conditions configured in Allow Conditions.

    Exclude from Deny Conditions: exception rules excluded from the denied conditions

    Table 2 Setting permissions

    Task

    Role Authorization

    Setting the HBase administrator permission

    1. On the home page, click the component plug-in name in the HBase area, for example, HBase.

    2. Select the policy whose Policy Name is all - table, column-family, column and click image3 to edit the policy.

    3. In the Allow Conditions area, select a user from the Select User drop-down list.

    Setting the permission for users to create tables

    1. In HBase Table, specify a table name.

    2. In the Allow Conditions area, select a user from the Select User drop-down list.

    3. Click Add Permissions and select Create.

    4. This user hase the following permissions:

      create table

      drop table

      truncate table

      alter table

      enable table

      flush table

      flush region

      compact

      disable

      enable

      desc

    Setting the permission for users to write data to tables

    1. In HBase Table, specify a table name.

    2. In the Allow Conditions area, select a user from the Select User drop-down list.

    3. Click Add Permissions and select Write.

    4. The user has the put, delete, append, incr and bulkload operation permissions.

    Setting the permission for users to read data from tables

    1. In HBase Table, specify a table name.

    2. In the Allow Conditions area, select a user from the Select User drop-down list.

    3. Click Add Permissions and select Read.

    4. This user hase the get and scan permissions.

    Setting the permission for users to manage namespaces or tables

    1. In HBase Table, specify a table name.

    2. In the Allow Conditions area, select a user from the Select User drop-down list.

    3. Click Add Permissions and select Admin.

    4. The user has the rsgroup, peer, assign and balance operation permissions.

    Setting the permission for reading data from or writing data to columns

    1. In HBase Table, specify a table name.

    2. In HBase Column-family, specify the column family name.

    3. In the Allow Conditions area, select a user from the Select User drop-down list.

    4. Click Add Permissions and select Read and Write.

    Note

    If a user performs the desc operation in hbase shell, the user must be granted the read permission on the hbase:qouta table.

  5. (Optional) Add the validity period of the policy. Click Add Validity period in the upper right corner of the page, set Start Time and End Time, and select Time Zone. Click Save. To add multiple policy validity periods, click image4. To delete a policy validity period, click image5.

  6. Click Add to view the basic information about the policy in the policy list. After the policy takes effect, check whether the related permissions are normal.

    To disable a policy, click image6 to edit the policy and set the policy to Disabled.

    If a policy is no longer used, click image7 to delete it.