The following matrix shows the minimum permission set required to perform operations in HBase. Before using the table, read through the information about how to interpret it.
Interpreting the ACL Matrix Table
The following conventions are used in the ACL Matrix table:
Permissions are evaluated starting at the widest scope and working to the narrowest scope. A scope corresponds to a level of the data model. From broadest to narrowest, the scopes are as follows::
Global
Namespace (NS)
Table
Column Family (CF)
Column Qualifier (CQ)
Cell
For instance, a permission granted at table level dominates any grants done at the Column Family, Column Qualifier, or cell level. The user can do what that grant implies at any location in the table. A permission granted at global scope dominates all: the user is always allowed to take that action everywhere.
Possible permissions include the following:
Superuser - a special user that belongs to group "supergroup" and has unlimited access
Admin (A)
Create (C)
Write (W)
Read (R)
Execute (X)
For the most part, permissions work in an expected way, with the following caveats:
Having Write permission does not imply Read permission. It is possible and sometimes desirable for a user to be able to write data that same user cannot read. One such example is a log-writing process.
The hbase:meta table is readable by every user, regardless
of the user's other grants or restrictions. This is a requirement for HBase to
function correctly.
CheckAndPut and CheckAndDelete operations will fail if
the user does not have both Write and Read permission.
Increment and Append operations do not require Read
access.
The following table is sorted by the interface that provides each operation. In case the
table goes out of date, the unit tests which check for accuracy of permissions can be found
in
hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java,
and the access controls themselves can be examined in
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java.
Table D.1. ACL Matrix
| Interface | Operation | Minimum Scope | Minimum Permission |
|---|---|---|---|
|
Master |
createTable |
Global |
C |
|
modifyTable |
Table |
A|C | |
|
deleteTable |
Table |
A|C | |
|
truncateTable |
Table |
A|C | |
|
addColumn |
Table |
A|C | |
|
modifyColumn |
Table |
A|C | |
|
deleteColumn |
Table |
A|C | |
|
disableTable |
Table |
A|C | |
|
disableAclTable |
None |
Not allowed | |
|
enableTable |
Table |
A|C | |
|
move |
Global |
A | |
|
assign |
Global |
A | |
|
unassign |
Global |
A | |
|
regionOffline |
Global |
A | |
|
balance |
Global |
A | |
|
balanceSwitch |
Global |
A | |
|
shutdown |
Global |
A | |
|
stopMaster |
Global |
A | |
|
snapshot |
Global |
A | |
|
clone |
Global |
A | |
|
restore |
Global |
A | |
|
deleteSnapshot |
Global |
A | |
|
createNamespace |
Global |
A | |
|
deleteNamespace |
Namespace |
A | |
|
modifyNamespace |
Namespace |
A | |
|
flushTable |
Table |
A|C | |
|
getTableDescriptors |
Global|Table |
A | |
|
mergeRegions |
Global |
A | |
| Region | open | Global | A |
|
openRegion |
Global |
A | |
| close | Global | A | |
|
closeRegion |
Global |
A | |
|
stopRegionServer |
Global |
A | |
|
rollHLog |
Global |
A | |
|
mergeRegions |
Global |
A | |
| append | Table|CF|CQ | W | |
| delete | Table|CF|CQ|Cell (if the user has write permission for all cells) | W | |
| exists | Table|CF|CQ | R | |
| get | Table|CF|CQ | R | |
| getClosestRowBefore | Table|CF|CQ | R | |
| increment | Table|CF|CQ | W | |
| put | Table|CF|CQ | W | |
|
flush |
Global|Table |
A|C | |
|
split |
Global|Table |
A | |
|
compact |
Global|Table |
A|C | |
| bulkLoadHFile | Table | W | |
| prepareBulkLoad | Table | C | |
| cleanupBulkLoad | Table | W | |
| checkAndDelete | Table|CF|CQ | RW | |
| checkAndPut | Table|CF|CQ | RW | |
| incrementColumnValue | Table|CF|CQ | RW | |
| scannerClose | Table | R | |
| scannerNext | Table | R | |
| scannerOpen | Table|CQ|CF | R | |
|
Endpoint |
invoke | Endpoint |
X |
|
AccessController |
grant | Global|Table|NS |
A |
|
revoke | Global|Table|NS |
A | |
|
getUserPermissions |
Global|Table|NS |
A | |
|
checkPermissions |
Global|Table|NS |
A |