Creating HBase Roles

Scenario

This section describes how the system administrator creates and configures an HBase role on Manager. An HBase role can grant HBase administrator permissions and read (R), write (W), create (C), execute (X), or manage (A) permissions on HBase tables and column families.

Users can create a table, query/delete/insert/update data, and authorize others to access HBase tables after they set the corresponding permissions for the specified databases or tables on HDFS.

Note

  • This section applies to MRS 3.x or later clusters.

  • HBase roles can be created in security mode, but cannot be created in normal mode.

  • If the current component uses Ranger for permission control, you need to configure related policies based on Ranger for permission management. For details, see Adding a Ranger Access Permission Policy for HBase.

Prerequisites

  • The system administrator has understood the service requirements.

  • You have logged in to Manager.

Procedure

  1. On Manager, choose System > Permission > Role.

  2. On the displayed page, click Create Role and enter a Role Name and Description.

  3. Set Permission. For details, see Table 1.

    HBase permissions:

    • HBase Scope: Authorizes HBase tables. The minimum permission is read (R) and write (W) for columns.

    • HBase Administrator Permission: Grants HBase administrator permissions.

    Note

    Users have the read (R), write (W), create (C), execute (X), and manage (A) permissions on the tables they create themselves.

    Table 1 Setting a role

    Task: Setting the HBase administrator permission

    Role Authorization: In Configure Resource Permission, choose Name of the desired cluster > HBase and select HBase Administrator Permission.

    Task: Setting the permission for users to create tables

    Role Authorization:

    1. In Configure Resource Permission, choose Name of the desired cluster > HBase > HBase Scope.

    2. Click global.

    3. In the Permission column of the specified namespace, select Create and Execute. For example, select Create and Execute for the default namespace default.

    Task: Setting the permission for users to write data to tables

    Role Authorization:

    1. In Configure Resource Permission, choose Name of the desired cluster > HBase > HBase Scope > global.

    2. In the Permission column of the specified namespace, select Write. For example, select Write for the default namespace default. By default, HBase sub-objects inherit the permission from the parent object.

    Task: Setting the permission for users to read data from tables

    Role Authorization:

    1. In Configure Resource Permission, choose Name of the desired cluster > HBase > HBase Scope > global.

    2. In the Permission column of the specified namespace, select Read. For example, select Read for the default namespace default. By default, HBase sub-objects inherit the permission from the parent object.

    Task: Setting the permission for users to manage namespaces or tables

    Role Authorization:

    1. In Configure Resource Permission, choose Name of the desired cluster > HBase > HBase Scope > global.

    2. In the Permission column of the specified namespace, select Manage. For example, select Manage for the default namespace default.

    Task: Setting the permission for reading data from or writing data to columns

    Role Authorization:

    1. In Configure Resource Permission, choose Name of the desired cluster > HBase > HBase Scope > global and click the specified namespace to display the tables in the namespace.

    2. Click a table.

    3. Click a column family.

    4. Determine whether you are creating a role.

      • If yes, enter the column name in the Resource Name text box. Use commas (,) to separate multiple columns. Select Read or Write. If there are no columns with the same name in the HBase table, a newly created column with the same name as the existing column has the same permission as the existing one. The column permission is set successfully.

      • If no, modify the column permission of the existing HBase role. The columns for which the permission has been separately set are displayed in the table. Go to 5.

    5. To add or modify column permissions for a role, enter the column name in the Resource Name text box and set the column permissions. Alternatively, you can directly modify the column permissions in the table. If the column permissions are modified in the table and column permissions with the same name are added, the settings cannot be saved. You are advised to modify the column permission of a role directly in the table. The search function is supported.

  4. Click OK, and return to the Role page.
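
The inheritance rule in Table 1 (HBase sub-objects inherit the permission from the parent object) determines how far each grant in a role reaches. The following Python model is an added example, not MRS or HBase code: it assumes the effective permission on a resource is the union of the grants on that resource and on every parent scope, and the namespace, table, column family and column names are constructed.

```python
"""Simplified model of HBase Scope inheritance (illustration only, not MRS or HBase code)."""

VALID = set("RWCXA")  # read, write, create, execute, manage

def column_grants(ns, table, cf, resource_name, perms):
    """Expand a comma-separated Resource Name value into per-column grants."""
    perms = set(perms)
    if not perms <= VALID:
        raise ValueError(f"unknown permission(s): {sorted(perms - VALID)}")
    cols = [c.strip() for c in resource_name.split(",") if c.strip()]
    return {(ns, table, cf, col): set(perms) for col in cols}

def effective(grants, resource):
    """Union of the grants on the resource and on every parent scope above it."""
    perms = set()
    for depth in range(len(resource) + 1):
        perms |= grants.get(tuple(resource[:depth]), set())
    return perms

def granted_by(grants, resource, perm):
    """Scopes, outermost first, whose grant gives `perm` on `resource`."""
    return [tuple(resource[:d]) for d in range(len(resource) + 1)
            if perm in grants.get(tuple(resource[:d]), set())]

# Constructed roles; namespace, table, family and column names are hypothetical.
NS_WRITER = {("default",): {"W"}}  # Write selected on namespace "default"
COL_READER = column_grants("default", "orders", "info", "status, region", "R")

STATUS = ("default", "orders", "info", "status")
AMOUNT = ("default", "orders", "info", "amount")

if __name__ == "__main__":
    for name, role in (("ns_writer", NS_WRITER), ("col_reader", COL_READER)):
        for col in (STATUS, AMOUNT):
            print(name, ".".join(col), sorted(effective(role, col)),
                  granted_by(role, col, "W"))
```

In this model the namespace-level Write grant reaches every column beneath it, while the column-level Read grant reaches only the named columns, which is the narrower choice when a role needs access to specific columns only.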