ZooKeeper ACLs Best Practices: HBase
You must follow the best practices for tightening the ZooKeeper ACLs or permissions for HBase when provisioning a secure cluster.
- ZooKeeper Usage:
  - /hbase-unsecure - Default znode for unsecured clusters
  - /hbase-secure - Default znode used for secured clusters
- Default ACLs:
  - /hbase-unsecure - world:hbase:cdrwa
  - All children ZNodes are also world cdrwa
- Open for global read, write protected: world:anyone:r, sasl:hbase:cdrwa
  - /hbase-secure
  - /hbase-secure/master
  - /hbase-secure/meta-region-server
  - /hbase-secure/hbaseid
  - /hbase-secure/table
  - /hbase-secure/rs
- No global read, r/w protected: sasl:hbase:cdrwa
  - /hbase-secure/acl
  - /hbase-secure/namespace
  - /hbase-secure/backup-masters
  - /hbase-secure/online-snapshot
  - /hbase-secure/draining
  - /hbase-secure/replication
  - /hbase-secure/region-in-transition
  - /hbase-secure/splitWAL
  - /hbase-secure/table-lock
  - /hbase-secure/recovering-regions
  - /hbase-secure/running
  - /hbase-secure/tokenauth
- Security Best Practice ACLs/Permissions and Required Steps:
  - HBase code determines which ACL to enforce based on the configured security mode of the cluster/HBase. Users are not expected to modify ZooKeeper ACLs on ZNodes, and should not alter any ACLs by hand.
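A read-only way to confirm that a secured cluster carries the ACLs listed above, as an added example that is not part of the original page or of HBase itself. It assumes `zkCli.sh getAcl` prints each entry as a `'scheme,'id` line followed by a `: perms` line; the names `EXPECTED`, `parse_getacl` and `audit` are hypothetical, and the sample outputs are constructed.

```python
import re

# Expected ACL entries per znode, copied from the lists on this page.
OPEN_READ = {("world", "anyone"): "r", ("sasl", "hbase"): "cdrwa"}
PROTECTED = {("sasl", "hbase"): "cdrwa"}
EXPECTED = {"/hbase-secure": OPEN_READ}
for name in ("master", "meta-region-server", "hbaseid", "table", "rs"):
    EXPECTED["/hbase-secure/" + name] = OPEN_READ
for name in ("acl", "namespace", "backup-masters", "online-snapshot",
             "draining", "replication", "region-in-transition", "splitWAL",
             "table-lock", "recovering-regions", "running", "tokenauth"):
    EXPECTED["/hbase-secure/" + name] = PROTECTED

# Assumed getAcl layout: a "'scheme,'id" line followed by a ": perms" line.
ACL_RE = re.compile(r"'(\w+),'(\S*)[ \t]*\r?\n[ \t]*:[ \t]*([cdrwa]+)")

def canon(perms):
    """Normalise a permission string to the page's cdrwa ordering."""
    return "".join(c for c in "cdrwa" if c in perms)

def parse_getacl(text):
    """Parse getAcl output into {(scheme, id): perms}; other lines are ignored."""
    return {(s, i): canon(p) for s, i, p in ACL_RE.findall(text)}

def audit(path, getacl_output):
    """Return findings for one znode; an empty list means it matches the page."""
    want, have = EXPECTED[path], parse_getacl(getacl_output)
    findings = []
    for (scheme, ident), perms in sorted(have.items()):
        expected = want.get((scheme, ident))
        if expected is None:
            findings.append(f"{path}: unexpected {scheme}:{ident}:{perms}")
        elif perms != expected:
            findings.append(f"{path}: {scheme}:{ident} is {perms}, expected {expected}")
    for scheme, ident in sorted(want.keys() - have.keys()):
        findings.append(f"{path}: missing {scheme}:{ident}:{want[(scheme, ident)]}")
    return findings

# Constructed sample outputs, not captured from a real cluster.
SAMPLE_OK = "'world,'anyone\n: r\n'sasl,'hbase\n: cdrwa\n"
SAMPLE_OPEN = "'world,'anyone\n: cdrwa\n"

if __name__ == "__main__":
    print(audit("/hbase-secure/master", SAMPLE_OK))   # matches the page
    print(audit("/hbase-secure/acl", SAMPLE_OPEN))    # world-open protected znode
```

Feed `audit` the text printed by `getAcl` for each path in `EXPECTED`; any finding points to a znode whose ACL differs from the lists above and is a reason to review the cluster's security configuration, not to edit the ACL by hand.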

